What is an Injection Attack?

An injection attack happens when an attacker or malicious user intentionally enters dangerous or malicious input data with intention of creating a condition that was beyond the scope of the systems design. For example an attacker my attempt to include dangerous special characters as user supplied input to expose error messages or perform proof of concept injection attacks.

How Do Injection Attacks Happen?

Injection attacks happen when an application failed to perform input validation to filter user supplied input, allow an attacker to injection malicious input into an application.

Different Types of Injection Attacks

Dangerous or malicious input could include code, scripts and commands, which if the application fails to correctly validate correctly could be used to exploit various application vulnerabilities, some of which are included within the OWASP Top 10.

Injection Attack Examples:

• Cross-Site Scripting (XSS)
• SQL Injection (SQLi)
• NoSQL Injection
• XML Injection
• LDAP Injection
• Code Injection
• OS Command Injection
• Host Header Injection (CRLF)
• Local File Inclusion (LFI)
• Remote File Inclusion (RFI)
• Server-Side Injection (SSRF)

Input Validation should not be the primary method of preventing injection attacks, but could be used as used a defense in depth approach which if correctly implemented could significantly contribute to reducing the impact.