• Injection Attacks


    Description

    An injection flaw is a vulnerability that allows an attacker to relay malicious code through an application to another system. This can include compromising both back-end systems and other clients connected to the vulnerable application.

    The effects of these attacks include:

    • Allowing an attacker to execute operating system calls on a target machine
    • Allowing an attacker to compromise back-end data stores
    • Allowing an attacker to compromise or hijack the sessions of other users
    • Allowing an attacker to force actions on behalf of other users or services

    Many web applications depend on operating system features, external programs, and the processing of data queries submitted by users. When a web application passes information from an HTTP request into such an external request, it must scrub and validate that information first. Otherwise, an attacker can inject special (meta) characters, malicious commands/code, or command modifiers into the request.
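
    The following is an added example, not part of the original page, showing the pattern the paragraph above describes: a lookup that splices request data into a back-end query, beside a hardened version that allow-list validates the value and binds it as a query parameter, and the same approach for a value handed to an operating-system call. It assumes an in-memory SQLite database seeded with constructed sample rows; the function and variable names are hypothetical.

```python
import re
import sqlite3

# Constructed sample rows standing in for a back-end user store (not real data).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def is_valid_username(value):
    """Allow-list check: only plain account names pass, so quotes, spaces
    and comment sequences never reach the query."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_email_unsafe(conn, name):
    # VULNERABLE: the request value is spliced into the statement text, so a
    # quote character in `name` changes the structure of the query.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, name):
    # Hardened: validate first, then bind the value as a parameter so the
    # database driver never interprets it as SQL.
    if not is_valid_username(name):
        raise ValueError("rejected username")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def build_ping_argv(host):
    # Same idea for an operating-system call: validate the value, then pass it
    # as a single argv element (for subprocess.run with shell=False) instead of
    # interpolating it into a shell command line where metacharacters are live.
    if HOSTNAME_RE.fullmatch(host) is None:
        raise ValueError("rejected hostname")
    return ["ping", "-c", "1", host]
```

    With a value containing a quote character, the unsafe lookup produces a malformed statement and the database raises an error, while the hardened lookup rejects the value before any query is built.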

    These attacks are not difficult to attempt, and an increasing number of tools scan for these flaws. An attacker can use these techniques to obtain, corrupt, or destroy the contents of your database, compromise back-end systems, or attack other users.

    Successful injection attacks may completely compromise or destroy a system. It is important to test for and protect against these types of attacks.