T 5.174 Injection attacks

Within the framework of an injection attack, an attacker tries to inject commands into the web application and to execute these. In this, the attack is normally directed against an interpreter and/or the parser used by the web application.

If, for example, incoming data of the web application is validated insufficiently, input (e.g. form data, cookies, or HTTP headers) may be selected in such a way that they are interpreted as commands by the web application and the used interpreters and/or parsers (e. g. SQL database, LDAP directory service). This way, unauthorised commands for reading or manipulating data may be transmitted.

If any system commands can be executed by means of injection, the attacker can use the web application as a substitute for a system shell. In this, the sent system commands are normally executed within the security context and therefore with the privileges of the web application or the used interpreter and/or parser.

Injection attacks are classified in types of attacks on the basis of the attacked interpreters/parsers. The following examples illustrate this classification:

• SQL injection (see also T 5.131 SQL injection)
• LDAP injection
• Mail-Command injection
• OS-Command injection
• SSI injection
• XPath injection
• Code injection