Injection

user input is interpreted as ACTUAL COMMANDS or PARAMETERS by application.

Injection attacks depends on technologies used and how input is interpreted

• SQL - SQL Injection
  -> Occurs when user input is passed to SQL queries.
  -> Attacker can pass in SQL queries to manipulate outcome of queries.

• Command Injection
  -> Occurs when user input is passed to system commands
  -> Attacker can execute system commands to application servers.

If attacker successfully passed input and interpreted correctly

• If input passed in SQL Database
  -> Access, Modify, Delete Info
  -> Can steal sensitive info
• If input passed in Server
  -> Allow an attacker to gain access to users’ systems
  -> Steal sensitive data and more attacks to infrastructure linked to server

user input must NOT INTERPRET as queries/commands
Different ways we can do it and is shown below

• Using an allow list
  -> Input is sent to server then compared to list of safe input(allow list)
  -> If Input is marked as safe, safely proceed.
  -> Otherwise, rejected and throw application error
• Stripping Input
  -> If input contains dangerous characters, these characters are removed