What are injection flaws?

Injection flaws are a security vulnerability that allows a user to gain access to the backend database, shell command, or operating system call if the web app takes user input. Hackers append additional information within these input boxes and can create, read, update, or delete data. They may be able to append complete scripts into applications and can, therefore, execute such commands.

There are many types of injection flaws:

  • SQL Injection
  • XML Injection
  • HTML Injection
  • OS Command Injection
  • LDAP Injection
widget

Implementation

The following command can be added to access an account of a user using SQL Injection.

In the password column, type:

abc' OR 1==1 --

The backend SQL command is:

 SELECT * FROM users WHERE email = \$email AND PASSWORD = sha256($password)

Here, when the user adds the value or email and password, the command becomes:

 SELECT * FROM users WHERE email = abc@j.com AND PASSWORD = sha256(abc') OR 1==1 -- )

Since the above command contains 1==1, which is always true, the system grants access to the email, abc@h.comabc@h.com.

How to prevent injection attacks

There are many ways to protect against an Injection flaw:

  • Validation: Check that the input is similar to what is expected, e.g, J<o>hn is not a valid name and, therefore, < and similar characters should not be allowed.
  • Encode: Certain characters such as ' are allowed within names. Thus, these characters should be encoded before transmitting to the back end, e.g., John O’Leary must be transmitted as John O%27Leary if URL encoding is used. This would ensure that the database does not treat ' as an ending quote, but rather as a string. However, it is important to decode the string before it’s displayed on the screen.
  • Tools: Make use of prepared statements that prevent such attacks. These statements are applicable in java, PHP, SQL, and many other languages. The following suggests how to use Prepared Statements.
//name
String name = request.getParameter("name");
//validation
String query = "SELECT account_balance FROM users WHERE username = ?";
PreparedStatement a = connection.prepareStatement(query);
a.setString (1, name);
a.executeQuery();

This automatically applies validation on usernames and prevents any invalid characters. The syntax also prevents hackers from gaining access to other unauthorized information.

Copyright ©2024 Educative, Inc. All rights reserved

Learn in-demand tech skills in half the time

PRODUCTS

Mock Interview

New

Courses

Skill Paths

Projects

Assessments

TRENDING TOPICS

Learn to Code

Tech Interview Prep

Generative AI

Data Science

Machine Learning

GitHub Students Scholarship

Early Access Courses

Blind 75

Pricing

For Individuals

Try for Free

Gift a Subscription

CONTRIBUTE

Become an Author

Become an Affiliate

Earn Referral Credits

RESOURCES

Blog

Cheatsheets

Webinars

Answers

ABOUT US

Our Team

Careers

Hiring

Frequently Asked Questions

Contact Us

Press

LEGAL

Privacy Policy

Cookie Policy

Terms of Service

Business Terms of Service

Data Processing Agreement

INTERVIEW PREP COURSES

Grokking the Modern System Design Interview

Grokking the Product Architecture Design Interview

Grokking the Coding Interview Patterns

Machine Learning System Design

Tiktok Streamline Icon: https://streamlinehq.com

Copyright ©2024 Educative, Inc. All rights reserved.

soc2