Injection-Based Vulnerabilities

SQL Injection Vulnerabilities

SQLi vulnerabilities can allow attackers to view, insert, delete, or modify database records. The attacker injects SQL commands via input fields in an app or URL. SQL statements are divided into the following categories:

• Data Definition Language (DDL) statements

• Data Manipulation Language (DML) statements

• Transaction Control Statements

• Session Control Statements

• System Control Statements

• Embedded SQL Statements

The most common SQL statements are:

• SELECT: obtain data from database

• UPDATE: update data in database

• DELETE: delete data in database

• INSERT INTO: insert new data in database

• CREATE DATABASE: create a database

• ALTER DATABASE: modify a database

• CREATE TABLE: create a table

• ALTER TABLE: modify a table

• DROP TABLE: delete a table

• CREATE INDEX: create index or key search element

• DROP INDEX: delete an index

There are three primary types of SQL injection, and five main techniques. The three primary types are:

1. In-Band SQLi: attacker obtains data via the same channel used to inject the code. This is the most basic form.

2. Out-of-Band SQLi: attacker obtains data via a different channel, for instance, an email, text or other system.

3. Blind (Inferential) SQLi: attacker does not directly obtain any information, but is able to reconstruct it by sending specific statements.

The five main techniques are:

1. Union Injection: used when an SQLi vulnerability allows a SELECT statement to combine two queries into a single result.

2. Boolean: used to verify if conditions are true or false.

3. Error-Based Injection: used to force the database to generate an error to enhance and refine attacks.

4. Out-of-Band Injection: using a HTTP connection (or other means) to get query results somewhere other than on the web server.

5. Time Delay: commands can be used to delay answers, which can clue the attacker into a SQLi vulnerability.

Command Injection

Command injection is when an attacker is allowed to execute commands that they are not supposed to be able to execute. This is possible when an application does not sanitise or validate user input via forms or other elements.

Command injection allows attackers to execute commands with the privilege level of the app. This is not as common as it was in the past as most modern app frameworks have good defenses against these attacks.

Lightweight Directory Access Protocol (LDAP) Injection

LDAP injection occurs when unsanitised user input is passed directly into an LDAP statement. LDAP vulnerabilities could allow attackers to modify the LDAP tree and business critical information. There are two general types of LDAP injection attacks:

• Authentication Bypass: Most basic LDAP attacks launched to bypass password and credential checking.

• Information Disclosure: Attacker can inject crafted LDAP packets to list all resources in a directory.