What are the common injection attacks? And what are the prevention mechanisms against injection attacks?
Injection attacks are a type of cyberattack in which an attacker sends data to an application in a way that changes the meaning of the commands forwarded to an interpreter. The attacker supplies untrusted input to a program in an attempt to gain unauthorized access to resources; the interpreter processes that malicious input as part of a command or query statement, which alters the normal execution of the program. Injection attacks can result in data theft, denial of service (DoS), loss of data integrity, and full system compromise and control by the malicious actor. The primary cause of injection vulnerabilities is insufficient or improper input validation by developers. Injection is mainly a web application vulnerability that allows an attacker to insert malicious input into an application, or to relay malicious code through one application to another system or application.
Common injection attacks include:
- SQL injection
- Code injection
- Email Header Injection
- Host Header Injection
- OS Command injection
- Cross-site scripting (XSS)
- LDAP Injection
- Carriage return linefeed (CRLF) injection
- Mail or SMTP/IMAP Command Injection
- Cascading style sheet (CSS) injection
Mechanisms to prevent injection attacks include the following:
- Data or input validation
- Authorize users and apply the principle of least privilege
- Avoid Accessing External Interpreters
- Handle Exceptions and Returned Status Codes
- Use stored procedures or prepared statements
- Limit special characters
- Minimize attack surfaces
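As an added illustration of two of the mechanisms above (prepared statements and input validation) applied to SQL injection, the following Python example builds a small constructed SQLite database and contrasts a lookup that concatenates user input into the query text with one that uses a parameterized statement. This is example code written for this answer, not code from the original page; the table, user names and validation pattern are constructed for the demonstration.

```python
import re
import sqlite3

def build_db():
    # Constructed in-memory sample database used only for this demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, name):
    # String concatenation: the untrusted value becomes part of the SQL text,
    # so a value containing a quote can change the meaning of the statement.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def lookup_user_safe(conn, name):
    # Prepared statement: the value is passed separately from the query text,
    # and the database engine only ever treats it as data, never as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def lookup_user_validated(conn, name):
    # Input validation as a second layer of defence: reject anything that does
    # not match the expected shape of a username before it reaches the database.
    if not re.fullmatch(r"[a-z]{1,32}", name):
        raise ValueError("invalid username")
    return lookup_user_safe(conn, name)

if __name__ == "__main__":
    conn = build_db()
    # Classic textbook input that turns the WHERE clause into an always-true condition.
    hostile = "x' OR '1'='1"
    print(lookup_user_vulnerable(conn, hostile))  # every row in the table is returned
    print(lookup_user_safe(conn, hostile))        # [] : no user literally named that way
```

Running the script shows the concatenated query leaking every user, while the parameterized query returns nothing for the same input and the validated variant rejects it before any query runs.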