A1 INJECTION

Injection flaw occurs when an interpreter takes data as a query or command and executes it.

Types of Injection:

1. SQL Injection
2. LDAP Injection
3. OS Injection 

1.SQL Injection: In SQL injection, attacker take advantage of badly configured database. i.e. if you pass any data to the database it will take it as a query instead of taking it as a data and it will execute that query to give some result to the end user.
          Taking advantage of SQL injection, any person/attacker can access the database or even in worst condition, he can manipulate or delete data.

Types of SQLi:

1. Error based SQLi
2. Blind SQLi
• Boolean
• Time Base

Impact of SQLi:

1. Attack on Confidentiality
2. Attack on Integrity
3. Attack on Availability

2.LDAP Injection: In LDAP injection, if application is taking user input to generate any query then attackers take advantage of this to generate their desired LDAP query. A secure Web application should sanitize the parameters introduced by the user before constructing and sending the query to the server. In a vulnerable environment these parameters are not properly filtered and the attacker can inject malicious code.

          LDAP injection attacks are based on similar techniques to SQL injection attacks. 

3.OS Injection: OS injection or OS command injection vulnerability occurs when a developer uses invalidated user controlled parameters to execute operating system commands. OS command injection vulnerabilities allow attackers to run arbitrary commands on the remote server.

Detectability  :  Average

Exploitability  :  Easy

Impact           :  Severe

How to Prevent:

1. Use a Safe API
2. Carefully escape special characters using the specific escape syntax.
3. Implement “White list” input validation.