CompTIA CySA+ CS0-003: Injection flaws

Injection flaws let attackers reach backend databases, shell commands, and operating system calls. There are numerous types of injection flaws, such as SQL, XML, HTML, LDAP, and OS command injection. Injection flaws occur when a web app accepts user input without properly validating it. Attackers can append extra scripts to these input boxes that can modify, read, create, and delete data, leading to command execution.

For example, in SQL injection, attackers can add ') OR 1=1 -- after the password in the password field. See the example below.

SELECT * FROM users WHERE email = 'enhanceandgo@hotmail.com' AND password = sha256('123321') OR 1=1 -- ')

The added quote and parenthesis close the password value early, and the -- turns the rest of the line into a comment. Since 1=1 is always true, the system will be tricked into granting access to the email.

There are numerous ways to prevent injection attacks, such as validating users' inputs. Certain characters should be blocked in regular input boxes. You can also encode user inputs and use prepared statements.
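
As an added example (not part of the original page), here is the login query from the SQL example built by string concatenation, next to a version that validates the email and uses a prepared statement. It uses Python's sqlite3 module; the table layout, the sample account and the function names are assumptions made for the demonstration.

```python
import hashlib
import re
import sqlite3

# Constructed sample input: the password-field payload from the example above.
PAYLOAD = "123321') OR 1=1 -- "
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def sha256_hex(value):
    # Mirrors the page's sha256(...) call; production systems should use a
    # dedicated password-hashing function rather than a bare hash.
    return hashlib.sha256(str(value).encode()).hexdigest()

def make_db():
    # In-memory database with one constructed account (hypothetical data).
    db = sqlite3.connect(":memory:")
    db.create_function("sha256", 1, sha256_hex)
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, sha256(?))",
               ("user@example.test", "correct-horse"))
    return db

def login_concatenated(db, email, password):
    # Vulnerable: user input becomes part of the SQL text, so a quote in the
    # password ends the string literal and the rest is parsed as SQL.
    query = ("SELECT email FROM users WHERE email = '" + email +
             "' AND password = sha256('" + password + "')")
    return db.execute(query).fetchone() is not None

def login_prepared(db, email, password):
    # Input validation: reject anything that is not shaped like an email.
    if not EMAIL_RE.fullmatch(email):
        return False
    # Prepared statement: the ? placeholders carry values as data only,
    # so quotes and comment markers in the input are never parsed as SQL.
    query = "SELECT email FROM users WHERE email = ? AND password = sha256(?)"
    return db.execute(query, (email, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    print("concatenated, payload:", login_concatenated(db, "user@example.test", PAYLOAD))
    print("prepared, payload:    ", login_prepared(db, "user@example.test", PAYLOAD))
    print("prepared, real login: ", login_prepared(db, "user@example.test", "correct-horse"))
```
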