When it comes to protecting your website from bad actors, there’s one threat you should be aware of: injection attacks. These attacks target weaknesses in your website’s security and are unfortunately quite common. In fact, the well-known organization OWASP ranks injection attacks as the third most significant risk to web application security.
Simply put, injection attacks happen when hackers find a way to sneak harmful data or commands into your website’s code. This can be done in various ways, but the main idea is that the attacker takes advantage of unverified information provided by users (like logging into your site or filling out a form) to cause damage.
The type of damage incurred to your environment depends on the attacker’s goals and the vulnerability they exploit. Bad actors might try to access your website’s database, interfere with how your site functions, bypass security measures, or even take complete control of your website. The consequences of a successful injection attack can be severe, ranging from data breaches (theft) to rendering your site unusable.
So, as a website owner, it’s essential to be aware of injection attacks and take steps to prevent them from happening to your site.
Let’s take a look at the top ten most dangerous injection attacks.
- Cross-site scripting
- SQL injection
- Remote code execution
- Host header injection
- LDAP injection
- XXE injection
- Server-side template injection (SSTI)
- CRLF injection
- Mail command
- NoSQL injection attacks
Cross-site scripting
When a website or app takes information from a user and includes it in the content it displays without checking or altering it, it can create an opening for cybercriminals to sneak harmful code into the site. This type of attack, known as Cross-Site Scripting (XSS), allows hackers to insert malicious scripts into trustworthy websites, which then gets passed along to other users.
The problem is that the victims’ web browsers don’t know that the harmful script shouldn’t be trusted, so they run it as if it were a normal part of the website. This can let the malicious script access personal information stored by the browser, such as login details or cookies. If the script is cleverly designed, it might even change the content of the website itself.
XSS attacks generally fall into two main categories: stored and reflected.
In stored XSS attacks, the harmful script gets saved on the target website — for example, in a forum post, database, or visitor log. Victims encounter the script when their browsers request the affected content from the site. In reflected XSS attacks, the malicious script bounces back as part of a response that includes the victim’s input, such as an error message or search result.
SQL injection
SQL, or Structured Query Language, is a programming language used to communicate with databases to perform various actions, such as retrieving, deleting, and saving data. Unfortunately, attackers can exploit this language to gain unauthorized access to your data through SQL injection (SQLi) attacks. These attacks typically occur when a hacker manipulates the SQL query in a web application by entering malicious code into web form input fields, comment sections, or other areas accessible to users.
When an attacker successfully manipulates an SQL query, they can exploit vulnerabilities in the authentication and authorization procedures of a web application. If successful, the SQL database will execute the malicious commands injected by the attacker. Depending on the type of SQL injection, the attacker can read, modify, add, or delete data from the database, potentially causing significant damage to your website and its users.
To execute an SQL injection attack, the hacker inserts an SQL script into a text input field, which is then sent to the web application. The application, unaware of the malicious nature of the script, executes it directly on the database. This can lead to a range of negative outcomes, such as allowing the attacker to bypass login screens, access sensitive data, modify or destroy database information, or even perform administrative operations on the database.
Remote code execution
Remote code execution (RCE), also known as code injection vulnerability, occurs when attackers manage to input their own application code into your website, causing the server to execute it. For instance, if your website is built using PHP, hackers can inject malicious PHP code that will be executed by the PHP interpreter on your web server.
Common methods of RCE include:
- Code Injection: Attackers inject malicious code into a website or application through input fields, query parameters, or other user-supplied data points. This code is then executed by the server, leading to RCE.
- File Upload Vulnerabilities: If a website allows users to upload files without proper validation, an attacker can upload a malicious script disguised as an image or other file format. Once uploaded, the attacker can execute the script to perform RCE.
- Third-party Software Vulnerabilities: Websites often utilize third-party plugins, themes, or other software components. If these components are not regularly updated or have known security flaws, attackers can exploit them to achieve RCE.
- Server Misconfigurations: Poorly configured servers can allow attackers to exploit security weaknesses, such as weak file permissions or exposed management interfaces, to gain unauthorized access and execute code remotely.
Host header injection
A host header injection is a type of web application attack that involves adding or modifying the Host header in an HTTP request in order to trick the web server into processing the request in a way that is not intended.
The host header is a mandatory field in an HTTP request that specifies the domain name or IP address of the server that the client is communicating with. It is used by the server to determine which virtual host or website the client is requesting.
In a host header injection attack, an attacker manipulates the host header to point to a different domain than the one originally intended. This can allow the attacker to:
- Bypass security controls that rely on the domain name in the Host header
- Conduct phishing attacks by making the victim believe they are interacting with a legitimate website
- Exploit vulnerabilities in the web server or application by manipulating the Host header to trigger unexpected behavior
LDAP injection
The Lightweight Directory Access Protocol (LDAP) is a protocol designed to enable the search for resources (files, devices, or users) within a network. It is highly beneficial for intranets and, when incorporated into a single sign-on system, can store usernames and passwords. LDAP queries utilize special control characters that influence its functionality. Attackers may alter the intended behavior of an LDAP query if they can insert control characters into it.
LDAP is a protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. It is commonly used for authentication, authorization, and accounting purposes in web applications.
In an LDAP injection attack, an attacker sends malicious input to the web application that is not properly sanitized or validated. This input can then be used to modify or bypass the LDAP queries used by the application to authenticate users or access directory services.
LDAP injection attacks can result in various consequences, including:
- Compromising sensitive data stored in the directory, such as user credentials or other confidential information
- Gaining unauthorized access to the system or application
- Executing arbitrary code on the server
XXE injection
XXE injection, or XML External Entity injection, occurs when a website accepts XML inputs without proper security measures in place. If your website processes XML documents and supports old-style document type definitions (DTDs) with weak security, attackers can use specially crafted XML documents to carry out various attacks.
Some of the actions an attacker can perform by exploiting XXE injection vulnerabilities include:
- Accessing sensitive files on the server or other systems accessible to the server
- Retrieving data from internal or external systems through HTTP requests
- Executing arbitrary code on the server or other systems
- Conducting denial of service (DoS) attacks by overloading the server with requests
In contrast to some other attacks that exploit poor validation of user input, XXE injections take advantage of unsafe legacy features in XML parsers, making them particularly dangerous. Therefore, it is crucial to prevent XXE injection attacks by implementing proper security measures and following best practices when handling XML input.
To protect your website from XXE injections, there are several steps you can take. First, you should disable support for DTDs or, at the very least, external entities. This can significantly reduce the risk of XXE injection attacks, as external entities can be used to load malicious content into your website.
Additionally, you should validate and sanitize user input to prevent malicious XML documents from being accepted by your website. This can be achieved by implementing input validation and sanitization procedures, such as removing or encoding certain characters that may be used to inject malicious code.
You should also use secure XML parsers that are not vulnerable to XXE injection, such as modern parsers that have built-in protection against this type of attack. This can help ensure that even if a malicious XML document is accepted by your website, it will not be able to exploit any vulnerabilities in the parser.
Server-side template injection (SSTI)
Server-side template injection (SSTI) is a type of attack that occurs when a hacker injects malicious code into a website’s template, allowing them to execute arbitrary code on the server. This happens when the server-side application fails to properly validate user input before it is mixed with the template engine.
Template engines are used by web developers to generate dynamic web pages by combining templates with data models. They allow developers to easily display information about products, users, and other dynamic content. However, if the web application does not validate user input correctly, an attacker can inject a harmful SSTI payload into the template, leading to remote code execution (RCE). This means that the attacker can take control of the server remotely.
Some popular template engines include Liquid for Ruby, Smarty and Twigs for PHP, Tornado, JINJA, and Mako for Python, Velocity and Freemaker for Java, and Jade and Rage for JavaScript.
SSTI attacks are particularly dangerous because they allow attackers to execute arbitrary code on the server, potentially accessing sensitive data and taking control of the entire system.
CRLF injection
A CRLF injection is when an attacker adds unexpected Carriage Return Line Feed (CRLF) characters to input data that is not properly sanitized or filtered. When used to split an HTTP response header, this attack is called HTTP Response Splitting. Attackers can use specially crafted text streams containing CRLF injections to trick web applications into carrying out unintended and potentially harmful actions, ranging from moderate to severe consequences.
This vulnerability is exploited by inserting CRLF sequences in a text stream to break it up and add unexpected text sequences that the application is not designed to handle. These injections can result in security breaches and significant damage. CRLF injection targets application layer security flaws, and attackers can exploit it to alter application data, compromise its integrity, and exploit other vulnerabilities such as proxy and web server cache contamination, client web browser corruption, defacements, XSS flaws, and hijacking the client’s session.
Mail command injections
Mail command injection is a type of attack that targets email servers and applications which use IMAP or SMTP protocols and fail to validate user input properly. Compared to web servers, IMAP and SMTP servers often lack robust security measures, making them more vulnerable to exploitation. By infiltrating a mail server, attackers can bypass security features like captchas and request limitations.
To carry out a mail command injection attack, the attacker first needs a valid email account, which they can use to send messages containing injected commands. If the server is vulnerable, it will respond to these requests, allowing the attacker to bypass server restrictions and use its services for malicious purposes, such as sending spam emails.
In addition to SMTP injection, attackers also use IMAP injection to exploit webmail applications by exploiting message reading functionality. In this case, attackers input a URL containing injected commands into the address bar of a web browser, causing the server to execute these commands. The consequences of mail command injections can be severe, ranging from unauthorized access to sensitive information to service disruptions.
NoSQL injection attacks
NoSQL injection attacks refer to a type of cyber attack that targets non-relational databases, which do not rely on the SQL query language. NoSQL databases use a variety of product-specific query syntaxes that are written in the application’s programming language, such as PHP, JavaScript, Python, or Java. NoSQL injection attacks occur when attackers exploit unsecured user input processing and manipulate or replace these queries, allowing them to potentially execute harmful commands not only in the database but also within the application itself.
Unlike SQL injections that only affect the database, NoSQL injections can have a wider range of effects as they can potentially access and modify not only the data but also the application logic. As a result, attackers can gain unauthorized access to sensitive data, modify or delete data, bypass authentication and authorization controls, and execute remote code execution attacks, among other harmful actions.
How to prevent an injection attack
Secure coding practices are essential to protecting your website from injection. The following strategies can help you safeguard your website from these threats:
- Validate user inputs: Create an allow-list of valid statements and configure user data inputs based on context. This helps to ensure that only permitted inputs are accepted by your web application.
- Utilize prepared statements: Employ parameterized queries in conjunction with prepared statements to differentiate between code and user input. This prevents user input from being misinterpreted as commands.
- Implement stored procedures: Define and store procedures in the database, which can then be called from the web application as needed. This provides an additional layer of security by limiting direct access to the database.
- Restrict special characters: Disallow the use of string concatenation by limiting special characters in user input. This reduces the risk of malicious code being injected into your application.
- Escape user-supplied input: As a last resort (according to OWASP), escape all input provided by users to prevent any potentially harmful code from executing.
- Minimize the attack surface: Remove any unnecessary features or functionalities in your application that could potentially be exploited by attackers. By doing so, you reduce the number of areas that need to be guarded.
- Apply the principle of least privilege: Grant only the necessary privileges to user accounts and strictly enforce access controls. This limits the potential damage caused by a compromised account.
- Leverage a web application firewall: A web application firewall can help virtually patch vulnerabilities to protect your website against cross-site scripting, RCE, SQL injections, and block malicious requests.
- Use encryption and hashing: Implementing encryption and hashing techniques can help protect sensitive data from being accessed or manipulated by attackers. This includes encrypting passwords, sensitive data in transit, and data at rest.
- Implement multi-factor authentication: Adding an extra layer of authentication can help prevent attackers from gaining access to user accounts, even if they have managed to obtain login credentials through an injection attack.
- Keep software up to date: Regularly update your web application and server software to ensure that any known vulnerabilities are patched, and the latest security features are implemented.
- Educate developers and any contributors: Providing training and education to developers and any contributors on best practices for secure coding and safe browsing habits can help prevent injection attacks and other security breaches.
The responsibility to prevent injection attacks is distributed among website administrators, application developers, and server admins. Consequences of these attacks can result in harmful code being executed in the environment — and in some cases even lead to compromised admin accounts or full takeover of the server environment — highlighting the importance of following security best practices to mitigate risk.
If you believe your website has already been compromised and you need a hand cleaning up an infection and hardening your environment, we can help!