Open Web Application Security Project
In this post we’ll look into some common vulnerabilities and how they can be exploited.
INJECTION
Injection flaws are very common and have a low severity, but they can be used to bring down a website and hurt its reputation. How an injection works depends on the technology in use and on how that technology interprets its input. At its core, an injection is input supplied by a user that the application ends up executing as a command or query.
Examples →
- SQL Injection: when user input is taken as an SQL query or as a parameter to one.
- Command Injection: similar to SQL Injection, the user (attacker) can manipulate the commands executed and take control of a web server.
The harm caused can range from deletion of a database and theft of sensitive information to gaining control over the users’ systems.
The main defence for preventing injection attacks is ensuring that user controlled input is not interpreted as queries or commands. There are different ways of doing this:
- Using an allow list: when input is sent to the server, this input is compared to a list of safe input or characters. If the input is marked as safe, then it is processed. Otherwise, it is rejected and the application throws an error.
- Stripping input: If the input contains dangerous characters, these characters are removed before they are processed.
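The two defences above, shown as an added example that is not code from the original post: a vulnerable lookup that splices input into the query text, the same lookup using the driver's placeholder binding (which is how "not interpreted as a query" is normally achieved in practice), and an allow-list check in front of it. The table, rows and sample input are constructed here.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])


def lookup_vulnerable(name: str) -> list:
    """User input is spliced into the query text, so the database reads it as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(name: str) -> list:
    """Placeholder binding: the driver passes the input as a value, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Allow list for a field that may only hold a simple account name (constructed rule).
ALLOWED_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def lookup_allowlisted(name: str) -> list:
    """Reject anything outside the allowed character set before it reaches the query."""
    if not ALLOWED_NAME.fullmatch(name):
        raise ValueError("input rejected: not a valid account name")
    return lookup_parameterized(name)


if __name__ == "__main__":
    sample = "x' OR '1'='1"  # constructed input of the kind the text describes
    print(lookup_vulnerable(sample))      # every row: the input became part of the query
    print(lookup_parameterized(sample))   # []: the input was compared as a literal value
    try:
        lookup_allowlisted(sample)
    except ValueError as err:
        print(err)                        # rejected before any query runs
```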
OS Injection → A scenario in which the server-side scripting code interacts with the host system, letting an attacker execute OS commands on it. The attacker can run whoami to learn, and then impersonate, the user the server is running as. This opens up many paths to an insecurity-loving attacker.
A shell is a user interface for access to operating system services. A reverse shell is a remote shell, where the connection is made from the system that offers the services to the client that wants to use these services. Attackers can also use web shells instead of reverse shells.
Blind command injection occurs when the output of the system command run on the server is not returned to the user in the HTML document. Active command injection does return the output to the user, where it can be made visible through several HTML elements.
Check these Linux commands: [Pipe, Grep and Sort Command in Linux/Unix with Examples](https://www.guru99.com/linux-pipe-grep.html) (guru99.com)