Injection 101

Injection is one of the best-known classes of vulnerability, and, surprising no one, its undisputed poster child is SQL injection. It's hard to avoid hearing about SQL injection in the tech world, so that is where we'll start.

With SQL Injection, it’s possible to manipulate the behavior of an SQL query into doing the bidding of an attacker. 

There are also many other types of injection that, while different on their surface, all work based on the same principle. 

Just to recap, some of the most common injection types are:

  • SQL Injection
  • Cross-Site Scripting (HTML/JavaScript injection)
  • Path Traversal (Path/URL injection)
  • Command Injection
  • Code Injection 

A Little Injection 101

If you look at the previous list of injection types, they all have one thing in common: each involves a string that is run through an interpreter, which then does whatever the string represents. In the examples below, "user input" is marked with curly brackets.

| Type | Example input | How it's interpreted |
|------|---------------|----------------------|
| SQL | `SELECT name FROM users WHERE username = '{admin}'` | Selects the `name` column from the rows of the `users` table where the username is `admin` |
| HTML | `<b>{John Smith}</b>` | Shows the name "John Smith" in bold letters |
| Path | `/var/www/app/documents/{privacy-policy.pdf}` | Points at the file `privacy-policy.pdf` in the `/var/www/app/documents/` folder |
| Command | `ping {8.8.8.8}` | Sends a series of ICMP pings to the IP `8.8.8.8` |
| Code | `const name = '{John Smith}';` | Sets the constant variable `name` to the value `John Smith` |

So, what would happen if the insertion of user input was insecure? What could an attacker do? Again, everything within the curly brackets is considered "user input" in this scenario.

| Type | Example input | How it's interpreted |
|------|---------------|----------------------|
| SQL - Injected | `SELECT name FROM users WHERE username = '{1' UNION SELECT passwordhash from users WHERE username = 'admin}'` | Selects the `name` from the rows of the `users` table where the username is `1` (matching nothing), unioned with the password hash of the user whose username is `admin` |
| HTML - Injected | `<b>{<script>alert("XSS");</script>}</b>` | Instead of showing a name in bold, the browser parses the `<script>` element and runs it (here, an alert box) |
| Path - Injected | `/var/www/app/documents/{../../../../../etc/shadow}` | Points at the file `shadow` in the `/etc/` folder |
| Command - Injected | `ping {8.8.8.8 && ls . }` | Sends a series of ICMP pings to the IP `8.8.8.8`, and then prints the contents of the current directory with `ls` |
| Code - Injected | `const name = '{John Smith'; exec('ls .'); # }';` | Sets the constant variable `name` to the value `John Smith`, and then executes the system command `ls .` |

In these examples, note how the user input changes what the interpreter actually does: the quote, the `<script>` tag, the `../` segments and the `&&` are all read as syntax rather than as data.

This is the essence of what injection is. It's influencing what gets passed to the interpreter, in order to get it to do something other than what the original programmer intended.
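To make that principle concrete, here is an added example (not code from the original article) that takes the user-supplied strings from the two tables above and feeds each one first to a naive implementation that splices the input into the interpreter's text, then to one that keeps the input as plain data: a bound SQL parameter, entity-encoded HTML, a normalised path that is checked against the document root, and a validated argument list that is never handed to a shell. The in-memory user table, the placeholder hash values and the document root are constructed for this demo; nothing touches a real database, file or network. Code injection has no "safe" variant to show because the fix is simply never to build source text from input.

```python
"""Added example (not code from the original article): the user-supplied
strings from the tables above, each fed to a naive implementation that splices
the input into the interpreter's text, and then to one that keeps the input
as plain data. The user table, hash values and document root are constructed
for this demo; nothing here touches a real database, file or network."""
import html
import ipaddress
import posixpath
import sqlite3

# Constructed in-memory user table with placeholder (not real) password hashes.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT, name TEXT, passwordhash TEXT)")
db.executemany(
    "INSERT INTO users VALUES (?, ?, ?)",
    [("admin", "Site Admin", "<placeholder-admin-hash>"),
     ("jsmith", "John Smith", "<placeholder-jsmith-hash>")],
)

# --- SQL ---------------------------------------------------------------------
def lookup_name_vulnerable(username):
    # The input becomes part of the SQL text, so its quote and UNION are obeyed.
    query = f"SELECT name FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(query).fetchall()]

def lookup_name_safe(username):
    # A bound parameter is only ever a value; the SQL parser never sees it.
    query = "SELECT name FROM users WHERE username = ?"
    return [row[0] for row in db.execute(query, (username,)).fetchall()]

# --- HTML --------------------------------------------------------------------
def bold_name_vulnerable(name):
    # Raw input lands in the markup: a <script> element is parsed as script.
    return f"<b>{name}</b>"

def bold_name_safe(name):
    # Entity-encoding <, >, & and quotes makes the browser render the input as text.
    return f"<b>{html.escape(name)}</b>"

# --- Path --------------------------------------------------------------------
DOC_ROOT = "/var/www/app/documents"  # constructed document root, as in the table

def document_path_vulnerable(filename):
    # Joining and normalising honours every '..' segment, so the result can
    # land anywhere on the filesystem.
    return posixpath.normpath(posixpath.join(DOC_ROOT, filename))

def document_path_safe(filename):
    # Normalise first, then require the result to still lie under DOC_ROOT.
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, filename))
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        raise ValueError(f"refusing path outside {DOC_ROOT}: {filename!r}")
    return candidate

# --- Command -----------------------------------------------------------------
def ping_command_vulnerable(host):
    # One string handed to a shell: '&&' is shell syntax, not part of the host.
    return f"ping {host}"

def ping_command_safe(host):
    # Validate the input against the shape we expect, then build an argument
    # list for subprocess.run(..., shell=False) so no shell ever parses it.
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
    return ["ping", "-c", "1", host]

def is_rejected(func, value):
    """True when func refuses value with ValueError (used by the demo below)."""
    try:
        func(value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    payloads = {  # the injected inputs from the second table above
        "sql": "1' UNION SELECT passwordhash FROM users WHERE username = 'admin",
        "html": '<script>alert("XSS");</script>',
        "path": "../../../../../etc/shadow",
        "cmd": "8.8.8.8 && ls .",
    }
    print("SQL  vulnerable  :", lookup_name_vulnerable(payloads["sql"]))
    print("SQL  safe        :", lookup_name_safe(payloads["sql"]))
    print("HTML safe        :", bold_name_safe(payloads["html"]))
    print("Path vulnerable  :", document_path_vulnerable(payloads["path"]))
    print("Path safe rejects:", is_rejected(document_path_safe, payloads["path"]))
    print("Cmd  safe rejects:", is_rejected(ping_command_safe, payloads["cmd"]))
```

Run it with `python injection101.py`. The vulnerable SQL lookup returns the admin's password hash while the parameterised one returns nothing, because the whole payload is compared as a literal username; the path and command checks refuse their payloads outright rather than trying to clean them up, which is the safer default when the input does not match the shape the program expects.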

Those are just the basics to consider. We’ve separated some of the different injection types onto their own pages because they deserve a little more attention. 

You can find them here:

  • Command injection
  • Path traversal
  • SQL injection
  • Cross-Site Scripting

Secure Code Warrior Learning Platform