Injection

A type of attack in which untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended actions. Typically it happens when an attacker finds a way to send HTML, CSS, JavaScript code, database queries, or similar input through a request parameter, a form field, the website URL, or another input channel.

We can find several ways of carrying out this type of attack:

  • Cross-Site Scripting (XSS): Injects malicious JavaScript code into a web page

  • SQL Injection (SQLi): Injects malicious SQL into a database query by mixing user input into SQL statements that are built from strings; NoSQL database queries can be attacked in the same way

  • Command Injection: Executes arbitrary system commands on a server or application

  • Server-Side Template Injection (SSTI): Injects template syntax through user input that an application using a template engine handles or validates improperly

  • LDAP Injection: Manipulates LDAP queries for unauthorized directory access

  • XPath Injection: Alters XML Path Language (XPath) queries for unauthorized access to XML data

  • XXE Injection: Manipulates XML data or queries to inject malicious data

  • SMTP/Email Injection: Exploits vulnerabilities in email systems to inject malicious emails

  • Expression Language (EL) Injection: Injects malicious input into Expression Language (used in Java-based applications)

  • CRLF Injection: Injects carriage return and line feed characters into HTTP headers to manipulate responses
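The common thread in every entry above is that user input reaches an interpreter as code rather than as data. The following example, added here and not part of the original page, shows that mechanism for the SQL Injection entry: a lookup built by string concatenation beside the same lookup using a parameterised query. It uses Python's built-in sqlite3 module with an in-memory database and a constructed two-row users table, so it runs offline; the function and table names are this example's own assumptions.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table so the example runs offline.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def setup_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Builds the query by string concatenation: the input becomes part of the
    SQL text, so the interpreter (SQLite) parses it as code, not as data."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Uses a parameterised query: the input is bound as a value, so whatever
    it contains, it can only ever match (or fail to match) a name."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a tautology, and return
    the rows each variant produced so the difference can be inspected."""
    conn = setup_db()
    # Benign input: both functions return the same single row.
    benign = "alice"
    # Input that the concatenated query interprets as SQL: the quote closes the
    # string literal and the trailing condition is always true, so the WHERE
    # clause no longer filters anything.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),
        "safe_benign": find_user_safe(conn, benign),
        "vulnerable_tautology": find_user_vulnerable(conn, tautology),
        "safe_tautology": find_user_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the benign name both variants return the single matching row. With the tautology input the concatenated version returns every row in the table, because the input changed the structure of the query, while the parameterised version returns nothing, because the input was compared as a literal name. The same separation of code from data is the mitigation for the other entries in the list: bound parameters for SQL/NoSQL/LDAP/XPath, argument arrays instead of shell strings for command execution, context-aware output encoding for XSS, and rejecting control characters in header values for CRLF.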
