Injection Attack

Question :

• What is Injection Attack?

• What are the types of injection attack?

• What is mechanism used for Injection ?

• What are other types of injection attack ?

• What is motive behind the injection attack?

• What are the impacts of injection attack?

• How prevent the injection attack through test ?

• What is the accessibility and injection security ?

• What are the organization perspective for injection security ?

Answer :

Injection Attack

Injection attack is a type of attack where the attacker inserts fake or untrusted data into the interpreter which executes like an command on the web platform without any authorization. Basically Injection attack is related with the SQL Database. Attacker inserts the code into the SQL database through the web to get the sensitive administrative information to access the critical or private data from the SQL Database. For example, SQL injection attack of Microsoft Internet Information Web and SQL Database server performed by the attacker in 2008 where five Lac websites were attacked and exploited.

Types of Injection Attack

There are three categories of injection attack. These three categories of attacks are as follows.

• First order Injection - A malicCodeious string is used by attacker which cause to modify the code and execute on the database through web.

• Second Order Injection - A table row is injected by attacker as by considering the trusted source for injection by attacker.

• Delayed or Late Injection - The internal functions are modified by the attacker to inject the code into the implicit function.

Injection Mechanism

There are various injection mechanisms to perform the injection attack by the attackers. These mechanisms are as follows,.

• Code injection with the user Input.

• Code injection by the cookies

• Code injection by use of variable of server

• Injection of SQL query through web

Other Types of Injection Attack

• Shell Injection

• Injection of XML

• Injection Xpath

• Injection of LDAP

• Injection of SMTP

Injection  Attack Motive

The motive behind the injection attack by the attacker are detailed as follows.

• To know about the database schema connected to web Interface

• Getting data from the database system

• Modification and addition of data into the database

• Discarding the authentication to access the data items from database

Impact of Injection Attack

The impact of injection attack is very catastrophic in nature with following losses to the organization.

• Leak of the sensitive and critical information of organization

• Deletion or modification of the critical data

• Control loss on the database server

• Loss of the data

• Service denial

Prevention of Injection

Developer should apply the following the strategies while developing the code for database and web system by following ways.

• Coding of the web and database system must be defensive by employing security mechanisms

• Attack detection and prevention techniques should be in place with the web and database system.

Prevention of Injection Through Testing

The testing strategies should be employed to test the database and web system sufficiently to validate the security by various techniques of injections.

• Make sufficient input validation while testing.

• Perform different types of injection vulnerabilities to test robustness

Accessibility and Injection Security

• Apply constant access to the connected database through website

• Deploy web application firewall with port 443 to prevent the attacker to enter

• Filter all the inputs of the website users

• Apply to filter all email addresses.

• Limit the privilege on the database Organizational Perspective for Injection Security

• Use strong two way authentication mechanism

• Deploy the Authentication server with web application

• Train and educate the workers about the injection

• Deploy the administrative control over the web and database system