Manual testers always try to test all possible situations that could broke an application or compromise user data. Because of that a manual tester should not think just as an ordinary user, but as individuals who will try to break the application or just to hack the application for user information. There for, applications should be tested from security perspectives, especially defense against injection attacks.
Injection attacks refers to a group of attack vectors that allow the attacker to supply untrusted input to a program. These inputs will be processed by an interpreter as part of a command or query, which will be executed. These methods are amongst the oldest and most dangerous web application attacks.
The most widespread injection attacks are SQL injection (SQLi) and Cross-site Scripting (XSS) injection attacks, especially in legacy applications. They can result in data theft, data loss, loss of data integrity, denial of service, as well as full system compromise. I mentioned these two attack methods, because their attack surface is huge. Understanding the way, they work is easy, and for those who are unexperienced, a lot of add-on tools are provided to abuse these vulnerabilities automatically.
The following is a list of the most common injection attacks. The list doesn’t contain SQLi and XSS because these two will be introduced in a separate blog post, where some of the most used automated add-on tools will be tested, too.
|· Code injection:||Executing operation system commands while running web application. Higher privileges can be gain for compromising the full system.|
|· CRLF injection:||Injects Carriage Return and Line Feed character sequence. Useful together with XSS injection.|
|· Email injection:||Injects IMAP/SMTP statements to a mail server that is not directly available via a web application.|
|· Host header injection:||Abuses the implicit trust of the HTTP Host Header|
|· LDAP injection:||Inject Lightweight Directory Access Protocol statements.|
|· XPath injection:||Inject data into an application to execute crafted XPath queries which can be used to access unauthorized data and bypass authentication.|
To perform a successful injection attack, the attacker needs to place data what will be interpreted as common input. For this thee elements are necessary:
- Because the injection attacks are dependent on the programming language used for the application, this is the first think what has to be determine.
- All possible user inputs should be identified, to know our options where to attack
- Find the weakest input where the application can be the most easily attacked – this is the hardest part.
Knowing these basic thinks could help do a better work as a manual tester, and help the developers find the weak places of the application. It is not necessary to become a professional attacker, but with few basic tools security issues could be found before a real attack attempts.