OWASP A01 - Injection

Showing 14 articles

#1

Code Injection
Scripting languages often have functions, such as eval(), that allow interpreting a string or a file as a part of the application. The danger of using these functions is that, under certain conditions...

#2

LDAP Injection
Lightweight Directory Access Protocol (LDAP) is a widely used protocol for accessing directory services. Directories provide a set of attributes about people that are organized in a hierarchical manne...

#3

XML External Entity (XXE) Injection
XML external entity (XXE) injection vulnerabilities occur when the XML processor allows the attacker to control data loaded into the XML document as "external entities." Some XML processors support a...

#4

Connection String Injection
Applications use connection strings to specify credentials used to access databases. If the application includes unvalidated user input in connection strings, an attacker might be able to change what...

#5

SQL Injection

SQL injection is a type of vulnerability in database access code that allows attackers to execute unauthorized queries on the database. SQL injection vulnerabilities are caused by concatenating data...

#6

XQuery Injection
XQuery injection vulnerabilities occur when untrusted data is concatenated into XQuery queries, which allows the attacker to execute arbitrary queries. XQuery injection vulnerabilities are similar to...

#7

XPath Injection
XPath injection is a type of vulnerability that allows attackers to execute arbitrary queries on XML databases. XPath injection vulnerabilities are similar to SQL injection vulnerabilities, but they a...

#8

File Upload
File upload vulnerabilities allow attackers to upload malicious code. (Technically, allowing users to upload anything that the application's design doesn't account for can be considered a file upload...

#9

Remote File Inclusion
Remote file inclusion (RFI) occurs when the application executes a file located on an external server, which is usually controlled by the attacker. This enables the attacker to execute arbitrary code...

#10

XSLT Injection
XSLT injection occurs when the application concatenates untrusted data into an XSL stylesheet. This allows the attacker to manipulate the document that is produced when the XSL stylesheet is rendered...

#11

SSI Injection

Server-side Include (SSI) injection vulnerabilities occur when the application allows creation of files that contain Server-side Include directives. If an attacker is able to create files that contain...

#12

Mail Command Injection
Mail command injection vulnerabilities occur when an application implements its own email client code and concatenates user data with email commands. There should be no reason to implement email clien...

#13

Command Injection
Applications often execute external commands as a part of their functionality. If the attacker is able to manipulate the choice of external commands or their parameters, the attacker will be able to a...

#14

XML Injection
XML injection occurs when an attacker is able to supply data to the application that is interpreted as a part of an XML document in a manner that violates the intended use of XML by the application. X...