Injection attacks are attacks in which untrusted input is slipped into a place where your system interprets it as code or commands: a SQL statement, a shell command, an LDAP filter, or a script in a web page. The attacker does not need to break into the host first; the application itself carries the malicious input to an interpreter and runs it.
Attackers inject this input by taking advantage of vulnerabilities present in your system, most often code that builds a query or command by pasting untrusted data into it.
There are many kinds of injection attacks. Some of the most common are:
- SQL injection
- Cross-site scripting (XSS), i.e. HTML/JavaScript injection
- Code injection
- OS command injection
- LDAP injection
How do injection attacks work?
The one thing common to all injection attacks is an entry point: some input the application accepts and later hands to an interpreter without separating data from instructions. An attacker planning an attack on your website first tries to find out what components it is built from: which database, which operating system, which programming language or framework.
For example:
SQL injection targets the database by smuggling SQL into a query the application builds from user input. OS command injection targets the operating system through code that passes user input to a shell. Cross-site scripting targets your users' browsers by injecting HTML or JavaScript into pages the application renders.
In short, every injection attack targets a specific interpreter, and once the attacker's input reaches it, the damage can extend to your data, your hosts, and your reputation as a software developer.
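To make the entry point concrete, here is an added example (not code from the original article) in Python with SQLite showing a login check that builds its SQL by string concatenation, which is the dynamic query generation discussed later. The users table, the credentials and the two attack strings are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original article).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_login_query(name: str, password: str) -> str:
    """Dynamic query generation: user-supplied text is pasted straight into
    the SQL, so the database cannot tell data from instructions."""
    return ("SELECT name FROM users WHERE name = '" + name
            + "' AND password = '" + password + "'")


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Return the names the query matches; a non-empty list means 'logged in'."""
    rows = conn.execute(build_login_query(name, password)).fetchall()
    return [row[0] for row in rows]


def demo() -> dict:
    """Run the honest case and two constructed attack inputs side by side."""
    conn = make_db()
    results = {
        # Honest user with the wrong password: no rows, login denied.
        "wrong_password": vulnerable_login(conn, "alice", "wrong"),
        # Name payload: the quote closes the string and '--' comments out the
        # password check, so the query becomes
        # SELECT name FROM users WHERE name = 'alice' --' AND password = 'x'
        "comment_out_password": vulnerable_login(conn, "alice' --", "x"),
        # Password payload: AND binds tighter than OR, so the WHERE clause is
        # (name='' AND password='') OR '1'='1', true for every row.
        "tautology": sorted(vulnerable_login(conn, "", "' OR '1'='1")),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, names in demo().items():
        print(f"{case}: {names}")
```

The point is that nothing on the database side is "broken": SQLite executes exactly the statement it was given. The entry point is the concatenation in build_login_query, which lets a quote character in the input end the data and start new instructions.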
How to prevent injection attacks?
1. Incoming data verification and validation
Injection attacks are carried by data, so to prevent them we must design and develop the application or website so that any incoming data is validated before it is processed. Broadly speaking, there are two types of validation every application and website should do:
- Positive validation (allow-listing) – the application checks that the data is what it expects: Is this data allowed? Is it in the expected format, length and character set? Only data that passes every expected-value check is accepted.
- Negative validation (deny-listing) – the application checks for what is known to be bad, for example SQL keywords or shell metacharacters, and rejects data that matches. This catches known attack patterns but misses encodings and variants the list does not contain, so it should never be the only check.
In short, checking both what is allowed and what is not allowed helps protect an application against attack, with positive validation doing the heavy lifting.
2. Limited access privileges
If an attacker does manage to inject malicious data into your application or website, a second layer of protection should contain the damage: the access privileges the application and its users run with. Do not grant full privileges to a user; define privilege levels in the application so that each component has only the access it needs.
For example, to run an executable on the system an attacker typically needs administrator-level access. If the admin account has strong password protection and ordinary users are prevented from performing admin operations, the attack can still be blocked even after malicious data has entered the system. For databases this is especially important: the account the application connects with should have only the rights it needs, for instance read access to specific tables and no permission to alter or drop them.
3. Prepared statements and stored procedures
To perform operations in your application you need to run queries, and there are two ways to build them. The first is prepared statements (parameterized queries) or stored procedures, where the query structure is fixed in the source code and user input is passed only as bound parameters.
Because the structure is written by the developers and tested and verified before release, user data cannot change what the query does. (A stored procedure that itself assembles SQL from its arguments gives up this guarantee.) The second way is dynamic query generation and execution, where the query text is assembled at run time from user-supplied data. This approach is risky because it hands users control over the query itself.
The best practice is to avoid dynamic query generation. If it is unavoidable for your application, you must make sure the user-supplied data cannot change the meaning of the query, by escaping it with the database driver's own quoting routine and validating it strictly, and you should still run the query under limited privileges.
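The three measures above work as layers, so here is an added example (not the article's code) in Python with SQLite that applies all of them to the same login check: an allow-list regular expression for the username (section 1), a SQLite authorizer callback standing in for a least-privilege database account, since SQLite has no user accounts (section 2), and a parameterized query (section 3). The sample users, the username pattern and the attack strings are constructed for the example; real code would compare password hashes, not plaintext.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original article).
# Passwords are stored in plaintext only to keep the example short.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Positive validation: the only shape of username we expect (assumed policy).
# Quotes, spaces and comment markers can never pass this check.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def restrict_privileges(conn: sqlite3.Connection) -> None:
    """Limited access privileges. SQLite has no user accounts, so an
    authorizer callback plays the role of a read-only database role: the
    connection may SELECT from the users table and nothing else. With a
    server database this would be a GRANT SELECT to the app's account."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "users":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # INSERT, UPDATE, DELETE, DROP, ...
    conn.set_authorizer(authorizer)


def safe_login(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Validate first, then bind: the SQL text is fixed in the source and the
    driver sends the values separately, so they can never become SQL."""
    if not is_valid_username(name):
        return []
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchall()
    return [row[0] for row in rows]


def try_destructive(conn: sqlite3.Connection) -> bool:
    """Stand-in for an injected statement that reached the database anyway.
    Returns True if it ran, False if the privilege layer refused it."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.Error:            # SQLite reports 'not authorized'
        return False


def demo() -> dict:
    conn = make_db()
    restrict_privileges(conn)        # lock down only after the table is loaded
    results = {
        "honest": safe_login(conn, "alice", "s3cret"),
        # Rejected by positive validation before any SQL runs.
        "comment_out_password": safe_login(conn, "alice' --", "x"),
        # Passes validation (the name is fine) but the payload is bound as a
        # literal password value and simply does not match any row.
        "tautology": safe_login(conn, "alice", "' OR '1'='1"),
        "delete_allowed": try_destructive(conn),
        "rows_left": len(conn.execute("SELECT name FROM users").fetchall()),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value}")
```

Each layer catches something the others do not: validation stops the comment payload before the database sees it, parameter binding makes the tautology harmless even though it passed validation, and the authorizer refuses the DELETE even when a statement with no validation at all is handed to the connection.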