Category: Injection

Command Injection: The Good, the Bad and the Blind

Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. For that reason it’s generally a high impact issue. It can be exploited simply by chaining commands along with the expected input by using shell control characters such as:

 ` & or |

Continue reading: Command Injection: The Good, the Bad and the Blind

SQL Injection: Basics and Defence

Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host/network compromise.

Continue reading: SQL Injection: Basics and Defence

XXE Cheatsheet – XML External Entity Injection

All the fun of the post on XML External Entities (XXE) but less wordy!

 

<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
 <userInfo>
  <firstName>John</firstName>
  <lastName>&example;</lastName>
 </userInfo>

Continue reading: XXE Cheatsheet – XML External Entity Injection

XXE: XML eXternal Entity Injection vulnerabilities

Here’s a quick write-up on XXE, starting with how to detect the vulnerability and moving on to how to fix it! XXE is a vulnerability in the way that XML parses handle user input and if an attacker is able to enter arbitrary or crafted data into an XML parser they may be able to inject entities and this could leave to file disclosure, denial-of-service attacks or in rare cases – code execution!

Continue reading: XXE: XML eXternal Entity Injection vulnerabilities