Learn about how attackers send simple text-based attacks that exploit the syntax of the targeted interpreter.
- [Instructor] Let's go ahead and dive right in. The first item in the OWASP top 10 is called injection. There are many different kinds of injection attacks including SQL injection, command injection, and LDAP injection. I'm going to talk about injection in general terms to help you understand conceptually how this type of attack works. In order to understand how injection works, first you need to understand a very fundamental concept about computer science.
Programs and applications are written in code, and the same code is used to describe both data and commands. This is really cool because it means that code can be very powerful. But it can also result in applications being used in ways that were not originally intended. At a very high level, here is how web applications and other computer programs work. A developer writes static code, which is then sent to an interpreter.
The interpreter, you guessed it, interprets the code into a program, which is then executed. Because of the nature of both data and commands being represented as code, it's up to the interpreter to figure out which pieces of code are data, and which pieces of code are commands. Let's take a closer look at this idea. Say you have a piece of code and its intended use is to specify a command and some data. The data, of course, is specified by code.
Because code can specify either data or a command, imagine that the code which is intended to specify data is instead replaced by code that actually specifies a command. This is fundamentally what is happening in any sort of injection-based attack. Code which was intended as data is instead specified as a command, resulting in the application behaving in a way that was not originally intended.
In this scenario, an important security principle is being violated. It's the concept of access control, which basically says that each role or user should have specific access to certain systems, functions, and data. In this case, a web application is supposed to control the commands, and the user is supposed to provide the data. But in an injection attack, instead of specifying data, the user is able to specify a command.
This means that for applications which are vulnerable to injection attacks, hackers can in fact direct the system to perform an action which could lead to data exposure, loss of data integrity, and even data deletion.
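The data-versus-command boundary described in the transcript, shown as an added example that is not part of the course material: the same lookup is written once by splicing user input into the SQL text and once with a bound parameter. The `notes` table, the function names and the sample inputs are assumptions constructed for this illustration.

```python
import sqlite3

# Constructed sample input: text that is meant to be data but contains SQL syntax.
CONSTRUCTED_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice-note"), ("bob", "bob-note"), ("o'brien", "obrien-note")],
    )
    return db


def notes_concatenated(db, owner):
    # Vulnerable form: the input becomes part of the SQL text, so the
    # interpreter decides which characters are data and which are command.
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]


def notes_parameterized(db, owner):
    # Hardened form: the command is fixed by the application and the input
    # travels separately as a bound value, so it can only ever be data.
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in db.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    # The input changes the WHERE clause and every owner's row comes back.
    print("concatenated: ", notes_concatenated(db, CONSTRUCTED_INPUT))
    # The same input is compared as a literal owner name and matches nothing.
    print("parameterized:", notes_parameterized(db, CONSTRUCTED_INPUT))
    # A legitimate name with an apostrophe also breaks the concatenated query.
    try:
        notes_concatenated(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated, o'brien:", exc)
    print("parameterized, o'brien:", notes_parameterized(db, "o'brien"))
```

The apostrophe case is a useful review signal: if ordinary input containing a quote causes a syntax error, the query is being assembled from input text and should be converted to bound parameters.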