Injection Attack Definition:
Injection is a type of security vulnerability where an attacker sends untrusted data to a programme or web application, tricking it into executing unintended commands or accessing unauthorised data.
What is an Injection Attack?
Injection vulnerabilities occur when an application allows user input to be interpreted as code or commands. Common types of injection include SQL, NoSQL, OS command, and LDAP injection, among others.
Why are Injection Attacks important?
Injection Attacks are dangerous because they can allow attackers to access sensitive data, modify or delete data, or take control of the underlying system. It’s one of the top security risks identified by OWASP.
How does an Injection Attack work?
Injection works by submitting malicious input into a vulnerable system, such as a web form or URL. When the input is processed, it’s executed as part of a command or query rather than being treated as mere data.
Injection Attack Examples:
A classic example of SQL injection is entering `'; DROP TABLE users;--` into a login form: if that input is concatenated into the query rather than properly sanitised, the quote closes the intended string, the semicolon starts a new statement, and the resulting SQL could drop the entire users table.
Injection Attack Issues:
The main issue with injection vulnerabilities is improper handling of user input. Applications should always sanitise and validate inputs, use parameterised queries, and avoid directly incorporating untrusted data into commands.
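As an added illustration of the login-form example above and of the parameterised-query advice (this is new example code, not part of the original page), the following Python compares a login query built by string concatenation with one that binds the input as a parameter; the in-memory SQLite database, the `users` table and the function names are constructed assumptions.

```python
import sqlite3

# The input from the example above, as the attacker would type it into the form.
PAYLOAD = "'; DROP TABLE users;--"

def make_db():
    """Constructed sample database: an in-memory SQLite file with one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return conn

def users_table_exists(conn):
    """Check the schema catalogue so the test can see whether the table survived."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None

def build_vulnerable_query(username, password):
    """Vulnerable pattern: untrusted input is pasted into the SQL text, so a
    quote or semicolon in the input becomes SQL syntax instead of data."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    """Runs the concatenated text. executescript() executes every statement in
    the string, which is exactly what the ';' in the payload relies on."""
    conn.executescript(build_vulnerable_query(username, password))

def login_safe(conn, username, password):
    """Hardened pattern: the SQL text is fixed and the driver binds the values
    separately, so the payload is compared as a literal string, never parsed."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] == 1
```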