Software Security

Injection attacks

Last updated 3 years ago

Injection

Injection attacks are very prevalent, particularly in legacy code. They allow attackers to supply untrusted data to an application, which gets processed as part of a command or query and may alter the intended execution flow of that application. There are many variants:

  • SQL injection
  • LDAP injection
  • NoSQL injection
  • OS command injection
  • XML parser injection
  • SMTP header injection
  • Expression language injection
  • HTML injection
  • Script injection (XSS)

In this course we will cover SQL injection and command injection briefly. The focus will be on cross-site scripting (XSS), since that is a vulnerability that is still widespread in modern web applications today.

Source attribution

Some parts of this page are based on OWASP A1 Injection, which is licensed under FLOSS.
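The common root cause behind the variants listed above is that untrusted input is pasted into the text of a query or command, so the input can change the structure of that query or command rather than only the value being compared or passed. The following added example (not code from the course page) shows this for two of the listed variants, SQL injection and OS command injection, each as the vulnerable string-building version next to a fixed version that keeps the structure fixed in code and passes the input only as a value. The users table, the inputs and the function names are all constructed for this demo; the command part assumes a POSIX shell.

```python
# Added example, not from the course page: the same root cause in two of the
# injection variants listed above (SQL injection and OS command injection).
# Each variant shows the vulnerable pattern, in which untrusted input is
# concatenated into the text of a query or command, next to the fix, in which
# the query/command structure is fixed in code and the input travels only as a
# value. Table contents and the hostile strings are constructed for the demo.
import sqlite3
import subprocess


def make_db():
    """Constructed sample data: a three-row users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """SQL injection: `name` becomes part of the SQL text, so a value containing
    a quote can close the string literal and append its own conditions."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Fix: parameterised query. The SQL is complete before `name` is seen; the
    driver binds it as data, so quotes in it are just characters to compare."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def greet_vulnerable(name):
    """OS command injection: `name` is spliced into a command line that a shell
    parses, so shell metacharacters in it are interpreted as command syntax.
    Uses `echo` only, so the demo itself is harmless (POSIX shell assumed)."""
    cmd = "echo " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def greet_safe(name):
    """Fix: no shell, argv list. `name` is always exactly one argument to
    `echo`, whatever characters it contains."""
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


def demo():
    """Run both variants with an ordinary input and with a hostile one; returns
    a dict so the contrast can be inspected or asserted on."""
    conn = make_db()
    ordinary = "bob"
    hostile_sql = "x' OR '1'='1"          # constructed: closes the literal, adds a true condition
    hostile_cmd = "hello; echo injected"  # constructed: ';' ends the first shell command
    return {
        "sql_vuln_ordinary": find_user_vulnerable(conn, ordinary),
        "sql_vuln_hostile": find_user_vulnerable(conn, hostile_sql),
        "sql_safe_hostile": find_user_safe(conn, hostile_sql),
        "cmd_vuln_hostile": greet_vulnerable(hostile_cmd),
        "cmd_safe_hostile": greet_safe(hostile_cmd),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the contrast directly: the concatenated query returns every row for the hostile input while the parameterised one returns none (there is no user literally named `x' OR '1'='1`), and the shell-built command prints two lines while the argv version prints the input back as a single line. The fix in both cases is structural, not an escaping routine applied to the input; input validation, covered later in the course, is a useful second layer but not a replacement for it.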