Web Application Injection Attack Types Guide

Online attacks have evolved since the internet’s earliest days. Back then, brute force was a go-to solution for bots or individuals with the time to try countless login combinations before they stumbled upon the right ones to enter an application.

However, such brute-force attacks pose no issue to users today, due to the proliferation of complex password policies, captchas, and similar controls. Still, cybercriminals work hard to identify system vulnerabilities and exploit them via new attack types.

This is how injection attacks emerged not so long ago: hackers found that text fields on website pages or applications could be tricked by typing (or “injecting”) unexpected data into them. This would lead the application to take an action it wasn’t meant to.

These injection attack techniques can be employed to enter an application without key access details, and to release personal data. Hackers may even use injection attacks to hijack servers for their own nefarious goals.

That’s why injection attacks pose a threat to applications and those users whose information is contained within. Other connected services or applications could be at risk, too.

In this post, we explore the nine most popular types of injections to help you stay vigilant.

Types of injection attacks

Code injection

A code injection is one of the most popular types of injection attack endangering businesses’ and users’ data. Any hacker who knows a web application’s framework, programming language, OS, or database can enter malicious code into available fields. This enables them to make the web server behave as they’d like it to.

Code injections tend to be viable on applications with no validation for data entered into a text field. If it allows users to put any information they like into a field, the application can be exploited. That’s why applications have to control what details users can submit as much as possible.

Such tactics may involve limiting the characters accepted or checking the format in which data is entered. Vulnerability to code injection can be simple to identify by inputting different forms of content into a text field. If a hacker is able to exploit a weakness in the code, they may compromise the application’s performance, data confidentiality, and more.

SQL injection

Attackers perform SQL injections by putting an SQL script into a text field, which is passed on to the application and executed. This means attackers can get through entry screens and even gain access to confidential data from an application’s database. They might be able to conduct administrative tasks and change or destroy information.

Applications based on ASP or PHP tend to be at risk of SQL injections because their interfaces are less sophisticated than more updated alternatives (such as ASP.Net or J2EE builds). Attackers can wreak major havoc on applications when they find SQL injection opportunities.
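To make the mechanism concrete, here is an added example (not code from the original post) of a login check written two ways against a constructed SQLite table: one that splices the text-field values into the SQL string, and one that passes them as parameters so the query structure stays fixed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with a single user (sample data for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # The field values are pasted straight into the SQL text, so quotes and
    # operators typed by the user become part of the query itself.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    # Placeholders keep user input as data; the SQL structure cannot change.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0

def demo() -> dict:
    conn = make_db()
    # A tautology typed into the username field, with no knowledge of any password.
    injected = "alice' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hash-of-alice-password"),
        "legit_parameterized": login_parameterized(conn, "alice", "hash-of-alice-password"),
        "injected_vulnerable": login_vulnerable(conn, injected, "wrong"),
        "injected_parameterized": login_parameterized(conn, injected, "wrong"),
    }
```

The vulnerable query accepts the injected username with a wrong password because the typed `OR` has rewritten the WHERE clause; the parameterized query treats the same text as a username that does not exist.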

Command injection

Hackers can take advantage of weak validation on input data for command injections, which are different from code injections because the attacker uses system commands rather than scripts or code.

This means that the cybercriminal responsible has no requirement to understand the application’s programming language or that of the database itself. However, hackers do have to be familiar with the hosting server’s OS to be successful.

Any commands inserted will be executed by the OS. As a result, attackers can expose various forms of data, change passwords to leave users locked out, and more. However, companies can limit such attacks by having a sysadmin restrict the access level of applications running on their server.
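As an added example (not from the original post), the same host lookup written two ways in Python: one that hands a form value to the shell, and one that validates it against a hostname allowlist and passes it as a single argv element. `echo` stands in for the real tool so the code runs anywhere; the hostname rule is an assumption of this example.

```python
import re
import subprocess

# Constructed allowlist rule: DNS-style labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def is_valid_hostname(host: str) -> bool:
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None

def echo_host_vulnerable(host: str) -> str:
    # Vulnerable pattern: the field value is pasted into a shell command line, so
    # ';', '|', '&&' or '$(...)' typed by the user are interpreted by /bin/sh.
    # `echo` stands in for a real tool (a lookup or ping) to keep this runnable.
    out = subprocess.run(f"echo {host}", shell=True, capture_output=True, text=True)
    return out.stdout

def echo_host_hardened(host: str) -> str:
    # Hardened: validate against the allowlist, then pass argv as a list so
    # no shell ever parses the value.
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    out = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return out.stdout

def argv_is_inert(host: str) -> bool:
    # Even without validation, a list argv delivers the value as ONE argument:
    # metacharacters come back literally instead of starting a second command.
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout == host + "\n"
```

Running the vulnerable function on `example.com; echo INJECTED` prints two lines, because the shell ran two commands; the list form prints the whole value as one line, and the validator rejects it before any command runs.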

Cross-site scripting

Any application which inserts user input in its output without encoding or validating it first creates a chance for a hacker to distribute malicious code to a different user — a move known as cross-site scripting.

Otherwise known as XSS attacks, these involve seizing opportunities to inject harmful scripts into trusted websites, which then deliver them to the application’s other users.

For those on the receiving end, their browser will go on to execute the harmful script. Both the user and the browser will have no idea that the script is dangerous. All cookies, sensitive data, and more can be accessed. HTML files may even be targeted, with malicious scripts potentially rewriting some of their content before the user realizes anything’s wrong.

Typically, cross-site scripting attacks can be considered “stored” or “reflected”. In the former, a harmful script lurks on a permanent basis, whether in a server, forum, database, etc., until the browser processes a request for the data stored.

In the latter type, harmful scripts are reflected in responses which include input transmitted to the target server, in the form of a search result or warning message.
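An added example (not code from the original post) showing the fix the section describes, output encoding, for both forms: a reflected search term and stored comments rendered for the next visitor. The markup fragments and sample inputs are constructed for this example.

```python
import html

def encode(value: str) -> str:
    # HTML-encode for text and quoted-attribute contexts: < > & " ' become entities.
    return html.escape(value, quote=True)

def render_search_vulnerable(term: str) -> str:
    # Reflected case: the search term is echoed into the response untouched,
    # both in the body text and inside an attribute.
    return f'<p>Results for: {term}</p><input name="q" value="{term}">'

def render_search(term: str) -> str:
    # Reflected case, fixed: encode at the point of output, in every context the value lands in.
    safe = encode(term)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'

def render_comments(comments) -> str:
    # Stored case: comments saved earlier by other users are encoded the same way
    # when the page is rendered for the next visitor.
    return "<ul>" + "".join(f"<li>{encode(c)}</li>" for c in comments) + "</ul>"

def contains_live_script(page: str) -> bool:
    # Crude check used below: an unencoded <script tag survived into the markup.
    return "<script" in page.lower()
```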

XPath injection

Hackers can employ this type of cybersecurity attack when an application utilizes a user’s information to create an XPath query for XML data. These function in a similar manner to the SQL injections covered above — an attacker will distribute corrupted data to an application to identify the way in which its XML data is built. They use a subsequent attack to access the XML data.

As with SQL, XPath is a language in which attackers can specify which attributes they wish to find. Applications utilize a user’s input to create a pattern which the data is supposed to match, and turn this into a process which the hacker aims to apply to the relevant data.

However, unlike SQL, XPath injections can be used on applications relying on XML, no matter how it’s implemented. As a result, hackers can use automated attacks and work towards any number of goals.

Mail command injection

Cybercriminals may choose to leverage this form of attack to take advantage of email applications or servers which build SMTP or IMAP statements with user input which has not been validated effectively.

This is because both types of servers often lack adequate defenses against hackers, and by gaining access to systems via email servers, attackers can avoid security measures (captchas, for example).

So, how do attackers exploit SMTP servers for their own gain? They require a working email account to distribute messages containing injected commands. Vulnerable servers tend to respond to these requests and allow them to override restrictions. Hackers can use it to bombard recipients with spam, further expanding their reach.

With IMAP injection, attackers can exploit applications’ message-read capabilities. All they have to do is submit a URL with relevant injected commands into a web browser’s bar.

CRLF injection

This occurs when an attacker inserts carriage return and line feed characters (CRLF) into fields on website forms. Those characters (which are invisible) mark the end of a command or line in most standard protocols, including NNTP and HTTP.

As an example, inserting a CRLF and some specific HTML code into an HTTP request could lead a website’s visitors to see custom pages. Attackers can target vulnerable applications which fail to filter user input effectively. This opens a site up to other injection attacks (code injections, XSS) and may lead to it becoming hijacked.
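The response-splitting effect described above, as an added example (not code from the original post): a redirect whose Location header is built from a form field, the check that rejects CR/LF before the value reaches the header, and a small parser that splits the result the way a client would. The injected value is constructed for this example.

```python
CRLF = "\r\n"

def is_safe_header_value(value: str) -> bool:
    # CR, LF and NUL must never appear inside a header value: CRLF is what
    # separates headers from one another and from the body.
    return not any(ch in value for ch in "\r\n\0")

def safe_header_value(value: str) -> str:
    if not is_safe_header_value(value):
        raise ValueError("header value contains CR/LF")
    return value

def redirect_vulnerable(location: str) -> str:
    # The form field value is written straight into the Location header.
    return f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}{CRLF}"

def redirect(location: str) -> str:
    # Hardened: the value is checked before it becomes part of the response.
    return f"HTTP/1.1 302 Found{CRLF}Location: {safe_header_value(location)}{CRLF}{CRLF}"

def parse_response(raw: str) -> dict:
    """Split a raw response as a client would, to show what an injected CRLF produces."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}

# Constructed field value: a path, then CRLF, an extra header, a blank line and HTML.
INJECTED = "/home\r\nX-Injected: yes\r\n\r\n<html>attacker-controlled page</html>"
```

Parsing the vulnerable response shows a second header and an HTML body the application never wrote, which is how a visitor ends up seeing a custom page.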

Host header injection

Host headers are essential for servers which host a large number of applications or websites, to identify which of them should process requests coming in. A header’s value informs the server which of the sites or applications should receive the request.

When an invalid host header goes to a server, this is typically sent to the first application or website on the list. This creates a weakness which attackers can leverage to send host headers and manipulate systems.

This is most common with PHP applications, but it can be performed with a variety of web development technologies too. Host header attacks open the door for other attack types, including web-cache poisoning, and could cause negative effects like resetting passwords.
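An added example (not code from the original post) of the usual defence: validating the Host header against an allowlist of the names the deployment actually serves before it is used to build any absolute URL, here a password-reset link. The allowlist and hostnames are constructed for this example.

```python
from typing import Optional

# Constructed allowlist: the names this deployment actually serves.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

def is_trusted_host(host_header: Optional[str]) -> bool:
    """True only when the Host header names a site this server is meant to serve.
    A bracketed IPv6 literal is not handled in this example."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.count(":") == 1:  # strip an explicit port such as :443
        host = host.split(":", 1)[0]
    return host in ALLOWED_HOSTS

def canonical_host(host_header: Optional[str]) -> str:
    if not is_trusted_host(host_header):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    return host_header.strip().lower().split(":", 1)[0]

def reset_link_vulnerable(host_header: str, token: str) -> str:
    # The password-reset URL is built from whatever Host the request carried, so a
    # request with a forged Host puts an attacker-chosen domain into the email.
    return f"https://{host_header}/reset?token={token}"

def reset_link(host_header: str, token: str) -> str:
    # Hardened: the host must be on the allowlist before it is used anywhere.
    return f"https://{canonical_host(host_header)}/reset?token={token}"
```

The same allowlist check should be applied to any forwarding headers (such as X-Forwarded-Host) that a framework consults when it decides what the "current host" is.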

LDAP injection

Finally, let’s talk about LDAP injection.

LDAP is a protocol built to enable resource searching within a network, such as browsing files, devices, etc. Intranets, for example, benefit from this. When used as a component of a single sign-on system, LDAP stores individual usernames and passwords.

An LDAP query uses specific characters to control its behavior, and hackers can transform a query’s behavior by adding their own characters. This is down to ineffectively validated user input: if a user’s text reaches the query before it has been sanitized, the resulting query may bring up a user list for an attacker to see.

All they’d have to do is place an asterisk in a particular place within an input string.
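The asterisk effect, as an added example (not code from the original post): a user filter built with and without RFC 4515 escaping, evaluated by a toy matcher against a constructed directory so the difference in what each filter returns is visible. The directory entries and the matcher are constructed for this example; a real LDAP server does far more than this evaluator.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_filter_vulnerable(username: str) -> str:
    # The raw field value lands inside the filter, so a '*' (or parentheses)
    # typed by the user changes what the query matches.
    return f"(&(objectClass=person)(uid={username}))"

def user_filter(username: str) -> str:
    # Escaped: a typed '*' becomes the literal \2a and only matches a uid of '*'.
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

# Constructed directory entries (sample data, not from the page).
DIRECTORY = [
    {"uid": "alice", "objectClass": "person"},
    {"uid": "bob", "objectClass": "person"},
    {"uid": "svc-backup", "objectClass": "person"},
]

_CLAUSE = re.compile(r"\((\w+)=([^()]*)\)")

def _value_regex(value: str) -> str:
    # Mimic the server's reading of a filter value: '*' is a wildcard,
    # a '\XX' escape is the literal character with that hex code.
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "".join(parts)

def matching_uids(filter_str: str, directory=DIRECTORY) -> list:
    """Toy evaluator for an AND of equality clauses, enough to show how an
    unescaped '*' widens the match to every entry."""
    clauses = _CLAUSE.findall(filter_str)
    return [
        e["uid"] for e in directory
        if all(re.fullmatch(_value_regex(v), str(e.get(a, ""))) for a, v in clauses)
    ]
```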

How to defend against popular types of injections

Injection attacks are targeted at applications and servers with open access to online users, and so application developers and server admins must take responsibility for taking preventative measures.

Developers must recognize dangers related to ineffective user input validation and the best ways to sanitize input to prevent risks. Server admins have to conduct regular audits to pinpoint weaknesses and address them.

DDoS Attack Types Guide

DDoS (Distributed Denial of Service) attacks are a common danger for businesses in the digital age, but how do they work?

A DDoS attack is a cybersecurity attack designed to restrict access to an internet service, rendering targeted platforms, websites, or tools useless. Malicious attackers may achieve this by triggering a temporary interruption or suspension of the hosting server’s services, with wide-ranging impacts.

DDoS attacks are typically launched from multiple devices which have been compromised by the hackers. These tend to have global distribution, as part of what is generally known as a “botnet”. This is different to other denial of service (DoS) attack types, which depend on just one device connected to the internet to send a flood of overwhelming traffic to the targeted website, network, etc. There are three types of DDoS attacks:

Application layer attacks

This type of attack is intended to crash a victim’s web server using requests which appear legitimate and non-malicious. It includes GET/POST, low and slow attacks, and more forms of disruption.

Volume-based attacks

With a volume-based attack, hackers aim to saturate a target website’s bandwidth through ICMP (or Ping) or UDP floods.

Protocol attacks

A protocol attack puts strain on resources (servers, firewalls, load balancers) through fragmented packets, Smurf DDoS, and other attacks.

DDoS types which commonly target businesses

Below, we explore some of the types of DDoS attacks that pose a risk to companies in different sectors.

ICMP flood

An ICMP (or Ping) flood is made to overwhelm a targeted resource with ICMP Echo Request packets. Essentially, unlike other DDoS types, this one sends a high number of packets as quickly as possible — but without taking time to wait for any replies.

As a result, ICMP flood attacks may consume a business’s incoming and outgoing bandwidth as servers will try to use ICMP Echo Reply packets to reply. This can ultimately cause major slowdown in systems.

UDP (User Datagram Protocol) flood

Essentially, a UDP flood is a DDoS attack that sends a storm of UDP packets at random ports on a remote host.

Such an attack causes the host to repeatedly check for an application listening on each of those ports. When no application is found, the host replies with an ICMP “destination unreachable” packet, which consumes resources and can eventually make the host inaccessible.

SYN flood

This DDoS attack type takes advantage of the TCP connection sequence (the three-way handshake), in which a SYN request to open a TCP connection to the target host must be answered with a SYN-ACK reply, which the requester then confirms with an ACK response.

In this DDoS attack type, the requester launches a number of SYN requests but either doesn’t respond to the SYN-ACK replies or sends the requests from a spoofed address. In either case, the host system is left waiting for each request’s acknowledgement, leaving resources bound until no fresh connections can be initiated. This leads to a denial of service.

Slowloris

A Slowloris is an attack designed to help one web server bring another down without having an effect on other ports or services within the network targeted. How? By keeping as many of the target server’s connections open for as long as it can, by making connections to the server but sending just partial requests.

So, a Slowloris keeps sending HTTP headers without ever completing a request, and the server keeps all of them open. Eventually, this creates an overflow in the connection pool and causes denial of additional connections from innocent clients.

POD (Ping of Death)

The so-called ping of death is a DDoS attack type which involves sending several malicious pings to a target computer, giving recipient hosts oversized packets, which overflows those memory buffers which have been allocated for the received packet. This leads to denial of service for any packets which may be legitimate.

This works on the basis that an IP packet’s maximum length is 65,535 bytes, but the Data Link Layer typically imposes a smaller maximum frame size. In ping of death attacks, a packet larger than the limit is split into fragments, and the recipient host reassembles them into the oversized packet.
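An added example (not code from the original post) of the check a receiver can make before reassembling fragments: reject any fragment whose offset plus length would push the rebuilt packet past the 65,535-byte limit the text cites. Fragments are modelled as (offset in 8-byte units, payload length, more-fragments flag) tuples, with a minimal 20-byte header assumed; the sample fragment lists are constructed for this example.

```python
MAX_IP_PACKET = 65535   # bytes: the IPv4 total-length ceiling the text cites
IP_HEADER_LEN = 20      # minimal IPv4 header, assumed for this example

def fragment_end(offset_units: int, payload_len: int) -> int:
    # The fragment-offset field counts 8-byte units of payload; the packet the
    # host would rebuild is header + offset*8 + this fragment's payload.
    return IP_HEADER_LEN + offset_units * 8 + payload_len

def check_fragments(fragments) -> dict:
    """Validate (offset_units, payload_len, more_fragments) tuples before reassembly.
    Returns {"ok": True, "size": n} or {"ok": False, "reason": ...}."""
    frags = sorted(fragments)
    expected = 0
    for offset, length, more in frags:
        if fragment_end(offset, length) > MAX_IP_PACKET:
            return {"ok": False, "reason": "reassembled packet would exceed 65535 bytes"}
        if offset * 8 != expected:
            return {"ok": False, "reason": "gap or overlap between fragments"}
        if more and length % 8:
            return {"ok": False, "reason": "non-final fragment not a multiple of 8 bytes"}
        expected = offset * 8 + length
    if not frags or frags[-1][2]:
        return {"ok": False, "reason": "final fragment missing"}
    return {"ok": True, "size": IP_HEADER_LEN + expected}

# Constructed samples: a 3000-byte ping split at a 1500-byte MTU, and a last
# fragment whose offset plus length overshoots the 65,535-byte limit.
NORMAL_PING = [(0, 1480, True), (185, 1480, True), (370, 40, False)]
OVERSIZED = [(0, 1480, True), (8189, 100, False)]
```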

HTTP flood

Attackers use HTTP floods to target an application or web server by taking advantage of HTTP GET or POST requests which may appear genuine.

This type of attack doesn’t involve malformed packets or spoofing, and puts less strain on bandwidth than other DDoS types. HTTP floods tend to be most impactful when forcing an application or server to allocate all of the resources available in response to all requests.
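Because the requests look genuine, HTTP floods are usually spotted by rate rather than by content. An added example (not code from the original post): a sliding-window counter over access-log lines in common log format that flags any client exceeding a request threshold within a short window. The log lines are constructed for this example, and the window and threshold are assumed values that would need tuning per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)

def flood_sources(lines, window_s: int = 10, threshold: int = 100) -> dict:
    """Return {ip: peak_count} for every client that exceeded `threshold`
    requests inside any `window_s`-second sliding window. Lines are assumed
    to be in chronological order, as they are in a log file."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when = parsed[0], parsed[1]
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def constructed_log() -> list:
    """Constructed sample: one ordinary visitor and one source firing 150
    well-formed GETs at a search endpoint within about eight seconds."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", sec=i * 5, path="/index.html") for i in range(3)]
    lines += [fmt.format(ip="203.0.113.5", sec=i // 20, path=f"/search?q={i}") for i in range(150)]
    return lines
```

Per-IP counting catches a single noisy source; a flood spread across a botnet needs aggregate measures (requests per endpoint, per session, or per behavioural fingerprint) on top of this.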

Zero day

Zero-day DDoS attacks refer to all new or unknown forms of threat which depend on vulnerabilities for which patches are yet to be issued. Hackers regularly exchange zero-day opportunities among themselves.

NTP amplification

Attackers use an NTP amplification to target Network Time Protocol servers and overwhelm them with UDP traffic. These DDoS attacks are described as “amplification”-based because of the query to response ratio.

This tends to be between 1:20 and 1:200 or higher, enabling attackers to achieve major disruption if they have access to multiple open NTP servers.

What causes hackers to launch DDoS attacks?

In a relatively short period, the types of DDoS attacks covered above have become the most common form of cybersecurity risk. Both their number and volume have grown in the past few years: while briefer attacks are the norm, they often involve a larger packet-per-second volume overall.

So, what drives the attackers?

Industry rivalries

Businesses may leverage some of these DDoS attack types to disrupt a competitor’s service or website, to improve their own market performance. For example, one online retailer may employ a DDoS attacker to bring a rival site down ahead of a crucial Black Friday or Cyber Monday sale event.

Divergent beliefs

Some hackers, referred to as “hacktivists”, launch DDoS attacks to disrupt businesses they may disagree with (in terms of workers’ rights, for example).

Cyber attacks on enemy nations

A government may authorize a DDoS attack to cause issues for other countries’ infrastructures or websites, for their own gain.

Extorting money

DDoS attacks may be initiated as a means to secure money from a business, such as through ransomware.

For thrills

Hackers could create and launch their own DDoS attacks to get a short-term rush, with no sympathy for the people they affect.

Container Orchestration – Everything You Need to Know

With container orchestration, users can deploy, manage, scale, and network containers automatically. This is a significant time-saver for companies and hosts depending on the efficient deployment and management of Linux containers.

Container orchestration can be utilized wherever and whenever teams need to employ containers. One benefit of container orchestration is that it allows for the deployment of a single application throughout multiple environments, without it having to be reworked.

Furthermore, container microservices make orchestrating such key aspects as networking, storage, and security simpler.

Containers offer any apps based on microservices a fantastic deployment unit and self-contained environment for executions. This enables teams to run several independent elements of an app in microservices on one piece of hardware, while enjoying better control over the individual components and lifecycles.

Managing containers’ lifecycles with orchestration helps DevOps teams to integrate it with CI/CD workflows. That’s why containerized microservices are fundamental for cloud-native applications, along with APIs (Application Programming Interfaces).

Why teams work with container orchestration

Teams can take advantage of container orchestration for the automation and management of:

  • Allocating resources
  • Scheduling and configuring
  • Finding available containers
  • Provisioning & deployment
  • Routing traffic and balancing loads
  • Scaling/taking out containers according to variable workloads
  • Tracking health of containers
  • Maintaining security between interactions
  • Configuration of applications based on the respective containers chosen to run them

As you can see, container orchestration has the power to streamline processes and save considerable time.

The right tools for container orchestration

Container orchestration tools offer a framework with which to manage any containers as well as microservices design at scale. Various container orchestration tools are available for management of container lifecycles, such as Docker Swarm, Kubernetes, and Apache Mesos.

In a discussion of Apache Mesos vs Docker Swarm vs Kubernetes, the latter may be the most popular.

Kubernetes was originally created and built by Google engineers as an open source project. Google donated Kubernetes to the Cloud Native Computing Foundation back in 2015. This tool enables teams to compose application services across several containers, as well as scheduling containers throughout a cluster, scaling said containers, and managing their individual health conditions down the line.

This tool does away with a lot of manual tasks required to deploy and scale containerized applications. You also have the flexibility to cluster host groups, virtual or physical machines, and run Linux containers. Helpfully, Kubernetes presents users with a platform for efficient, simple cluster management.

Furthermore, this tool helps teams to implement and depend on container-based infrastructure within production spaces. These clusters may be placed across multiple clouds, whether private, public, or hybrid. That’s why Kubernetes is such a terrific platform to host cloud-native apps which demand fast scaling.

Kubernetes helps manage workload portability and balancing loads through movement of applications with no need to redesign them at all.

The key elements of Kubernetes

Kubernetes consists of:

Kubelet

The Kubelet service is based on nodes, and analyzes container manifests to ensure relevant containers start running.

Cluster

A number of nodes, including one or more master nodes and multiple worker nodes.

Master

This is the machine responsible for controlling Kubernetes nodes, and all task assignments come from here.

Pod

This is a group of multiple containers all deployed to an individual node. These containers share an IPC, IP address, and host name (along with additional resources).

How container orchestration functions

Any teams which leverage container orchestration tools (including Kubernetes) will describe an application’s configuration through JSON or YAML files. A configuration file informs the container management tool where container images are located. It also specifies how networking is established and where logs should be placed.

In the implementation of a new container, the container management tool will schedule the deployment to a designated cluster in an automated process. It will also locate the right host, and take the specific requirements or limitations into account. After this, the orchestration tool handles managing the container lifecycle according to the specifications determined within the compose file.

Teams can utilize Kubernetes patterns for management of container-based applications or services, across configuration, lifecycle, and scaling. A Kubernetes developer depends on these repetitive patterns to build a complete system.

Container orchestration may be leveraged in a setting which requires utilization of containers, such as for on-site servers or private/public cloud processes.