DANISH INAMDAR, profile picture
Uploaded byDANISH INAMDAR
PPTX, PDF876 views

Injection flaws

Injection flaws are security vulnerabilities that allow attackers to exploit user input to execute malicious code within a web application. Different types of injection flaws include SQL, command, HTML, LDAP, XML, and IMAP/SMTP injections, each targeting specific subsystems of the application. Protecting against these vulnerabilities requires secure coding practices, use of secure APIs, and the implementation of Runtime Application Self Protection (RASP) measures.

Presentations & Public Speaking
Related topics:
Web Application Security
In this document
Powered by AI

Explains injection flaws as security vulnerabilities that allow malicious code to compromise applications.

Identifies signs of vulnerability such as unchecked user input and dynamic queries leading to security risks.

Lists various injection flaws including SQL, Command, HTML, LDAP, XML, and IMAP/SMTP injections.

Discusses SQL injection, allowing direct database access, issuing CRUD statements through dynamic scripts.

Describes command injection vulnerabilities where web applications can execute operating system commands.

Explains HTML injections which can include malicious tags, enabling phishing attacks and XSS risks.

Describes XML injection risks in web apps, particularly when converting parameters to XML for backend services.

Explains LDAP injection affecting directory access protocols, which may expose confidential user data.

Discusses IMAP/SMTP injection threats targeting webmail applications that fail to sanitize input properly.

Analyzes the current state of web framework security, highlighting pitfalls with CSRF tokens and ORM use.

Outlines the limitations of Web Application Firewalls, which often rely on blacklists rather than detecting vulnerabilities.

Introduces Runtime Application Self Protection, which detects and prevents attacks with minimal performance impact.

Explores RASP by API instrumentation, focusing on methods like monkey patching and token generation for added security.

Describes the challenges in implementing RASP, including performance impact and the need for easy deployment.

Wraps up the presentation, providing closing remarks on injection flaws and security measures.

Embed presentation

Downloaded 24 times
INJECTION FLAWS DANISH INAMDAR Security Researcher
What are Injection Flaws??  Injection flaws are a class of security vulnerability that allows a user to “break out” of the web application context.  Weakness in an application whereby foreign input subverts the otherwise legitimate use of a subsystem.  Injection flaws allow attackers to relay malicious code through an application to another system
Is Your Web App Vulnerable to Injection?  User Supplied data is not validated , filtered or sanitized by Application.  Hostile data is supplied directly to dynamic queries or non parameterized calls for the interpreter without context-aware escaping.  Hostile data is used with ORM search parameters such that search evaluates out to include sensitive or all records.
Different types of Injection flaws Different subsystems == Different flaws  SQL Injection  Command Injection  HTML Injection  LDAP Injection  XML Injection  IMAP/SMTP Injection
SQL Injection: Database Query  Dynamic script to look into database  “Direct” access to database  Possible to issue CRUD statements and many more….
SQL Injection : Query database
Command Injection  Web application performs operating system tasks  Execute external programs/script  List files etc. ping –c <user_input> Protection using Command Execution API os.system(ping –c 127.0.0.1)
HTML Injection  Possible to include HTML Tags like iframe , fake forms, XSS also possible….  Can be used in phishing attacks
XML Injection  Web App talks to backend web services  Web app’s logic converts parameter’s to XML web services (as SOAP,…)
XML Injection
LDAP Injection  Lightweight Directory Access protocol  It is used to access information directories like users, user information, software, computers.
LDAP Injection  Insert Special characters like(*,|,&,…) leading to exposure of user’s confidential data
IMAP/SMTP Injection  This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications.  We need to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.
State of Web framework Security  Anti CSRF tokens – can easily turned off/miss-configurations  Templates escapes user input – just HTML escape ->XSS  Uses ORM – SQLi still possible https://rails-sqli.org/  We need to use secure APIs or write secure code
Can WAF solve the problem?  Web Application Firewalls are for Attack Detection and Prevention  Most of WAFs use blacklists. No vulnerability detection.
Protect Exploitation : RASP Runtime Application Self Protection • Detect both Attacks and Vulnerability • No Hardware Requirements • Inject Security at Runtime • Applies defense inside the application • Zero code Modification and Easy Integration • No use of Blacklists
RASP by API Instrumentation and Dynamic White-list  Monkey Patching  Lexical Analysis and Token Generation  Context Determination
Challenges  Ideal RASP should have minimum performance impact.  Need to do adapt more secure techniques in combination with RASP.  Minimal configuration and Easy Deployment.  Implementing Preventing measures to avoid session Hijacking, Credentials etc.
Thank You

More Related Content

PPTX
Proxy Presentation
byprimeteacher32
 
PPTX
Dom based xss
byLê Giáp
 
PPTX
Xss attack
byManjushree Mashal
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
PPTX
Access Control List (ACL)
byISMT College
 
PPTX
Web api
bySudhakar Sharma
 
PDF
REST API and CRUD
byPrem Sanil
 
PPTX
REST & RESTful Web Services
byHalil Burak Cetinkaya
 
Proxy Presentation
byprimeteacher32
 
Dom based xss
byLê Giáp
 
Xss attack
byManjushree Mashal
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
Access Control List (ACL)
byISMT College
 
Web api
bySudhakar Sharma
 
REST API and CRUD
byPrem Sanil
 
REST & RESTful Web Services
byHalil Burak Cetinkaya
 

What's hot

PDF
Web Application Security 101
byCybersecurity Education and Research Centre
 
PDF
Web Application Penetration Testing
byPriyanka Aash
 
PPTX
Sql injection
byNuruzzaman Milon
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
PPTX
Network Security
bymoviebro1
 
PDF
F5 DDoS Protection
byMarketingArrowECS_CZ
 
PPTX
WLAN Attacks and Protection
byChandrak Trivedi
 
PPTX
REST API Design & Development
byAshok Pundit
 
PPTX
Sqlmap
byInstitute of Information Security (IIS)
 
PPTX
OAuth2 + API Security
byAmila Paranawithana
 
PPTX
Publish Subscribe pattern - Design Patterns
byRutvik Bapat
 
PPTX
An Introduction To REST API
byAniruddh Bhilvare
 
PPTX
WEP/WPA attacks
byHuda Seyam
 
PPTX
Wireless Network Security
bykentquirk
 
PPTX
REST-API introduction for developers
byPatrick Savalle
 
PPTX
REST API
byTofazzal Ahmed
 
PPTX
DNS spoofing/poisoning Attack
byFatima Qayyum
 
PPTX
NMap
byPritesh Raka
 
PPT
Java Servlets
byBG Java EE Course
 
PPTX
Http protocol
byArpita Naik
 
Web Application Security 101
byCybersecurity Education and Research Centre
 
Web Application Penetration Testing
byPriyanka Aash
 
Sql injection
byNuruzzaman Milon
 
Sql injection in cybersecurity
bySanad Bhowmik
 
Network Security
bymoviebro1
 
F5 DDoS Protection
byMarketingArrowECS_CZ
 
WLAN Attacks and Protection
byChandrak Trivedi
 
REST API Design & Development
byAshok Pundit
 
Sqlmap
byInstitute of Information Security (IIS)
 
OAuth2 + API Security
byAmila Paranawithana
 
Publish Subscribe pattern - Design Patterns
byRutvik Bapat
 
An Introduction To REST API
byAniruddh Bhilvare
 
WEP/WPA attacks
byHuda Seyam
 
Wireless Network Security
bykentquirk
 
REST-API introduction for developers
byPatrick Savalle
 
REST API
byTofazzal Ahmed
 
DNS spoofing/poisoning Attack
byFatima Qayyum
 
NMap
byPritesh Raka
 
Java Servlets
byBG Java EE Course
 
Http protocol
byArpita Naik
 

Similar to Injection flaws

PPT
Web Application Security
byAbdul Wahid
 
PPT
Secure code practices
byHina Rawal
 
PPT
OWASP Top 10 And Insecure Software Root Causes
byMarco Morana
 
PDF
OWASP Top 10 Project
byMuhammad Shehata
 
PDF
Web vulnerabilities
byKrishna Gehlot
 
PDF
Owasp Top 10
byGaurav Narwani
 
PPTX
CyberSecurityppt. pptx
byiamayesha2526
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
PPTX
Owasp Top 10 2017
bySamsonMuoki
 
PDF
Owasp Top 10-2013
byn|u - The Open Security Community
 
DOCX
supraja technologies material for secure coding
bySri Latha
 
PDF
Owasp top 10_openwest_2019
bySean Jackson
 
DOCX
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
byAjith Kp
 
PDF
Owasp top 10 vulnerabilities 2013
byVishrut Sharma
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
PPT
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
PDF
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 
DOC
Attackers Vs Programmers
byrobin_bene
 
PDF
Owasp top 10 2013
byEdouard de Lansalut
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 
Web Application Security
byAbdul Wahid
 
Secure code practices
byHina Rawal
 
OWASP Top 10 And Insecure Software Root Causes
byMarco Morana
 
OWASP Top 10 Project
byMuhammad Shehata
 
Web vulnerabilities
byKrishna Gehlot
 
Owasp Top 10
byGaurav Narwani
 
CyberSecurityppt. pptx
byiamayesha2526
 
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
Owasp Top 10 2017
bySamsonMuoki
 
Owasp Top 10-2013
byn|u - The Open Security Community
 
supraja technologies material for secure coding
bySri Latha
 
Owasp top 10_openwest_2019
bySean Jackson
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
byAjith Kp
 
Owasp top 10 vulnerabilities 2013
byVishrut Sharma
 
Owasp top 10 2017
byibrahimumer2
 
Web Application Testing for Today’s Biggest and Emerging Threats
byAlan Kan
 
Injecting Security into Web apps at Runtime Whitepaper
byAjin Abraham
 
Attackers Vs Programmers
byrobin_bene
 
Owasp top 10 2013
byEdouard de Lansalut
 
Presentation on Top 10 Vulnerabilities in Web Application
byMd Mahfuzur Rahman
 

Recently uploaded

PDF
Digital Finance Summit 2025 - Lauren, Sylvain and Florence (Approach Cyber)
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
PDF
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
PDF
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Kris Boudt and Ann Marcelle
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
PPTX
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 
PPTX
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
PPT
Fast approximate minimum spanning tree based clustering algorithm
byMd. Shakil Hossain
 
PPTX
Digital Marketing for a mnc company.pptx
bybcabcu20222025
 
DOCX
The Benefits of Using Old Gmail Accounts for Quick Verification.docx
bysmmtrust service
 
PPTX
How to Insert Notes in PowerPoint (Step-by-Step Guide 2025)
byTeresa Garcia
 
PPTX
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
PDF
Finale Group Project UW- Uyghur Muslims.pdf
bykarlas39
 
PPTX
2025-12-07 Moses 10 (shared slides).pptx
byDale Wells
 
PPTX
Bob Stewart Unexpected Arrival 12 07 2025.pptx
byFamilyWorshipCenterD
 
Digital Finance Summit 2025 - Lauren, Sylvain and Florence (Approach Cyber)
byFinTech Belgium
 
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
Digital Finance Summit 2025 - Kris Boudt and Ann Marcelle
byFinTech Belgium
 
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
Fast approximate minimum spanning tree based clustering algorithm
byMd. Shakil Hossain
 
Digital Marketing for a mnc company.pptx
bybcabcu20222025
 
The Benefits of Using Old Gmail Accounts for Quick Verification.docx
bysmmtrust service
 
How to Insert Notes in PowerPoint (Step-by-Step Guide 2025)
byTeresa Garcia
 
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
Finale Group Project UW- Uyghur Muslims.pdf
bykarlas39
 
2025-12-07 Moses 10 (shared slides).pptx
byDale Wells
 
Bob Stewart Unexpected Arrival 12 07 2025.pptx
byFamilyWorshipCenterD
 

Injection flaws

  • 1.
  • 2.
    What are InjectionFlaws??  Injection flaws are a class of security vulnerability that allows a user to “break out” of the web application context.  Weakness in an application whereby foreign input subverts the otherwise legitimate use of a subsystem.  Injection flaws allow attackers to relay malicious code through an application to another system
  • 3.
    Is Your WebApp Vulnerable to Injection?  User Supplied data is not validated , filtered or sanitized by Application.  Hostile data is supplied directly to dynamic queries or non parameterized calls for the interpreter without context-aware escaping.  Hostile data is used with ORM search parameters such that search evaluates out to include sensitive or all records.
  • 4.
    Different types ofInjection flaws Different subsystems == Different flaws  SQL Injection  Command Injection  HTML Injection  LDAP Injection  XML Injection  IMAP/SMTP Injection
  • 5.
    SQL Injection: DatabaseQuery  Dynamic script to look into database  “Direct” access to database  Possible to issue CRUD statements and many more….
  • 6.
    SQL Injection :Query database
  • 7.
    Command Injection  Webapplication performs operating system tasks  Execute external programs/script  List files etc. ping –c <user_input> Protection using Command Execution API os.system(ping –c 127.0.0.1)
  • 8.
    HTML Injection  Possibleto include HTML Tags like iframe , fake forms, XSS also possible….  Can be used in phishing attacks
  • 9.
    XML Injection  WebApp talks to backend web services  Web app’s logic converts parameter’s to XML web services (as SOAP,…)
  • 10.
  • 11.
    LDAP Injection  LightweightDirectory Access protocol  It is used to access information directories like users, user information, software, computers.
  • 12.
    LDAP Injection  InsertSpecial characters like(*,|,&,…) leading to exposure of user’s confidential data
  • 13.
    IMAP/SMTP Injection  Thisthreat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications.  We need to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.
  • 14.
    State of Webframework Security  Anti CSRF tokens – can easily turned off/miss-configurations  Templates escapes user input – just HTML escape ->XSS  Uses ORM – SQLi still possible https://rails-sqli.org/  We need to use secure APIs or write secure code
  • 15.
    Can WAF solvethe problem?  Web Application Firewalls are for Attack Detection and Prevention  Most of WAFs use blacklists. No vulnerability detection.
  • 16.
    Protect Exploitation :RASP Runtime Application Self Protection • Detect both Attacks and Vulnerability • No Hardware Requirements • Inject Security at Runtime • Applies defense inside the application • Zero code Modification and Easy Integration • No use of Blacklists
  • 17.
    RASP by APIInstrumentation and Dynamic White-list  Monkey Patching  Lexical Analysis and Token Generation  Context Determination
  • 21.
    Challenges  Ideal RASPshould have minimum performance impact.  Need to do adapt more secure techniques in combination with RASP.  Minimal configuration and Easy Deployment.  Implementing Preventing measures to avoid session Hijacking, Credentials etc.
  • 22.