Application Exploits, Part I
APPLICATION-BASED EXPLOITS
- Injection attack
- Inserting additional data into application beyond what is expected
- SQL (Structured Query Language)
- Adding specially crafted SQL input to extract/modify data or execute commands
- HTML
- Adding HTML code/submitting data to change how a page works or the data is handled
INJECTIONS, cont'd
- Command
- Adding command line options that change the way commands operate
- Code
- A generalization of SQL injection - adding code in any language to change a program's behavior
QUICK REVIEW
- Injection attacks provide specially crafted input to applications.
- Injection attacks depend on an application's failure to properly validate input data
- Results can include crashing a service or making it unresponsive
- Some injection attacks can provide privilege escalation