📄️ SQL Injection (SQLi)
SQL Injection (SQLi) is a code injection technique that allows an attacker to interfere with the queries an application makes to its database. This enables them to view data they are not normally able to retrieve, alter sensitive information, execute administrative operations on the database, and in some cases, issue commands to the operating system. SQLi remains one of the most critical and widespread web vulnerabilities.
📄️ Command Injection
Command Injection (also known as OS Command Injection) is an attack where the attacker executes arbitrary operating system commands on the host server by injecting them into an application's input fields. This vulnerability arises when a web application passes unsanitized user-supplied data to a system shell, allowing attackers to manipulate the commands executed by the server. This can lead to full system compromise.
📄️ XML External Entity - XXE
XXE (XML External Entity) Injection is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It occurs when an XML parser processes external entity references within an XML input without proper security configurations. This can lead to the disclosure of confidential data, denial of service, server-side request forgery (SSRF), and even remote code execution (RCE) in some cases.
📄️ SSTI (Server-Side Template Injection)
Server-Side Template Injection (SSTI) is a vulnerability that occurs when an attacker can inject malicious template syntax into an application, which the server then processes and executes. This allows the attacker to execute arbitrary code, manipulate data, or gain full control over the server. SSTI arises when user-supplied input is directly embedded into a template without proper sanitization, and that template is subsequently rendered server-side.
📄️ LDAP Injection
LDAP (Lightweight Directory Access Protocol) Injection is a code injection technique that exploits applications that construct LDAP statements from user-supplied input without proper sanitization. Attackers can inject malicious LDAP queries to read, modify, or delete sensitive information stored in the LDAP directory, or even to bypass authentication, similar to SQL Injection.