SQL Injection ~(SQLi) Injection
Injects SQL commands that can read or modify data from a database. Advanced variations of this attack can be used to write arbitrary files to the server and even execute OS commands which may lead to full system compromise.
POTENTIAL IMPACT: Authentication bypass, Information disclosure, Data loss, Data theft, Loss of data integrity, Denial of service, Full system compromise.
Code Injection ~CI Attacks
Injects application code which can execute operating system commands as the user running the web application. Advanced attacks can make use of privilege escalation vulnerabilities to gain even higher privileges if necessary, which may lead to full system compromise.
POTENTIAL IMPACT: Full system compromise
CRLF Injection
Injects an unexpected CRLF (Carriage Return and Line Feed) character sequence used to split an HTTP response header and write arbitrary contents to the response body, including Cross-site Scripting (XSS).
POTENTIAL IMPACT: Cross-site Scripting (XSS)
Cross-site Scripting ~ (XSS)
Injects arbitrary JavaScript into a legitimate website or web application which is then executed inside a victim’s browser.
POTENTIAL IMPACT: Account impersonation, Defacement, Run arbitrary JavaScript in the victim’s browser
Email ~(Mail command/SMTP) Injection
Injects IMAP/SMTP statements to an email server that is not directly available via a web application.
POTENTIAL IMPACT: Spam relay, Information disclosure
Host Header Injection
Abuses the implicit trust of the HTTP Host Header to poison password-reset functionality and poison web caches.
POTENTIAL IMPACT: Password-reset poisoning, Cache poisoning
Lightweight Directory Access Protocol ~(LDAP) Injection
Injects LDAP (Lightweight Directory Access Protocol) statements to execute arbitrary LDAP commands including granting permissions and modifying the contents of an LDAP tree.
POTENTIAL IMPACT: Authentication bypass, Privilege escalation, Information disclosure
OS Command Injection
Injects operating system commands as the user running the web application. Advanced variations of this attack can leverage privilege escalation vulnerabilities which may lead to full system compromise.
POTENTIAL IMPACT: Full system compromise
XPath Injection
Inject data into an application to execute crafted XPath queries which can be used to access unauthorized data and bypass authentication.
POTENTIAL IMPACT: Information disclosure, Authentication bypass