Recognizing Similar Injection Attacks

Previous page
Table of content
Next page

You might have noticed throughout this book that there is a common attack theme when user data is used as part of an applications logic. For example, Chapter 10 discusses HTML scripting attacks in which attacker-supplied data is able to inject script in an applications HTML. As a tester, you should think about how your application uses data and ways that malicious data can be injected. SQL injection is just another type of attack that is caused by mixing user data with application logic, and there are other similar examples. By no means are these the only technologies that are vulnerable to injection attacks:

  • XPath injection   XPath is a language that allows querying data from an XML document instead of a database.

    Chapter 11, XML Issues, discusses XPath injection. You can also read more about XPath injection at http://www.webappsec.org/projects/threat/classes/xpath_injection.shtml .

  • LDAP injection   Lightweight Directory Access Protocol (LDAP) is used for accessing information directories and provides a method of querying and modifying the data. Refer to http://www.spidynamics.com/whitepapers/LDAPinjection.pdf for more information about LDAP injection.


Previous page
Table of content
Next page
Hunting Security Bugs
Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156
Authors: Tom Gallagher, Lawrence Landauer, Bryan Jeffries
BUY ON AMAZON
Strategies for Information Technology Governance
VBScript Programmers Reference
C++ GUI Programming with Qt 3
Ruby Cookbook (Cookbooks (OReilly))
VBScript in a Nutshell, 2nd Edition
Python Standard Library (Nutshell Handbooks) with
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy