Chapter 19 Key Takeaways: Injection Attacks
Core Concepts
- All injection shares one root cause: user-supplied data is treated as interpreter code. Whether the interpreter is a SQL engine, a shell, an LDAP server, or a template engine, the vulnerability arises from the same failure to keep data separate from commands.
- SQL injection exists on a spectrum: from UNION-based extraction (query results returned directly in the response) to boolean-based blind (one true/false question per request) to time-based blind (the answer is inferred from a response delay) to out-of-band (data exfiltrated through DNS or HTTP requests the database server is made to issue). The technique you use depends on how much of the query's result the application reveals.
- NoSQL does not mean no injection. MongoDB and other document databases have their own injection vectors. Operator injection (`$ne`, `$gt`, `$regex`) can bypass authentication and extract data whenever the application passes a user-controlled object straight into a query filter. Always validate input types, not just values: a login handler that expects a string must reject an object such as `{"$ne": ""}`.
- Command injection is immediately catastrophic. Unlike SQL injection, which targets data (although it can sometimes be escalated to command execution on the database host), command injection grants arbitrary OS command execution outright. The attacker moves from web application compromise to full server compromise in a single step. Never pass user input to a shell; if a subprocess is unavoidable, invoke it with an argument list, without a shell, and allowlist every argument.
- Parameterized queries are the definitive defense against SQL injection. Not input validation alone, not WAFs, not denylisting: parameterized queries structurally prevent the interpreter from treating data as code. Every database interaction should use them without exception. The one caveat is that placeholders bind values only; table and column names (for example a user-selected sort column) cannot be parameterized and must be checked against a fixed allowlist instead.
- Automated tools amplify human testing. sqlmap and Commix automate the tedious parts of injection testing (column counting, blind extraction, WAF bypass), but they must be used responsibly, within the scope of your authorization, and guided by a manual understanding of the target.
Practical Skills Acquired
- Performing UNION-based SQL injection to extract arbitrary database data
- Conducting boolean-based and time-based blind SQL injection for data extraction
- Exploiting NoSQL injection in MongoDB using operator injection
- Identifying and exploiting OS command injection in web applications
- Detecting SSTI and escalating to remote code execution
- Using sqlmap effectively with appropriate levels and techniques
- Implementing comprehensive injection defenses across multiple interpreter types
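MongoDB operator injection from the Core Concepts list, as an added example rather than code from the chapter: an authentication bypass with `$ne`, blind password extraction with `$regex`, and the type check that stops both. To keep the block runnable offline, a minimal matcher stands in for MongoDB's filter evaluation and implements only equality plus the three operators discussed; that matcher, the `USERS` collection and the `hunter2` password are assumptions, not MongoDB's real code or the chapter's data.

```python
import re

# Constructed sample collection (assumption: stands in for a MongoDB users
# collection; clear-text passwords only to keep the demonstration short).
USERS = [
    {"username": "admin", "password": "hunter2"},
    {"username": "alice", "password": "letmein"},
]

# Minimal stand-in for MongoDB filter evaluation: equality, $ne, $gt, $regex.
# Assumption made so the example runs offline; it is not MongoDB's matcher.
def matches(doc_value, condition):
    if isinstance(condition, dict):
        for op, arg in condition.items():
            if op == "$ne":
                ok = doc_value != arg
            elif op == "$gt":
                ok = doc_value > arg
            elif op == "$regex":
                ok = re.search(arg, doc_value) is not None
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
        return True
    return doc_value == condition

def find(collection, query):
    return [d for d in collection if all(matches(d.get(k), v) for k, v in query.items())]

# Vulnerable login: the decoded JSON body goes straight into the filter, so a
# client that sends an object where a string is expected supplies operators.
def login_vulnerable(body):
    return find(USERS, {"username": body["username"], "password": body["password"]})

# Fixed: enforce the expected types before the values reach the query.
def login_safe(body):
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise TypeError("username and password must be strings")
    return find(USERS, {"username": username, "password": password})

# Bypass: "password not equal to the empty string" is true for every real password.
# {"$gt": ""} would work the same way.
BYPASS = {"username": "admin", "password": {"$ne": ""}}

# Blind extraction: $regex anchored at the start of the string turns the login
# endpoint into a yes/no oracle; extend the known prefix one character at a time.
def extract_password(username, charset="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32):
    prefix = ""
    while len(prefix) < max_len:
        for ch in charset:
            probe = {"username": username,
                     "password": {"$regex": "^" + re.escape(prefix + ch)}}
            if login_vulnerable(probe):
                prefix += ch
                break
        else:
            break  # no character extends the prefix: the full password is known
    return prefix

if __name__ == "__main__":
    print("bypass:", login_vulnerable(BYPASS))
    print("extracted:", extract_password("admin"))
```

Note that `login_safe` rejects the payload before any query is built; validating the value of a string (length, character set) would not have helped, because the problem is the type.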
Defense Hierarchy (Most to Least Effective)
- Parameterized queries / Safe APIs (structural prevention)
- Input validation via allowlisting (reduces attack surface)
- Least privilege (limits impact of successful injection)
- Web application firewall (catches common patterns)
- Monitoring and alerting (detects exploitation in progress)
- Input denylisting (fragile, easily bypassed; last resort)
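The top two layers of the hierarchy applied to the OS command injection discussed under Core Concepts: a vulnerable `shell=True` call beside the safe argument-list API, plus an allowlist for the one user-controlled argument. This is an added example, not code from the chapter; the line-counting feature, the filename rule and the `/dev/null; echo INJECTED` payload are assumptions. It needs a POSIX shell and `wc`, which the vulnerable function invokes on purpose.

```python
import re
import subprocess

# Vulnerable: the filename is spliced into a shell command line, so shell
# metacharacters (; | & $( ) `) in it become additional commands.
def count_lines_vulnerable(path):
    result = subprocess.run(f"wc -l {path}", shell=True,
                            capture_output=True, text=True)
    return result.stdout

# Layer 1, safe API: no shell at all. The path is a single argv element, so
# metacharacters are just characters in a (nonexistent) filename.
def count_lines_safe(path):
    result = subprocess.run(["wc", "-l", path], capture_output=True, text=True)
    return result.stdout

# Layer 2, allowlist validation: the feature only ever reads report files, so
# accept nothing but a plain basename built from a fixed character set.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")

def validate_report_name(name):
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {name!r}")
    return name

def count_report_lines(name):
    # Validate first, then call the safe API; each layer holds on its own.
    return count_lines_safe(validate_report_name(name))

# Constructed payload: terminates the intended command and starts another.
PAYLOAD = "/dev/null; echo INJECTED"

if __name__ == "__main__":
    print("shell=True  :", count_lines_vulnerable(PAYLOAD))
    print("argv list   :", repr(count_lines_safe(PAYLOAD)))
    try:
        count_report_lines(PAYLOAD)
    except ValueError as exc:
        print("allowlist   :", exc)
```

The third layer, least privilege, is not code in the application: run the process that spawns `wc` as an unprivileged account (or in a container with nothing else in it), so that an injection which slips past both layers above still cannot reach the rest of the host.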
Connections to Other Chapters
- Chapter 18: HTTP request manipulation via Burp Suite Repeater is the primary method for injection testing, and the reconnaissance techniques from that chapter are how injection points (parameters, headers, cookies, JSON fields) are identified in the first place.
- Chapter 20: XSS (covered next) is conceptually related; it is "injection into the browser." The defense principles (validation, output encoding) are analogous.
- Post-exploitation chapters: Command execution obtained through OS command injection, or through a SQL injection escalated to command execution on the database host, leads directly to the post-exploitation techniques covered in later chapters (privilege escalation, lateral movement, persistence).