Penetration Test

Application Exploits, Part I

APPLICATION-BASED EXPLOITS
  • Injection attack
    • Inserting additional data into an application beyond what is expected
    • SQL (Structured Query Language)
      • Adding specially crafted SQL input to extract/modify data or execute commands
    • HTML
      • Adding HTML code/submitting data to change how a page works or the data is handled
INJECTIONS, cont'd
  • Command
    • Adding command line options that change the way commands operate
  • Code
    • A generalization of SQL injection - adding code in any language to change a program's behavior
QUICK REVIEW
  • Injection attacks provide specially crafted input to applications.
  • Injection attacks depend on an application's failure to properly validate input data.
  • Results can include crashing a service or making it unresponsive.
  • Some injection attacks can provide privilege escalation.
Original article: https://www.cnblogs.com/keepmoving1113/p/13697808.html