Unit-6 Discussion Forum

Uploaded by

Thuta Tun

Vulnerabilities that Allow the Attack

Injection vulnerabilities occur when untrusted data, such as user input, is used in application commands without proper validation, filtering, or escaping. A common example is SQL injection, where attackers manipulate dynamic queries to execute unintended actions in the database (A03 Injection - OWASP Top 10:2021, n.d.). For instance, if an application takes user input directly to form a SQL query without parameterization, attackers can modify the input to perform malicious activities. This vulnerability exists because the application fails to separate user data from the code it executes.

Purpose of the Attack

The main goal of injection attacks is to take control of an application's database or server by executing unauthorized commands. Attackers can retrieve, alter, or delete sensitive data, disrupt operations, or even gain administrative access. A simple SQL injection, for instance, could allow attackers to dump an entire database or change stored information (A03 Injection - OWASP Top 10:2021, n.d.). In the worst-case scenario, the attack can lead to full system compromise.

Countermeasures to Mitigate and Prevent the Attack

Preventing injection attacks involves ensuring that user-supplied data is kept separate from commands or queries. Parameterized queries, stored procedures, and Object Relational Mapping (ORM) tools are some effective strategies. Additionally, input validation should be performed on the server side to filter out any dangerous characters, though this alone is not enough (A03 Injection - OWASP Top 10:2021, n.d.). Special care must be taken in cases where applications accept inputs with special characters. Using SQL controls like LIMIT can also restrict the scope of any potential attack by limiting the amount of data returned.
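The following added example (not part of the original post) puts a string-concatenated lookup next to its parameterized equivalent on a constructed in-memory SQLite table, so the difference described above can be observed directly: the same crafted input returns every row from the concatenated query and no rows from the parameterized one, and a bound LIMIT caps what any single lookup can return.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the original post.
SAMPLE_USERS = [
    ("alice@example.com", "555-0100"),
    ("bob@example.com", "555-0101"),
    ("carol@example.com", "555-0102"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users (email, phone) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, email):
    """Vulnerable form: the user value is spliced into the SQL text, so the
    database cannot tell where the data ends and the command begins."""
    sql = "SELECT email, phone FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email, limit=1):
    """Hardened form: the query shape is fixed and the driver sends the value
    separately, so it is only ever compared as data. The bound LIMIT also
    restricts how many rows one lookup can return."""
    sql = "SELECT email, phone FROM users WHERE email = ? LIMIT ?"
    return conn.execute(sql, (email, limit)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    normal = "alice@example.com"
    # Input that closes the string literal and appends an always-true condition.
    crafted = "x' OR '1'='1"
    print(lookup_concatenated(conn, normal))    # one row
    print(lookup_concatenated(conn, crafted))   # all three rows: data became code
    print(lookup_parameterized(conn, normal))   # one row
    print(lookup_parameterized(conn, crafted))  # []: no user has that literal email
```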

Recent Example of the Attack

A significant SQL injection attack was reported between November and December 2023, where a hacking group named ResumeLooters compromised over 65 websites and stole more than two million email addresses and personal information. The hackers primarily used SQL injection to extract sensitive data from databases, targeting retail and recruitment websites across countries such as India, Taiwan, Thailand, and others. ResumeLooters sold the stolen data in Chinese-speaking hacking groups; the data included emails, phone numbers, and employment history of job seekers. This attack, fueled by poor security practices, highlights how easily accessible tools can cause extensive damage when proper countermeasures are not in place (Arghire, 2024).

Word Count: 385

References:

Arghire, I. (2024, February 6). Millions of user records stolen from 65 websites via SQL injection attacks. SecurityWeek. https://www.securityweek.com/millions-of-user-records-stolen-from-65-websites-via-sql-injection-attacks/

A03 Injection - OWASP Top 10:2021. (n.d.). https://owasp.org/Top10/A03_2021-Injection/
