
Wikipedia_programming


Code injection. Injection flaws occur when an application sends untrusted data to an interpreter.

Code injection

Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments; and similar places where application data is handed to an interpreter. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.[1] Injection can result in data loss or corruption, lack of accountability, or denial of access.

Vulnerability (computing). Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.[2] This practice generally refers to software vulnerabilities in computing systems.

Vulnerability (computing)

A security bug (security defect) is a narrower concept: not every vulnerability is a software flaw. Hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs. Constructs in programming languages that are difficult to use properly can be a large source of vulnerabilities. ISO 27005 defines vulnerability as:[3]

SQL injection. A classification of SQL injection attack vectors as of 2010.

SQL injection

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. In a 2012 study, it was observed that the average web application received 4 attack campaigns per month, and retailers received twice as many attacks as other industries.[2]
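The following is an added example, not code from the original page or from Wikipedia, that ties the two sections together: an application concatenating untrusted input into SQL text (the "untrusted data sent to an interpreter" of the Code injection section) and the concrete outcomes listed above for SQL injection, namely spoofing identity, disclosing every row, and changing balances. The `accounts` table, its three rows, and all function names are constructed for this illustration; the interpreter is SQLite via Python's standard `sqlite3` module, so it runs offline.

```python
import sqlite3

# Constructed sample data for this example (not from the page).
SAMPLE_ROWS = [
    ("alice", "s3cret", 100),
    ("bob", "hunter2", 50),
    ("admin", "correct-horse", 1000),
]


def make_db():
    """In-memory database with a tiny accounts table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Injection flaw: the user's input is spliced into the SQL text, so the
    SQL parser sees quotes, comments and operators the attacker supplies."""
    sql = (
        "SELECT username FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterized query: input is bound as a value and never parsed as SQL,
    so a quote or '--' in the input is just characters to compare against."""
    rows = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


def credit_vulnerable(conn, username, amount):
    """Same flaw in an UPDATE: an injected OR widens the WHERE clause so every
    balance changes. Returns the number of rows modified."""
    sql = "UPDATE accounts SET balance = balance + %d WHERE username = '%s'" % (
        amount,
        username,
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def credit_safe(conn, username, amount):
    """Parameterized UPDATE: only the literally matching username is touched."""
    cur = conn.execute(
        "UPDATE accounts SET balance = balance + ? WHERE username = ?",
        (amount, username),
    )
    conn.commit()
    return cur.rowcount


def balances(conn):
    """Snapshot of all balances, used to observe what an UPDATE did."""
    return dict(
        conn.execute("SELECT username, balance FROM accounts ORDER BY username").fetchall()
    )


def demo():
    """Run each attack string against both versions and collect the outcomes."""
    conn = make_db()
    spoof = "admin' --"          # comments out the password check
    tautology = "' OR '1'='1"    # makes the WHERE clause true for every row
    results = {
        "spoof_vulnerable": login_vulnerable(conn, spoof, "wrong"),
        "spoof_safe": login_safe(conn, spoof, "wrong"),
        "dump_vulnerable": sorted(login_vulnerable(conn, tautology, tautology)),
        "dump_safe": login_safe(conn, tautology, tautology),
        "credit_vulnerable_rows": credit_vulnerable(conn, "x" + tautology, 10),
        "balances_after_vulnerable": balances(conn),
        "credit_safe_rows": credit_safe(conn, "x" + tautology, 10),
        "balances_after_safe": balances(conn),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable and safe functions differ only in whether the input is part of the SQL string or passed as a bound parameter; that single change is what turns the attacker's quote characters from SQL syntax back into data. The same pattern applies to the other interpreters listed in the Code injection section (LDAP, XPath, OS command lines): keep a fixed command template and pass untrusted values through the interface that treats them as values.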