Input Validation and Injection Vulnerabilities
SQL injection remains prevalent despite decades of awareness, making systematic testing essential. Test every input parameter including GET/POST parameters, cookies, and headers. Use both error-based and blind techniques as applications increasingly suppress error messages. SQLMap automates detection and exploitation but understanding manual techniques proves essential when automation fails or is restricted.
Command injection vulnerabilities transform web applications into system shells. Beyond obvious parameters like IP addresses or filenames, test any input passed to system functions. Blind command injection requires out-of-band techniques like DNS lookups or time delays for confirmation. Command chaining through operators like ;, &&, ||, and ` enables complex payload execution. Post-exploitation through command injection often provides easier paths than traditional memory corruption exploits.
Local file inclusion (LFI) and remote file inclusion (RFI) vulnerabilities expose sensitive files or enable code execution. Test file parameters with directory traversal sequences, absolute paths, and wrapper protocols. PHP applications prove particularly vulnerable through wrappers like php://filter for source code reading or php://input for code execution. Log poisoning combined with LFI achieves code execution when direct methods fail.
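The three sinks described above (string-built SQL, shell-built commands, unchecked file parameters) beside their hardened forms, as an added Python example that is not part of the original guide; the users table, the base directory /srv/app/pages and all function names are constructed assumptions.

```python
import ipaddress
import sqlite3
from pathlib import Path


def build_db():
    # Constructed sample data: an in-memory table standing in for the app's DB.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, pw):
    # Input is concatenated into the statement, so quotes become SQL syntax.
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in db.execute(q)]


def login_safe(db, name, pw):
    # Parameterised query: the driver binds values, they never become syntax.
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(q, (name, pw))]


def ping_argv(host):
    # Command-injection guard for an IP-address parameter: reject anything
    # that is not an IP literal, then pass an argv list (no shell), so
    # metacharacters such as ; && || and backticks are never interpreted.
    ipaddress.ip_address(host)  # raises ValueError on "10.0.0.1; id" etc.
    return ["ping", "-c", "1", host]


def resolve_under(base, user_path):
    # LFI guard for a file parameter: after resolving traversal sequences
    # and absolute paths, the target must still lie inside the base directory.
    base = Path(base).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes base directory")
    return target
```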
XML external entity (XXE) injection affects applications processing XML data. Test for XXE in obvious locations like SOAP endpoints, but also in less obvious places like file uploads accepting Office documents or SVG images. XXE enables file reading, SSRF attacks, and potential code execution through expect:// or other protocols. Many developers remain unaware of XXE risks, making it valuable for OSCP scenarios.