How Attackers Turn User Input Into a Cyber Security Threat
Introduction
Modern applications rely heavily on user input – Every time you search for a product online, submit a login form, upload a file, or enter information into a website, data is being passed from you to an application.
Most of the time, this process works exactly as intended. However, problems arise when an application fails to properly distinguish between legitimate user input and executable commands. When this happens, attackers may be able to inject malicious instructions into the application and alter its behaviour.
These attacks are known as injection attacks, and they have been responsible for some of the most serious security breaches in history.
Injection vulnerabilities consistently appear among the most dangerous web application security risks because they can allow attackers to:
- Access sensitive information
- Bypass authentication
- Modify or delete data
- Execute system commands
- Take control of servers
- Compromise entire applications
What is an injection attack?
An injection attack occurs when an attacker supplies malicious or malformed input to an application, causing that input to be interpreted as commands rather than simple data, sometimes leading to sensitive data exposure, unauthorised access to the system, or a system crash.
In simple terms – The application treats attacker-controlled input as instructions to execute.
The attacker “injects” code, commands, or queries into a system that was expecting ordinary user data, but instead processes the injected code as an instruction.
The consequences of an injection attack depend on what system receives the injected input.
Examples include:
- Databases
- Operating systems
- Web applications
- Directory services
- APIs
- XML processors
Understanding the core problem
Poorly designed software may not properly distinguish between data and instructions.
This inability to separate user input from executable commands is at the heart of injection vulnerabilities.
For example, rather than simply storing the user information it was given, a database might be made to execute an injected command that reads all users' data, or even edits or deletes other users' data.
As an example, if a database were to retrieve information about a user based on a user-supplied value, the command could look like this:
SELECT FirstName,Surname,DOB,PostCode FROM users WHERE ID = 1
In this instance, the database checks whether the ID column holds the number 1. If that condition is TRUE, the requested data is returned; if it is FALSE, no data is returned.
If an attacker is able to supply part of the command themselves, they may be able to extract any data from the system.
For example:
SELECT * FROM users WHERE ID = 1 OR 1=1; --
In this example, the attacker is not simply providing a value for ID: they append a condition that always produces a TRUE result (1=1), joined with OR, forcing the WHERE clause to be true for every row, and the -- comments out whatever the application would have appended. The wildcard (*) then tells the database to return all fields – possibly including stored password hashes, credit card data, etc.
Why injection attacks are dangerous
Injection attacks are particularly dangerous because they often allow attackers to interact directly with underlying systems.
Depending on the vulnerability, attackers may be able to:
- Read sensitive information
- Change database records
- Delete critical data
- Gain administrator privileges
- Execute code on servers
- Move laterally through networks
In severe cases, a single injection vulnerability can lead to a complete system compromise.
How injection attacks work
Although there are many types of injection attacks, they generally follow the same pattern.
Step 1: User Input Is Accepted
The application receives input from a user.
Examples:
- Search boxes
- Login forms
- URL parameters
- API requests
Step 2: Input Is Processed Unsafely
The application inserts the user input directly into a command or query.
Step 3: Malicious Input Is Supplied
The attacker submits specially crafted input.
Step 4: The System Executes the Input
Instead of treating the input as data, the system interprets it as commands.
Step 5: The Attacker Gains an Advantage
This may result in:
- Data exposure
- Privilege escalation
- Remote code execution
- System compromise
SQL Injection (SQLi)
SQL Injection is one of the most well-known forms of injection attacks. These attacks target databases that use Structured Query Language (SQL).
Most websites rely on databases to store information such as:
- User accounts
- Passwords
- Customer records
- Orders
- Inventory
How SQL Injection Works
The application creates a database query using the supplied user input. If the application fails to validate input properly, an attacker may manipulate the query’s logic: instead of providing normal credentials, the attacker supplies specially crafted data that changes how the database interprets the request.
The result may allow the attacker to:
- Bypass login mechanisms
- View database contents
- Modify records
- Delete information
In severe cases, attackers can gain complete control over the database.
Some SQL databases run with elevated privileges on the underlying host operating system, so if an attacker gains access via the database, they would have those elevated privileges on the operating system.
Impact of SQL Injection
A successful SQL injection attack may allow attackers to access:
- Customer information
- Employee records
- Financial data
- Authentication credentials
- Business-critical information
- Underlying OS access
Many major data breaches have involved SQL injection vulnerabilities.
Command Injection
Command injection occurs when user input is passed directly to an operating system command. Instead of interacting only with the application, the attacker interacts with the underlying server.
How Command Injection Works
Some applications use operating system commands to perform tasks such as:
- File management
- System administration
- Network diagnostics
If user input is inserted directly into these commands without proper validation, attackers may be able to execute their own commands.
Potential consequences include:
- Viewing files
- Modifying data
- Creating accounts
- Installing malware
- Taking complete control of the server
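As an added example (not from the original article), here is the network-diagnostics case in Python: the unsafe construction pastes the user's text into a single shell command line, while the safe version checks the hostname against an allow-list and passes arguments as a list so no shell ever parses the input. The ping invocation and the hostname pattern are assumptions chosen for illustration.

```python
import re
import subprocess

# Allow-list for the one thing this endpoint needs: a hostname. Letters, digits,
# dots and hyphens only, first character alphanumeric, so shell metacharacters
# such as ; | & ` $ and leading option dashes are refused.
# (Assumed pattern for this example; tighten it to what your application needs.)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def is_valid_hostname(host):
    """True only for input that matches the allow-list above."""
    return HOSTNAME_RE.fullmatch(host) is not None

def build_command_line_vulnerable(host):
    """Unsafe pattern: one string handed to a shell (os.system or
    subprocess.run(..., shell=True)). Anything after a ';' in the input is a
    second command as far as the shell is concerned. Returned as text here,
    never executed, so the effect of the input on the command line is visible."""
    return "ping -c 1 " + host

def build_argv_safe(host):
    """Safe pattern: validate first, then build an argument list. With a list,
    subprocess starts 'ping' directly and the hostname is a single argument."""
    if not is_valid_hostname(host):
        raise ValueError("hostname rejected by allow-list")
    return ["ping", "-c", "1", host]

def run_ping(host):
    """Runs the diagnostic without a shell; the only user-controlled piece is
    one argv element, so it cannot add commands or options."""
    return subprocess.run(build_argv_safe(host), capture_output=True,
                          text=True, timeout=10)
```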
LDAP Injection
LDAP is the Lightweight Directory Access Protocol and is used to create, manipulate, and query directory services such as Microsoft’s Active Directory.
Many organisations use directory services for authentication and user management.
Examples include:
- Corporate directories
- User management systems
- Single sign-on environments
How LDAP injection works
Many applications use LDAP queries to locate users or validate credentials. For example – Microsoft Outlook will use LDAP to query a person’s email address to see if that person is currently logged in and available, or is offline.
If user input is inserted directly into these queries, attackers may be able to manipulate how the directory responds.
Possible outcomes include:
- Authentication bypass
- Access to user information
- Privilege escalation
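Added example, not from the article: escaping a user-supplied value before it is placed in an LDAP search filter, following the RFC 4515 rules, with the unescaped construction alongside to show how a crafted username widens the lookup to every person in the directory. The filter shape (objectClass=person, uid) is an assumption.

```python
# RFC 4515 filter escaping: each special character becomes a backslash followed
# by its two-digit hexadecimal code, so the directory matches the value
# literally instead of treating it as filter syntax.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

def escape_ldap_filter_value(value):
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter_vulnerable(username):
    """Unsafe pattern: the raw username is spliced into the filter text, so
    characters such as ')' and '*' change the filter's structure. A username of
    '*)(uid=*' yields (&(objectClass=person)(uid=*)(uid=*)), which matches
    every person rather than one."""
    return "(&(objectClass=person)(uid=" + username + "))"

def build_user_filter_safe(username):
    """Safe pattern: the same filter, with the value escaped first, so the
    directory searches for the literal string the user typed."""
    return "(&(objectClass=person)(uid=" + escape_ldap_filter_value(username) + "))"
```

Directory client libraries ship equivalent helpers (ldap3's escape_filter_chars, for example); prefer those in production over maintaining your own table.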
XML Injection
Extensible Markup Language (XML) is widely used to define markup for applications and services so that they can exchange data.
An XML injection attack occurs when malicious content is inserted into XML documents or queries.
Potential Consequences
Attackers may:
- Alter application logic
- Manipulate data processing
- Trigger unexpected behaviour
- Access sensitive information
XML-based attacks often affect enterprise applications and integrations.
XPath Injection
XPath is used to navigate XML documents. Applications that build XPath queries using unsanitised input may be vulnerable.
XPath injection is conceptually similar to SQL injection but targets XML data structures rather than relational databases.
Attackers may be able to:
- Bypass authentication
- Access sensitive records
- Manipulate query results
Cross-Site Scripting (XSS)
Although often categorised separately, Cross-Site Scripting shares many characteristics with injection attacks.
In an XSS attack, malicious scripts are injected into web pages viewed by other users.
See the section on XSS for more information.
NoSQL Injection
As modern applications increasingly adopt NoSQL databases (Not Only SQL), attackers have adapted their techniques.
NoSQL injection targets databases such as:
- MongoDB
- CouchDB
- Cassandra
The underlying principle remains the same – User input alters the intended database query.
Consequences can include:
- Authentication bypass
- Data exposure
- Data modification
Server-Side Template Injection (SSTI)
Many web applications use templates to generate dynamic content.
Examples include:
- User dashboards
- Reports
- Web pages
If user input is incorporated into templates insecurely, attackers may inject template expressions.
Depending on the platform, SSTI vulnerabilities can lead to:
- Data disclosure
- Remote code execution
- Complete server compromise
Header injection
Web applications rely on HTTP headers to exchange information.
When a browser requests data from a web application, metadata is carried inside the request in various HTTP headers. When the web application receives the request, it processes not only the request itself but also the metadata contained in those headers. Header injection occurs when attackers manipulate these header values, knowing that the web application will process them.
Potential impacts include:
- Cache poisoning
- Redirect manipulation
- Session attacks
- Response splitting
Email injection
Applications often generate automated emails.
Examples include:
- Contact forms
- Password reset systems
- Support requests
If user input is inserted directly into email headers, attackers may manipulate how those emails are generated.
Consequences may include:
- Spam distribution
- Email spoofing
- Abuse of organisational email systems
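A single check covers both the header injection and the email injection cases above: refuse carriage return and line feed in any user-supplied value that ends up in a header line. This added example (not from the article) shows that check, a redirect built with and without it, and a contact-form message whose recipient is fixed by the application; the addresses and header layout are constructed for illustration.

```python
import re

# CR and LF end a header line in HTTP and in Internet mail, so a value carrying
# either can start a new header or, after a blank line, a new body. Refusing
# them is the core defence against header injection, response splitting and
# email header injection.
_CRLF_RE = re.compile(r"[\r\n]")

def is_safe_header_value(value):
    """True when the value cannot terminate the current header line."""
    return _CRLF_RE.search(value) is None

def build_redirect_vulnerable(location):
    """Unsafe pattern: user-controlled text written straight into raw headers.
    Returned as text, not sent, to show what the client would receive."""
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"

def build_redirect_safe(location):
    """Same response, but CR/LF in the value is refused before it is written."""
    if not is_safe_header_value(location):
        raise ValueError("header value contains CR or LF")
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n"

def build_contact_mail_safe(reply_to, subject, body):
    """Contact-form mail: the recipient is fixed by the application, the
    user-supplied header values are validated, and free text goes only into
    the body, where a line break is just a line break."""
    for value in (reply_to, subject):
        if not is_safe_header_value(value):
            raise ValueError("mail header value contains CR or LF")
    headers = [
        "To: support@example.com",    # never taken from the form
        "From: noreply@example.com",
        "Reply-To: " + reply_to,
        "Subject: " + subject,
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body

def header_names(raw_message):
    """List the header names before the blank line, to make the effect of an
    injected CR/LF visible: an extra name means an extra header got in."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if ":" in line]
```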
Why injection attacks continue to succeed
Despite being well understood, injection vulnerabilities remain common.
Several factors contribute to this.
- Poor input validation – Applications trust user input too readily.
- Legacy systems – Older applications may use insecure coding practices.
- Rapid development – Security may be overlooked during development.
- Complex integrations – Modern systems often involve multiple technologies interacting with one another.
All of these increase the likelihood of mistakes being made, which opens the door to injection attacks.
Real-World Impact of Injection Attacks
Successful injection attacks can result in:
- Data breaches – Sensitive information is exposed.
- Financial loss – Organisations may face fraud, fines, and recovery costs.
- Service disruption – Systems may become unavailable or unstable.
- Regulatory consequences – Data protection regulations may impose penalties following a breach.
- Reputational damage – Customer trust can be difficult to rebuild after a security incident.
How Organisations Defend Against Injection Attacks
Fortunately, injection vulnerabilities are often preventable.
- Input validation – Validate and restrict user input wherever possible. Applications should accept only expected values.
- Parameterised queries – Instead of building database queries dynamically, developers should use parameterised statements. This ensures user input is treated as data rather than executable instructions.
- Output encoding – Proper encoding helps prevent script execution and related attacks.
- Least privilege – Applications should operate with the minimum permissions necessary. This limits the impact of successful attacks.
- Secure coding practices – Developers should follow established secure development standards.
- Security testing – Regular code reviews, vulnerability scanning, penetration testing, and other security assessments can identify injection vulnerabilities before attackers do.
- Web Application Firewalls (WAFs) – A WAF can help detect and block malicious requests associated with common injection techniques.
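The query from the "Understanding the core problem" section and the parameterised-queries recommendation above, worked through as an added example (not from the article): the same users table is queried once with string concatenation and once with a bound parameter, using SQLite in memory. The rows are constructed sample data, and the always-true condition is the one discussed in that section.

```python
import sqlite3

# Constructed sample rows for the users table from the article's query
# (ID, FirstName, Surname, DOB, PostCode); the values are made up.
SAMPLE_USERS = [
    (1, "Ada", "Lovelace", "1815-12-10", "SW1A 1AA"),
    (2, "Alan", "Turing", "1912-06-23", "M1 1AE"),
    (3, "Grace", "Hopper", "1906-12-09", "W1A 0AX"),
]

def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ID INTEGER PRIMARY KEY, FirstName TEXT, "
                 "Surname TEXT, DOB TEXT, PostCode TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, user_id):
    """String concatenation: the input becomes part of the SQL text, so an
    input such as '1 OR 1=1' is parsed as SQL and widens the WHERE clause
    to every row."""
    sql = "SELECT FirstName,Surname,DOB,PostCode FROM users WHERE ID = " + str(user_id)
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, user_id):
    """Parameterised statement: the query text is fixed and the driver binds
    the input as one value, so it can never change the statement's structure.
    Checking that the ID is an integer before calling this would be a second,
    independent layer (input validation)."""
    sql = "SELECT FirstName,Surname,DOB,PostCode FROM users WHERE ID = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def demo():
    """Row counts for a normal ID and for the always-true input, both ways."""
    conn = make_db()
    normal = "1"
    hostile = "1 OR 1=1"   # the condition from the article, without the ; --
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_normal": len(lookup_parameterised(conn, normal)),
        "safe_hostile": len(lookup_parameterised(conn, hostile)),
    }
```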
The Future of Injection Attacks
As technology evolves, injection attacks continue to evolve as well. While traditional SQL injection remains a significant threat, attackers increasingly target:
- APIs
- Cloud services
- NoSQL databases
- Microservices
- AI-enabled applications
- Template engines
The fundamental principle remains unchanged – Whenever applications fail to properly separate data from instructions, attackers may find opportunities to inject malicious input.
Conclusion
Injection attacks occur when attackers manipulate user input so that it is interpreted as executable commands rather than ordinary data. These vulnerabilities can affect databases, operating systems, directory services, web applications, APIs, and many other technologies.
Common forms of injection attacks include SQL injection, command injection, LDAP injection, XML injection, XPath injection, NoSQL injection, server-side template injection, and cross-site scripting. Although the specific targets differ, they all exploit the same underlying weakness: the application’s failure to safely handle untrusted input.
Understanding injection attacks is essential for anyone interested in cybersecurity because they demonstrate how seemingly simple programming mistakes can lead to severe security breaches. By implementing secure coding practices, validating input properly, and adopting layered security controls, organisations can significantly reduce the risk posed by these powerful and persistent threats.