Slashdot Mirror


Malicious Injection — It's Not Just For SQL Anymore

nywanna writes "When most people think of malicious injection, they think of SQL injection. The fact is, if you are using XML documents or an LDAP directory, you are just as vulnerable to a malicious injection as you would be using SQL. Bryan Sullivan looks at the different types of malicious code injections and examines the very basics of preventing these injections."

2 of 119 comments

  1. Phishers like frame injections by miller60 · Score: 4, Interesting

    Phishers have been known to use frame injections to insert their content into framesets, allowing them to grab login info from within the bank's own web site. It's not nearly as fancy as an SQL injection, but it's sure malicious and quite difficult for victims to recognize.

  2. Email header injection attack by DeadSea · Score: 5, Interesting
    Another example of an injection attack allows an attacker to send spam through a contact form that doesn't normally allow the recipient to be specified by the user.

    A webmaster hosts a contact form on his website that allows users to fill out a form to contact him. He allows the user to specify a subject and a message but the recipient is hard coded to webmaster@example.com.

    The message ends up looking like this:

    To: webmaster@example.com
    From: thewebserver@example.com
    Subject: $subject

    $message

    Where $subject and $message are captured from the user on the website.

    If the $subject is not properly sanitized, a bot could submit it with a new line in it and be able to start a new line in the headers of the email. That new line could be, for example, a large CC list of people to spam with his message:

    Buy my weight loss pills!
    CC: spammee1@example.com, spammee2@example.com

    Which is why I would suggest using a contact form such as the one that I have written that has already thought about this sort of thing.
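As an added illustration of the header injection described in this comment (example code written for this page, not DeadSea's contact form), the snippet below assembles the message as a plain string using the same To/From/Subject template, shows how a newline in $subject smuggles in a CC header, and contrasts it with a validator that rejects any header value containing control characters. The sample subjects and the parse/detection helpers are constructed for the example.

```python
import re

# Constructed sample inputs: a benign subject and one carrying a CC header
# after an embedded newline, as in the comment above.
BENIGN_SUBJECT = "Question about your site"
INJECTED_SUBJECT = ("Buy my weight loss pills!\n"
                    "CC: spammee1@example.com, spammee2@example.com")
BODY = "Hello, I have a question."

# The same layout the comment shows: hard-coded To/From, user-supplied Subject.
TEMPLATE = ("To: webmaster@example.com\n"
            "From: thewebserver@example.com\n"
            "Subject: {subject}\n"
            "\n"
            "{message}\n")


def build_message_naive(subject: str, message: str) -> str:
    """Vulnerable pattern: user input dropped straight into the header block."""
    return TEMPLATE.format(subject=subject, message=message)


# Anything outside printable ASCII is rejected: CR and LF (the injection
# vector) plus other control characters. Non-ASCII subjects would need
# RFC 2047 encoding before they belong in a header, which is out of scope here.
_NOT_PRINTABLE_ASCII = re.compile(r"[^\x20-\x7e]")


def header_value(value: str, max_len: int = 200) -> str:
    """Validate a single-line header value; reject rather than 'clean' it."""
    if _NOT_PRINTABLE_ASCII.search(value):
        raise ValueError("header value contains a control or non-ASCII character")
    if len(value) > max_len:
        raise ValueError("header value too long")
    return value.strip()


def build_message_safe(subject: str, message: str) -> str:
    """Hardened variant: the subject must pass header_value() first."""
    return TEMPLATE.format(subject=header_value(subject), message=message)


def parse_headers(raw: str) -> dict:
    """Split the header block (text before the first blank line) into fields."""
    head = raw.split("\n\n", 1)[0]
    fields: dict = {}
    for line in head.split("\n"):
        name, _, val = line.partition(":")
        fields.setdefault(name.strip(), []).append(val.strip())
    return fields


def injected_recipients(raw: str) -> list:
    """Detection helper: any recipient header beyond the hard-coded To: line."""
    h = parse_headers(raw)
    return [f for f in h if f.lower() in ("cc", "bcc")
            or (f.lower() == "to" and h[f] != ["webmaster@example.com"])]
```

Running injected_recipients() over what the naive builder produces for INJECTED_SUBJECT reports the smuggled CC field, while build_message_safe() refuses that subject outright.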