Injection attacks allow an attacker to inject code into a program or query, or to inject malware onto a computer, in order to execute remote commands that can read or modify a database or change data on a website.

Attack type | Attack description |
---|---|
Blind SQL Injection | Allows an attacker to use an error page that is returned by the database server to ask a series of True and False questions that use SQL statements to gain total control of the database or execute commands on the system. |
Blind XPath Injection | Allows an attacker who does not know the structure of an XML document to use methods that attempt to determine the structure of the document. |
Buffer Overflow | Alters the flow of an application by overwriting parts of memory. Reference: For more information about this attack, see Buffer overflow attacks. |
Format String Attack | Alters the flow of an application by using string formatting library features to access other memory space. In this type of attack, data that is provided by users might be used as formatting string input for certain C/C++ functions (for example: fprintf, printf, sprintf, setproctitle, syslog). |
LDAP Injection | Exploits websites that construct LDAP (Lightweight Directory Access Protocol) statements from data that is provided by users. In this type of attack, an attacker might modify LDAP statements by using a local proxy to execute arbitrary commands (granting permissions to unauthorized queries) or modify the content of the LDAP tree. |
OS Commanding | Exploits websites by injecting an operating system command through an HTTP request to the web application. In this type of attack, an attacker might upload malicious programs or obtain passwords. |
SQL Injection | Takes advantage of the SQL syntax to inject commands that can read or modify a database, or compromise the meaning of the original SQL query. In this type of attack, an attacker can spoof identity; expose, tamper with, destroy, or make existing data unavailable; or become the Administrator of the database server. |
SSI Injection | Allows an attacker to send code to a web application, which is executed locally by the web server. In this type of attack, an attacker exploits the failure of the web application to filter data provided by users before it inserts that data into a server-side interpreted HTML file. |
XPath Injection | Exploits websites that allow an attacker to inject data into an application to execute XPath queries. (XPath is a query language that describes how to locate specific elements, such as attributes or processing instructions in an XML document.) In this type of attack, the attacker might be able to bypass authentication or access information without needing appropriate authorization. |

Signature name | Description | More information |
---|---|---|
HTTP_GET_ComputeSum | Detects attempts to execute the database command COMPUTE SUM through an HTTP GET request. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM® X-Force®: HTTP GET contains compute%sum |
HTTP_GET_CreateTable | Detects attempts to execute the database command CREATE TABLE through an HTTP GET request. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP GET contains create%table |
HTTP_GET_GroupBy | Detects attempts to execute the database command GROUP BY through an HTTP GET request. Known false positives: A false positive for this signature is possible when a user sends a request to an HTTP server that contains a string of group by or group+by. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP GET contains group%by |
HTTP_GET_SQL_Convert_Int | Detects the SQL command of convert(int,...) through HTTP GET requests. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL Injection CONVERT statement usage |
HTTP_GET_SQL_OpenRowSet | Checks HTTP GET requests for usage of the OPENROWSET SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "OPENROWSET" statement usage |
HTTP_GET_SQL_Select_Count | Detects the SQL command of select count(*) through HTTP GET requests. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: SQL injection SELECT count detected |
HTTP_GET_SQL_Select_Top_1 | Detects the SQL command of select top 1 through HTTP GET requests. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: SQL injection SELECT count detected |
HTTP_GET_SQL_UnionAllSelect | Checks HTTP GET requests for usage of the UNION ALL SELECT SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage |
HTTP_GET_SQL_UnionSelect | Checks HTTP GET requests for usage of the UNION SELECT SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "UNIONSELECT" statement usage |
HTTP_GET_SQL_WaitForDelay | Checks HTTP GET requests for usage of the WAITFOR DELAY SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage |
HTTP_GET_XP_Cmdshell | Detects attempts to execute the SQL Server xp_cmdshell function through an HTTP GET request. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP URL contains an SQL xp_cmdshell command shell request |
HTTP_IIS_MSSQL_xml | Checks for an HTTP GET request matching either the pattern *.xml or an SQL injection by using FOR XML with the contenttype argument that exceeds 239 characters. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: Microsoft SQL Server SQLXML ISAPI buffer overflow |
HTTP_IIS_MSSQL_XML_Script | Checks for an HTTP GET matching the pattern *.xml with an argument that contains script injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: Microsoft SQL Server SQLXML XML tag script injection |
HTTP_POST_ComputeSum | Detects attempts to execute the database command COMPUTE SUM through an HTTP POST request. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP POST contains compute%sum |
HTTP_POST_CreateTable | Detects attempts to execute the database command CREATE TABLE through an HTTP POST request. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP POST contains create%table |
HTTP_POST_GroupBy | Detects attempts to execute the database command GROUP BY through an HTTP POST request. Known false positives: A false positive for this signature is possible when a user sends a request to an HTTP server that contains a string of group by or group+by. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP POST contains group%by |
HTTP_POST_SQL_Convert_Int | Detects the SQL command of convert(int,...) through HTTP POST requests. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL Injection CONVERT statement usage |
HTTP_POST_SQL_OpenRowSet | Checks HTTP POST requests for usage of the OPENROWSET SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "OPENROWSET" statement usage |
HTTP_POST_SQL_Select_Count | Detects the SQL command of select count(*) through HTTP POST requests. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: SQL injection SELECT count detected |
HTTP_POST_SQL_Select_Top_1 | Detects the SQL command of select top 1 through HTTP POST requests. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL injection SELECT statement usage |
HTTP_POST_SQL_WaitForDelay | Checks HTTP POST requests for usage of the WAITFOR DELAY SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage |
HTTP_POST_SQL_UnionAllSelect | Checks HTTP POST requests for usage of the UNION ALL SELECT SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage |
HTTP_POST_SQL_UnionSelect | Checks HTTP POST requests for usage of the UNION SELECT SQL statement. Note: This signature does not necessarily indicate that there is an attack on the network, but it might be an attempt at SQL injection. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP SQL "UNIONSELECT" statement usage |
HTTP_POST_XP_Cmdshell | Detects attempts to execute the SQL Server xp_cmdshell function through an HTTP POST request. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: HTTP POST command contains SQL command shell request |
HTTP_Shells_C | Detects attempts to cause the C shell to execute commands. This signature detects any calls to the C shell at any location (not only the cgi-bin directory) within or outside the web server. This signature replaces HTTP_Shells. | IBM X-Force: Shell interpreters can be used to execute commands on Web servers |
HTTP_Shells_Ksh | Detects attempts to cause the Korn shell to execute commands. This signature detects any calls to the Korn shell at any location (not only the cgi-bin directory) within or outside the web server. This signature replaces HTTP_Shells. | IBM X-Force: Shell interpreters can be used to execute commands on Web servers |
HTTP_Shells_Perl | Detects attempts to cause the Perl shell to execute commands. This signature detects any calls to the Perl shell at any location (not only the cgi-bin directory) within or outside the web server. This signature replaces HTTP_Shells. | IBM X-Force: Shell interpreters can be used to execute commands on Web servers |
HTTP_Shells_Perl_Exe | Detects attempts to cause the Perl shell to execute commands. This signature detects any calls to the Perl shell at any location (not only the cgi-bin directory) within or outside the web server. This signature replaces HTTP_Shells. | IBM X-Force: Shell interpreters can be used to execute commands on Web servers |
HTTP_Shells_Rksh | Detects attempts to cause the restricted Korn shell to execute commands. This signature detects any calls to the restricted Korn shell at any location (not only the cgi-bin directory) within or outside the web server. This signature replaces HTTP_Shells. | IBM X-Force: Shell interpreters can be used to execute commands on Web servers |
HTTP_Shells_Sh | Detects attempts to cause the Bourne shell to execute commands. This signature detects calls to the Bourne shell in the cgi-bin directory only. This signature replaces HTTP_Shells. | IBM X-Force: Shell interpreters can be used to execute commands on Web servers |
HTTP_Shells_Tcsh | Detects attempts to cause the tcsh shell to execute commands. This signature detects any calls to the tcsh shell at any location (not only the cgi-bin directory) within or outside the web server. This signature replaces HTTP_Shells. | IBM X-Force: Shell interpreters can be used to execute commands on Web servers |
LDAP_Injection | Detects attempts to compromise websites that construct LDAP (Lightweight Directory Access Protocol) statements from data that is provided by users. | |
Shell_Command_Injection | Detects a Shell Command injection attempt by combining commands and symbols that are used in shell programming languages. In the default configuration, shell commands are scored only when one of the pedantic (escape) values as defined by the pam.injection.shell.pedantic tuning parameter is matched, or when a directory traversal attempt is detected. In either of those cases, an attempt is made to score shell commands and symbols. pam.injection.shell.pedantic: This tuning parameter affects the Shell_Command_Injection signature by requiring that one of the following patterns precede a shell command: '`' (back-tick), '$(' (dollar + open parentheses), '\|\|' (double pipe), '&&' (double ampersand), or ';' (semi-colon). When this tuning parameter is disabled, then all tokens are scanned for shell commands. Disabling this tuning parameter will most likely lead to a substantial increase in false positives. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: Shell command injection attempt detected |
SQL_Injection | Heuristically detects SQL injection attempts by weighing various Data Definition statements, Data Manipulation statements, operators, functions, keywords, and symbols of the SQL programming language. pam.parser.argument.injection.enabled Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: SQL Injection affects multiple database-backed applications |
SQL_Jet_Query_Overflow | Searches for a SQL query with excessive SQL token delimiters potentially allowing an attacker to overflow the Microsoft Jet Database engine. Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled | IBM X-Force: Microsoft Jet Database Engine query could execute code |
XPATH_Injection | Triggers when well-known boolean injection patterns are detected. In the absence of an SQL Injection event, it is more likely that an XPATH injection attempt was made. pam.injection.http.headers.enabled: Determines whether injection attempts (SQL, Shell, XSS, XPATH, LDAP) are detected in HTTP headers, such as Cookie: and Referer:. Note: Disabling this tuning parameter results in a performance improvement. pam.injection.http.hostpath.enabled: Determines whether injection attempts (SQL, Shell, XSS, XPATH, LDAP) are detected in the //host/path/filename portion of the HTTP URL. Note: Disabling this tuning parameter results in a performance improvement. pam.parser.argument.injection.enabled: Turns the Injection Logic Engine ON or OFF. This parameter affects all SQL injection signatures, all Shell Command injection signatures, and all cross-site scripting injection signatures. The default value for this tuning parameter is enabled. pam.injection.param.ignore: Defines a parameter name to ignore when you are completing inspection for SQL injection, Shell Command injection, cross-site scripting, and other related attacks. | IBM X-Force: XPath injection attempt detected |
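The gating that the Shell_Command_Injection row describes for pam.injection.shell.pedantic can be sketched as follows. This is an added example, not IBM's engine or code from this page: the command list, the regular expressions and the function names are assumptions, and it returns a boolean where the product scores matches.

```python
import re
from urllib.parse import unquote_plus

# Escape patterns the page lists for pam.injection.shell.pedantic.
PEDANTIC_PREFIXES = ("`", "$(", "||", "&&", ";")
# Constructed command list (assumption; the product's own list is not on the page).
SHELL_COMMANDS = {"cat", "ls", "id", "wget", "rm", "uname"}
TRAVERSAL = re.compile(r"\.\./")


def shell_tokens(value):
    """Yield (word, preceded_by_escape_pattern) for each word in a decoded value."""
    for match in re.finditer(r"[A-Za-z_]+", value):
        before = value[:match.start()].rstrip()
        yield match.group().lower(), before.endswith(PEDANTIC_PREFIXES)


def flags_shell_injection(raw_value, pedantic=True):
    """Return True if a request argument would be treated as shell injection."""
    value = unquote_plus(raw_value)  # decode %3B, + and similar before matching
    traversal = bool(TRAVERSAL.search(value))
    for word, escaped in shell_tokens(value):
        if word not in SHELL_COMMANDS:
            continue
        # Pedantic on: the command needs an escape pattern in front of it, or a
        # directory traversal elsewhere in the value. Pedantic off: any token counts.
        if not pedantic or escaped or traversal:
            return True
    return False


# Constructed sample argument values, not taken from real traffic.
SAMPLES = [
    "report; cat /etc/passwd",
    "how to cat a file",
    "x%3Bid",
    "..%2F..%2Fbin%2Fls",
    "hello world",
]


def compare(samples=SAMPLES):
    """Return (sample, flagged_with_pedantic, flagged_without_pedantic) tuples."""
    return [(s, flags_shell_injection(s), flags_shell_injection(s, pedantic=False))
            for s in samples]


if __name__ == "__main__":
    for sample, strict, loose in compare():
        print(f"{sample!r:32} pedantic={strict} non-pedantic={loose}")
```

The second sample is ordinary text that only the non-pedantic mode flags, which is the false-positive increase the row warns about.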