Posts

Showing posts from January, 2013

XSS = SQLI = CMDi=?

Image
Why do we look at Cross Site Scripting, Command Injection and SQL injection in different ways? Why am I even writing about such old issues like SQLI, XSS, CMDi? Probably because they are very similar from a builder/prevention aspect but very different from a breaker/defender aspect. The Result is different: Cross Site Scripting (XSS):  is a payload delivery mechanism. The vulnerability is used to deliver the payload (warhead) in this case client side script which does something. The attack used against a user so the attacker can do other stuff: Malware upload, Social Engineering, Identity Theft etc. Command Injection (CMDi): A direct attack on a system. Invoking system commands directly. Command injection is a payload attack as opposed to a delivery mechanism. SQL Injection (SQLI): A direct attack on a system also. Direct access to data or system configuration. The SQL injection attack is also a payload attack. The Root cause is the same:  It all comes down to the same thin