Vocabulary flashcards covering major terms and definitions related to injection attacks, XSS, SQLi, defenses, tools, and architectural concepts discussed in the lecture notes.
Injection Attack
A vulnerability category where untrusted input is inserted into a command or query, altering its execution and enabling malicious behavior.
Von Neumann Architecture
CPU design where data and instructions share the same memory; flexible, but the shared memory bus becomes a bottleneck.
Harvard Architecture
CPU design that separates instruction and data memories, yielding speed and security benefits; common in microcontrollers.
Cross-Site Scripting (XSS)
An injection attack where malicious JavaScript is executed in a victim’s browser via crafted HTML content.
Reflected XSS (Type 1)
Non-persistent XSS where malicious input is immediately reflected by the server in its response.
Stored XSS (Type 2)
Persistent XSS where malicious input is stored on the server (e.g., DB) and served to many users later.
DOM-Based XSS (Type 0)
Client-side XSS where the browser’s DOM is modified directly without server involvement.
Content Security Policy (CSP)
HTTP response header that restricts sources of executable scripts, mitigating XSS.
XSStrike
Automated XSS discovery suite featuring payload generation, fuzzing, and crawling.
Session Cookie Theft
XSS payload goal to read document.cookie and send it to an attacker, hijacking user sessions.
SQL Injection (SQLi)
Attack where untrusted input alters an SQL query’s structure, enabling unauthorized data access or modification.
Blind SQL Injection
SQLi where no error or output is shown; attackers infer data via timing, Boolean responses, or resource consumption.
UNION-Based Injection
SQLi technique appending a UNION SELECT to combine attacker-controlled results with the original query output.
Error-Based Injection
SQLi where attackers exploit verbose error messages to glean database structure and data.
Boolean-Based Blind SQLi
Blind SQLi relying on true/false differences in application responses to extract information.
Time-Based Blind SQLi
Blind SQLi where attackers use database delays (e.g., SLEEP) and measure response time to infer data.
Stacked Queries
SQLi method adding a semicolon to run additional commands after the original query.
sqlmap
Open-source tool that automates detection and exploitation of SQL injection vulnerabilities.
mysqli_real_escape_string()
PHP function escaping special characters in strings for SQL; protects only quoted string data.
Prepared Statement
Database feature separating query structure from data parameters to prevent SQL injection.
Object-Relational Mapper (ORM)
Library that maps database tables to objects; shields developers from raw SQL but still requires patching for injection flaws.
HTML vs. JavaScript Context
Security-critical distinction between data (display) and code (execution) within web pages.
Escaping
Replacing or encoding special characters to ensure user input is treated as data, not executable code.
Content Length Limiting
Defense that restricts maximum input size, reducing payload room for injection attacks.
Disable Inline Scripts
CSP directive (e.g., script-src 'self') blocking inline JavaScript to mitigate XSS.
iframe Abuse
XSS tactic loading external pages or hidden resources via <iframe> elements.
Cookie Scope
Attributes (HttpOnly, Secure, SameSite) defining when and how cookies are accessible; HttpOnly hinders JS theft.
SQL Discovery via Errors
Unsanitized error messages reveal schema and query details, aiding attackers.
Log Flooding
Attacker strategy of generating excess errors to hide malicious events in logs.
Intrusion Detection System (IDS)
Security tool that monitors traffic and alerts or blocks upon detecting suspicious activity such as injection patterns.
Prompt Injection (LLM01)
OWASP risk where malicious prompts manipulate Large Language Models to ignore guidelines or leak data.
Direct Prompt Injection
Attacker-supplied instruction directly inserted into LLM input, overriding intended behavior.
Indirect Prompt Injection
Hidden or obfuscated instructions embedded in content that an LLM later processes, causing malicious actions.
Multilingual/Obfuscated Attack
Prompt injection technique using multiple languages, encoding, or emojis to bypass filters.
SQL Confidentiality Impact
Attack goal to read large volumes of sensitive data from the database.
SQL Availability Impact
Injection that exhausts server resources, causing denial of service.
SQL Integrity Impact
Injection altering or deleting data, corrupting the database’s correctness.
XSS Payload Hiding
Use of CSS or invisible elements to conceal malicious scripts from victims.
XSStrike Example Payload
Bobby Tables (XKCD 327)
Humorous reference illustrating the consequences of unsanitized SQL input ("Robert'); DROP TABLE Students;--").