Injection attacks are a broad class of wide range vectors that enables an attacker to provide a program that an interpreter processes as a command and/or inquiry that alters the way a program is running.
What are Injection Attacks?
This type of attack allows an attacker to inject code into a computer to run remote commands to read or modify a database, or change website data.

It is possible, however, to inject code or malware to a program.

In a simple manner, An injection attack is when the back-end system accepts the data that the malicious user(the person who is intended to create destruction) supplies input without any validation and treats it as a command.

When the data is in the form that the system expects it is all good, but if the hacker is able to inject commands, for example, drop a table in the form of data then we have a problem.

Let me explain it with a simple example. Let a person named Jack is walking in the desert when suddenly he is suddenly bitten by a snake. He rushed to the hospital where the doctor checks for venom in his blood, so what is venom made up of?

Snake venom is mainly made up of proteins and so when you are bitten by a venomous snake, the snake injects highly concentrated proteins into your body in this venom commands the body to shut down and it can cause some serious damage including death.

Proteins are good for you if it is taken in the right amount in concentration. So don’t forget to eat proteins.

However, if the amount of concentration and protein in your body is more than what it can handle then we have a problem.

How does it relate to injection attacks?
The protein is like data. Good protein is like good data. The concentrated protein in the venom is also data.

But the body treats it as a command to shut down bad protein is a command that is mass like data.

When data is interpreted as data, it is good. When the data is interpreted as a command, we have an injection attack.

Solution
To protect against this the application developers should make sure that the data is validated before it is processed and the data is not dynamically treated as a command.
Types of Injection Attacks

S.NOINJECTION ATTACKDESCRIPTIONIMPACT
1.Code injectionInjects application code which can execute operating system commands as the user running the web application.Full system compromise
2.Cross-site Scripting (XSS)Injects arbitrary JavaScript into a legitimate website or web application which is then executed inside a victim’s browser.Account impersonation
3.OS Command injectionInjects operating system commands as the user running the web application. Advanced changes to this attack can leverage vulnerabilities to privilege escalation that can compromise the system fully.Full system compromise
4.SQL injection (SQLi)Injects SQL commands that can read or modify data from a database•Authentication bypass
•Information disclosure
•Data loss
•Data theft
•Loss of data integrity
•Denial of service
•Full system compromise

Injection attacks are not just very hazardous but are also very widespread, notably for heritage applications, particularly in SQL injection (SQLi) and cross-site scripting (XSS).