Describe these web application attacks: SQL Injection, Command injections, Cross-site scripting
Implementing Cisco Cybersecurity Operations (210-255)
SQL injection attacks use vulnerabilities in applications, generally web-based, to inject SQL commands. These commands could reveal data that the application would not normally show an unprivileged user. They can also be used to create additional users or modify existing users to gain more privilege in an application.
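The difference between a query built from unchecked input and a parameterized one, as an added example that is not part of the original notes. The table, rows, function names and input values are all constructed for illustration, and it uses Python's built-in sqlite3 with an in-memory database.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "shopping list"),
         ("bob", "payroll notes"),
         ("o'brien", "todo items"),
         ("admin", "recovery codes")],
    )
    return db

def notes_vulnerable(db, owner):
    # Unchecked input is pasted into the SQL text, so quote characters in
    # `owner` change the structure of the statement itself.
    sql = "SELECT owner, body FROM notes WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def notes_parameterized(db, owner):
    # The placeholder keeps `owner` as data; it is never parsed as SQL.
    return db.execute(
        "SELECT owner, body FROM notes WHERE owner = ?", (owner,)
    ).fetchall()

# Constructed input: closes the string literal and adds an always-true clause.
CRAFTED = "alice' OR '1'='1"

def compare(owner):
    """Return (vulnerable_rows_or_None_on_SQL_error, parameterized_rows)."""
    db = make_db()
    try:
        vulnerable = notes_vulnerable(db, owner)
    except sqlite3.Error:
        vulnerable = None  # the input broke the statement's syntax
    return vulnerable, notes_parameterized(db, owner)

if __name__ == "__main__":
    for value in ("alice", CRAFTED, "o'brien"):
        vuln, safe = compare(value)
        shown = "SQL error" if vuln is None else f"{len(vuln)} rows"
        print(f"{value!r}: vulnerable={shown}, parameterized={len(safe)} rows")
```

The legitimate name containing an apostrophe fails in the concatenated query with a SQL syntax error, which is often the first sign in application logs that input is reaching the SQL parser.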
Similar to SQL injection attacks, command injections use unchecked input to get an application to run commands on the host. These commands could be used for information gathering, such as running ls to see all files, or they could be destructive.
Cross-site scripting attacks use a trusted site to execute code against a user. The code appears to come from the trusted site, which makes the browser execute it. Attacks can be either stored on a site or reflected. OWASP has a good explanation of these attacks here.