OWASP Top Ten: Injection

Alex Archondakis

Managing Consultant

Alex is one of our managing consultants here at Pentest People. Focusing mainly on web application penetration testing. Alex has spoken at many key events while with us, including BSides London and even DSS ITSEC Latvia.

OWASP Top Ten: Injection

Injection is one of the top OWASP vulnerabilities for a reason. It can allow attackers to inject their own malicious code into programs, which can result in serious security breaches. This blog post will discuss what injection is, how it occurs, and some of the most common attack vectors. We will also provide tips on how to protect your website and Web Applications from these attacks.

How do Injection Attacks Happen?

Injection attacks occur when untrusted user input is injected into a program. This can happen in a number of ways, but the most common attack vectors are SQL injection and cross-site scripting (XSS). SQL injection occurs when attacker-controlled input is used to modify database queries. This can allow attackers to bypass authentication checks.

Cross-site scripting occurs when attacker-controlled input is used to inject malicious code into webpages. This can allow attackers to steal user data or take control of the victim’s browser.

What is the Most Common Injection Attack?

One of the most common types of injection attacks is SQL injection. This attack occurs when user input is used to modify database queries unsafely. For example, consider the following login form:

Username:

Password:

If the username and password are not properly sanitised, an attacker could enter malicious input that would allow them to bypass authentication checks. For example, they could enter the following values:

Username: ‘ OR ‘a’=’a

Password: ‘ OR ‘a’=’a

This would cause the following query to be executed:

SELECT * FROM users WHERE username=” OR ‘a’=’a’ AND password=” OR ‘a

Which would return all users in the database, regardless of their username and password.

How Can we Mitigate Injection Attacks?

Preventing injection attacks requires careful input validation. All user input should be carefully sanitised before being used in any programmatic way. In addition, developers should sanitise all input, not only web form inputs such as login forms.

The best defence against injection attacks is to develop secure habits and adopt policies and procedures that minimise vulnerabilities. Staying aware of the types of attacks you’re vulnerable to because of your programming languages, operating systems and database management systems is critical.

Here at Pentest People, we are continuously working to mitigate cyber security risks and threats by identifying vulnerabilities in your system’s defences, so that a real-life hacker cant exploit them. We provide a range of services that protect your system’s weaknesses from being at risk of cyber-attacks.

Take a look at our Web Application Penetration Test to make sure you’re not at risk from Injection attacks.

Video/Audio Transcript