OWASP Top 10 Series – Injection

In this series, I will try to explain each one of the security risks in the OWASP Top 10 (2021) list in the simplest way possible. Hopefully this can help me and others recall these concepts quickly.

Understanding OWASP Injection Vulnerabilities

Injection vulnerabilities occur when an application passes untrusted input into an interpreter (a SQL engine, a shell, a browser, an LDAP or XML parser) without keeping that input separate from the command or query structure, so an attacker can supply input that is interpreted as code or commands rather than as data. These vulnerabilities are not limited to a specific programming language or platform; they affect a wide range of applications, including web and mobile applications, databases, and even network protocols.

Types of Injection Attacks: Examples and Risks

  1. SQL Injection (SQLi): SQL injection occurs when an attacker inserts SQL syntax into an application's input fields and the application concatenates that input into a query, letting the attacker manipulate the underlying database. For instance, consider a login form where user credentials are validated using an SQL query. If the application builds the query by string concatenation instead of binding the input as a parameter, an attacker could enter something like ' OR '1'='1 into the username field, changing the query's logic, bypassing the authentication check and gaining unauthorized access.
  2. Cross-site Scripting (XSS): Although not always categorized as an injection attack, XSS involves injecting malicious scripts into web pages viewed by other users. For example, an attacker could submit JavaScript code in the comment field of a blog post that renders comments without output encoding. When other users view the comments, the injected code executes within their browsers, potentially stealing their session cookies or login credentials.
  3. Command Injection: Command injection occurs when attacker-controlled input is placed into a command that the application hands to the underlying operating system (for example through a shell). An example is a file upload feature that passes the uploaded file's name, unvalidated, into a shell command used to process the file. Shell metacharacters in a crafted file name would then be interpreted as part of that command, potentially allowing the attacker to execute arbitrary commands on the server.

Real-world Example: Exploiting SQL Injection

Consider a simple web application with a login form containing a username and password field. The application uses the following SQL query to validate user credentials:

SELECT * FROM users WHERE username = '<username>' AND password = '<password>';

An attacker exploiting an SQL injection vulnerability could input the following in the username field:

' OR '1'='1'; --

This would modify the query to:

SELECT * FROM users WHERE username = '' OR '1'='1'; --' AND password = '<password>';

The double hyphens (--) start a SQL comment, so the remainder of the original query, including the password check, is ignored. The WHERE clause now reads username = '' OR '1'='1', which is always true, so the query returns rows regardless of the password supplied and the attacker is granted access to the application.

Prevention and Best Practices

  1. Parameterized Queries and Input Validation: Use parameterized queries or prepared statements so that user input is always bound as data and can never change the structure of the query; this is the primary defense against SQL injection. Validate and sanitize user inputs as well (allow-lists for expected formats, length limits), as a defense-in-depth measure rather than a substitute for parameterization.
  2. Least Privilege: Limit the permissions of application components. Database accounts and server processes should have the least amount of privilege necessary to operate effectively, so that a successful injection cannot read or modify more than the application itself needs.
  3. Web Application Firewalls (WAFs): Implement WAFs to filter out malicious inputs and requests before they reach the application. Treat a WAF as an additional layer and a source of detection data, not as a replacement for fixing the vulnerable code, since filter rules can be bypassed.
  4. Regular Patching and Updates: Keep software frameworks, libraries, and platforms up-to-date to mitigate known vulnerabilities.
  5. Security Testing: Perform regular security assessments, including code reviews and penetration testing, to identify and address vulnerabilities proactively.
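To tie the login example above to the first prevention item, here is an added example (not code from the original post) that puts the concatenated query beside its parameterized equivalent. It uses Python's built-in sqlite3 with a constructed in-memory users table; the table, the user "alice" and the password are assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one sample user.

    Passwords are stored in plaintext only to mirror the query in the
    post; a real application stores password hashes instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, exactly as in the post.

    The input becomes part of the SQL text, so a quote character or a
    comment marker in the input changes the structure of the statement.
    """
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "';")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check using a parameterized query.

    The '?' placeholders are bound by the driver, so whatever the input
    contains is compared as a literal string and never parsed as SQL.
    """
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    payload = "' OR '1'='1'; --"          # the input from the post
    print("vulnerable, valid creds:  ", login_vulnerable(make_db(), "alice", "correct-horse"))
    print("vulnerable, injected name:", login_vulnerable(make_db(), payload, "wrong"))
    print("safe, valid creds:        ", login_safe(make_db(), "alice", "correct-horse"))
    print("safe, injected name:      ", login_safe(make_db(), payload, "wrong"))
```

Running it shows the concatenated version accepting the injected username with a wrong password, while the parameterized version rejects it and still accepts the genuine credentials.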