Blog

OWASP #1 Injection

2 Apr 2021 | By Jason Lu


 INJECTION

An injection attack is the most commonly used method of attack by hackers when trying to access data. The first thing you should do is assume that all data that will be entered is malicious in nature. By starting here, you can build all the necessary checks and filters to prevent these types of attacks. For example, with an SQL injection, you can use input validation functions to prevent incorrect characters from being passed and only allow characters associated with the input type e.g. email, to be passed. Other things to do would include not allowing for the use of dynamic SQL as you are handing power over to the input variables. Many databases and OS constantly require security patches and so having a patch management process in place can often be crucial. Don’t forget, always keep your database credentials separate and encrypted.

 

EXAMPLE OF AN ATTACK 1

The first example below uses SQL query preparation steps to demonstrate a very common vulnerability namely SQL injection. The example indicates that the short program has no defensive action taken before sending the user input to the database when a user could insert some malicious SQL strings, which could then cause Remote Code Execution when the input is submitted to the database.

 

EXAMPLE OF AN ATTACK 2

The second Java example is merely combining the user input with an HTML template into the response. In this case, the dangerous operation is in the second line where user input is directly placed into the result without any form of sanitisation. To prevent this from happening, one could use input validation libraries to perform a check before combining the input with the template.

 

Click here to learn more about the OWASP Top Ten,

and how Xcalscan can help you identify and resolve them.

You might be interested in

OWASP #5 Broken Access Control

19 Oct 2021 | By Jason Lu

In the OWASP Top Ten list, the number 5 vulnerability is Broken Access Control. This is concerned with how web applications grant systems access to...

read the story

Empowering Customers the Xcalibyte Way – An Interview with Gavin Bu

14 Oct 2021 | By Gavin Bu

From smart-locks at homes to self-driving vehicles on the road, new technologies such as artificial intelligence, blockchain, and 5G continue to promote the...

read the story

By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy