
OWASP #1 Injection

2021-04-02 | By Jason Lu


INJECTION

An injection attack is the most commonly used method of attack by hackers when trying to access data. The first thing you should do is assume that all data that will be entered is malicious in nature. By starting from that assumption, you can build all the necessary checks and filters to prevent these types of attacks. For example, with SQL injection you can use input validation functions to reject unexpected characters and only allow the characters associated with the input type (e.g. an email address) to be passed. Another measure is to avoid dynamic SQL, since building queries from input hands control over to the input variables. Many databases and operating systems regularly require security patches, so having a patch management process in place is often crucial. Don’t forget: always keep your database credentials separate and encrypted.


EXAMPLE OF AN ATTACK 1

The first example below walks through the steps of preparing an SQL query to demonstrate a very common vulnerability, namely SQL injection. The short program takes no defensive action before sending the user input to the database, so a user could insert malicious SQL strings, which could then lead to Remote Code Execution when the input is submitted to the database.


EXAMPLE OF AN ATTACK 2

The second Java example merely combines the user input with an HTML template in the response. In this case, the dangerous operation is in the second line, where user input is placed directly into the result without any form of sanitisation. To prevent this, one could use input validation libraries to check the input before combining it with the template.
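The following is an added, runnable illustration of both examples above, not code from the original post: a lookup built with dynamic SQL beside its parameterised form, the allow-list email check the first section recommends, and an HTML greeting rendered with and without escaping. The table contents and the sample inputs are constructed for the demo; the database is an in-memory SQLite instance.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed sample data: two users in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "s1"), ("bob@example.com", "s2")])
    return conn


def lookup_dynamic(conn, email):
    # Dynamic SQL: the input is spliced into the query text, so SQL syntax
    # inside it changes the meaning of the WHERE clause.
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterised(conn, email):
    # Placeholder binding: the driver passes the value as data, never as SQL.
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in rows)


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(value):
    # Allow-list validation: only characters that belong in an email address.
    return EMAIL_RE.fullmatch(value) is not None


def render_greeting_unsafe(name):
    # Mirrors the second example: input dropped straight into the HTML.
    return "<p>Hello " + name + "</p>"


def render_greeting_safe(name):
    # Escaping turns markup characters into entities before templating.
    return "<p>Hello " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input that alters the dynamic query
    print("dynamic:", lookup_dynamic(db, crafted))          # both rows
    print("parameterised:", lookup_parameterised(db, crafted))  # []
    print("valid email:", is_valid_email(crafted))          # False
    print(render_greeting_safe("<b>guest</b>"))
```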


Click here to learn more about the OWASP Top Ten, and how Xcalscan can help you identify and resolve them.
