Day 5: OWASP Top 10 2021 – #3 Injection

Injection Attacks. What is it?

When a command or query is used to inject unauthorized data into the interpreter via SQL, OS, NoSQL, or LDAP, injection vulnerabilities may be present. Through this attack vector, malicious data is inserted to deceive the interpreter into forcing the application to perform actions for which it was not intended, like issuing unexpected commands or gaining access to data without proper authorization.

Injection flaws occur when untrusted user data is sent to the web application as part of a command or query. Injection happens when a cyber attacker injects malicious data into a web application, handled in an unsafe way. The attacker’s malicious data can cause the web application to run unintended commands or access unauthorized information. Injection drops to third place on the OWASP Top 10 list. In this edition, cross-site scripting has been added to this category. SQL injections, Cross-Site Scripting (XSS), NoSQL injection, code injection, OS command injection, host header injection, and other types of injection attacks are among the most prevalent ones. These injection attacks target the following functionality

  • Structured Query Language (SQL) query
  • Operating System (OS) commands
  • XML path language (XPath) query
  • Lightweight Directory Access Protocol (LDAP) query

Injection attacks can affect any application that accepts parameters as input. The extent of the application’s input validation controls is closely associated with the threat level.

Scenario: the attacker modifies the ‘id’ parameter value in their browser to send: ‘ or ‘1’=’1. For example:

 http://example.com/app/accountView?id=' or '1'='1

This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify or delete data or even invoke stored procedures.

Remedy to Injection Vulnerability

Any combination of the following techniques can stop injection attacks:

  • To protect yourself against attacks that replace data with unwanted command execution, separate commands from data.
  • Instead of constructing the command only from the content of user input, code SQL queries using arguments. These are prepared statements or parameterized queries.
  • Use a secure API to completely do away with the interpreter.
  • Implement both a mechanism for detecting intrusions that detects suspicious client-side behavior and affirmative server-side validation.

In other to make the blogs short, I’ll include a link to the CWEs instead of listing them here.

CWEs List for Injection.

References To Get More Understanding of Injection
  • https://www.martellosecurity.com/kb/mitre/cwe/1347/
  • https://www.skillsoft.com/course/owasp-top-10-a032021-injection-da6f8a2d-795f-4c88-839e-08b63198dc5d
  • https://owasp.org/Top10/A03_2021-Injection/
  • https://portswigger.net/web-security/sql-injection

This will be all for the Day 5 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 

PS: This is not all about injection vulnerability. The fact is, I cannot talk of everything under injection in one blog post at a go, So I’ve split them up into multiple blog posts containing the top vulnerabilities under injection, which includes: SQL injections, Cross-Site Scripting (XSS), OS command injection, and other types of injection attacks.