Understanding OWASP Top 10: Injection

Last week, we started a new series of articles to help you understand the OWASP Top 10 vulnerabilities that every developer and business should be aware about.

Starting today, we’ll go in depth into each vulnerability to understand more on what it means and what can be done to be safe.

The most common vulnerability according to the OWASP Top 10 project is Injection.

What is Injection?

In simple words, an injection attack is one in which databases and other systems are vulnerable to such an extent that an attacker can inject malicious or untrusted data into the system. This occurs when untrusted data is sent to an interpreter as part of a command or query. Basically, the attacker’s data tricks the interpreter into executing commands without adequate authorization.

If this is not already troubling, the added trouble happens when this data can flow down to clients and end users too, thus inflicting damage through malware, viruses or other security problems.

Types of Injections

Depending on the type of database system, the programming language and other factors, there can be many different types of injections:

Injection Flaws include, but are not limited to:

  • LDAP Queries

  • SQL Queries

  • XPath Queries

  • Program Arguments

  • OS Commands

The fact that there are so many possibilities is itself a major reason why it is extremely difficult for developers and system admins to locate the exact point of injection.

Hence, it is crucial that you hire security experts who can understand the problem and create a valid action plan.

What are the Effects of an Injection Attack?

Like explained above, the attackers intent is obviously not a good one. A successful injection can result in a major loss of data apart from loss of goodwill and credibility. Loss of client information is the worst thing that can happen to a business.

Any business affected by an SQL Injection would need to take steps quickly to rectify the issue. Loss of personal data, financial information or other critical information can cause irreparable damage to a company’s reputation and The loss of personal data, financial information and other aspects can cause a great deal to harm a company’s reputation.

Are You Vulnerable to an Injection Attack?

The best way to know whether an application is vulnerable to injection is to check if the interpreter can clearly separate the untrusted data from the commands and queries.

An easy and fast way to do that would be to check the code. Many penetration testers, security analysts and tools like Appknox can help you detect these issues in a jiffy. Basically, what this does is create exploits that expose the vulnerability.

How Can You Prevent an Injection Attack?

As mentioned before, the major task is to keep untrusted data separate from commands and queries. Here are some things to keep in mind:

  • Preferably, use a safe API that avoids the use of an interpreter altogether or provides a parameterised interface. Be careful with using APIs as some can still introduce injection under the hood.

  • You should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines.

Make use of security tools to get a more holistic view of where you stand and devise an action plan accordingly.