OWASP Top Ten Most Critical Web Application Risks. #1: Injection Flaws

The Open Web Application Security Project (OWASP) releases a list of the top ten web application vulnerabilities each year. OWASP is a non-profit open community dedicated to helping organizations develop and maintain trustworthy web applications. The OWASP Top Ten represents the consensus opinion in the field about the most critical web application security flaws. Companies can perform web application vulnerability assessments to find out whether their applications contain any of the vulnerabilities in the Top Ten list. Miro will publish a series of blogs outlining the OWASP Top Ten list for 2010, starting with this blog, which deals with the risks posed by injection, such as the famous SQL Injection based attacks.

While the SQL Injection Flaw has acquired quite a bit of notoriety, an injection flaw could also be operating system or LDAP based. These types of flaws allow an attacker to send simple text-based data into the system as part of a command or query. The attacker tricks the database or operating system into executing malicious commands, or gains access to sensitive data.

The way to protect against injection attacks is to ensure that you separate untrusted data from any operating system commands or SQL queries. SQL statements can avoid the dynamic generation of queries by using bind variables. You can analyze your code to see how it is using interpreters and trace the flow of data through the application. Your application code must correctly use the specific escape syntax for special characters for any interpreters the application uses. Injection flaws are generally hard to detect, and a simple automated scan may or may not find the flaws. For critical applications, you can also have a penetration tester craft exploits that use SQL injection attacks, to confirm whether your code suffers from this vulnerability. A positive or “white list” validation is an additional strategy to minimize SQL injection flaws.
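The difference between a dynamically generated query and one that uses bind variables, together with a white list check for the one part of a statement that cannot be bound, is shown in the following added example (not code from the original post). The `users` table, its rows, and all function names are assumptions constructed for illustration, using Python's built-in `sqlite3` module.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def find_user_dynamic(db, name):
    # Weak form: untrusted text is concatenated into the statement, so the
    # SQL interpreter cannot tell the data apart from the query syntax.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_bound(db, name):
    # Corrected form: the statement text is fixed and the value is passed
    # separately as a bind variable, so it is only ever treated as data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Column names cannot be supplied as bind variables, so a value that selects
# one is checked against a white list of known-good names instead.
ALLOWED_SORT_COLUMNS = {"name", "email"}

def list_users_sorted(db, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return db.execute(
        f"SELECT name, email FROM users ORDER BY {sort_column}"
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    untrusted = "nobody' OR '1'='1"  # constructed input containing a quote
    print("dynamic:", find_user_dynamic(db, untrusted))  # every row comes back
    print("bound:  ", find_user_bound(db, untrusted))    # no row matches
    print("sorted: ", list_users_sorted(db, "email"))
```

With the same input, the concatenated query returns every row in the table while the bound query returns none, because the whole string is compared against the `name` column as a single value.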
