2021 OWASP Top Ten: Injection


2021 OWASP Top 10: Understanding Injection Risks

Overview of Injection Risk

  • John Wagner introduces the topic of the 2021 OWASP Top 10 list, focusing on injection risks, which have dropped to third place for the first time since 2003.
  • The decline in ranking is attributed to increased knowledge about injection vulnerabilities and more serious risks identified in the top two positions.

Types of Injection Attacks

  • While SQL injection is the most commonly discussed form, injection attacks cover a broader range, including LDAP and Object Graph Navigation Language (OGNL) injection.
  • Cross-site scripting (XSS) has been integrated into the injection risk category, meaning it will not appear separately on the 2021 list.

Vulnerability Factors

  • Applications are vulnerable to injections when user-supplied data is not properly validated, filtered, or sanitized.
  • Dynamic queries or non-parameterized calls that lack context-aware escaping expose the application to injection.

Example Scenario: SQL Injection

  • An example illustrates how an application using untrusted data in SQL calls can be exploited through malicious input.
  • A scenario is presented where a URL query parameter could allow an attacker to manipulate database queries by altering its value.

Consequences of Poor Input Handling

  • If user input directly influences SQL statements without proper sanitization, attackers can execute harmful commands against the database.

Understanding SQL Injection Attacks

Nature of SQL Injection Attacks

  • The process begins with the injection of a customer ID into an SQL statement, altering its intended function.
  • An attacker can manipulate the query by replacing actual values with conditions like "1 equals 1," which always evaluates to true.
  • This manipulation allows attackers to retrieve all account data from the database, posing significant security risks.
  • The core issue arises when user input is not validated or sanitized before being executed in a database command.

LDAP Injection Attacks

  • Similar to SQL injection, LDAP (Lightweight Directory Access Protocol) injection inserts attacker-controlled syntax into LDAP queries.
  • Attackers can extract sensitive information such as files and structures from an LDAP server using injected syntax.

Prevention Strategies for Injection Attacks

Best Practices for Mitigation

  • Keeping data separate from commands is crucial; utilizing safe APIs that avoid interpreters can enhance security.
  • Implementing parameterized interfaces and object-relational mapping (ORM) tools can help prevent injection vulnerabilities.

Input Validation Techniques

  • Employ positive server-side input validation to ensure only acceptable data formats are processed by the application.
  • For any remaining dynamic queries, escape special characters using the interpreter's own escape syntax to reduce the risk those characters introduce.

Limiting Exposure in Queries

  • Incorporating controls like "LIMIT" within SQL queries restricts the number of rows returned, limiting mass disclosure of records if an injection does succeed.
  • These strategies collectively aim to minimize exposure and safeguard against various forms of injection attacks.
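As an added example (not code from the video or from DevCentral), the customer-ID lookup from the walkthrough above written three ways against an in-memory SQLite table seeded with constructed sample rows: the dynamic query that returns every account once the ID is replaced by a "1 equals 1" condition, a parameterized version, and a hardened version that adds positive validation and a LIMIT as the prevention section recommends. The table and column names are assumptions.

```python
import sqlite3

# Constructed sample accounts for this demonstration (not data from the video).
ACCOUNTS = [(1, "alice", 120.50), (2, "bob", 3300.00), (3, "carol", 15.75)]

def make_db():
    """In-memory SQLite database seeded with the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn

def lookup_vulnerable(conn, cust_id):
    """Dynamic query: the untrusted value is concatenated into the SQL text, so the
    interpreter cannot distinguish data from command. Shown only to expose the flaw."""
    sql = "SELECT custID, owner, balance FROM accounts WHERE custID = " + cust_id
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, cust_id):
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    sql = "SELECT custID, owner, balance FROM accounts WHERE custID = ?"
    return conn.execute(sql, (cust_id,)).fetchall()

def lookup_hardened(conn, cust_id, limit=1):
    """Layered defence: positive validation (digits only), a bound parameter, and a
    LIMIT clause that caps how many rows one lookup can ever disclose."""
    if not cust_id.isdigit():
        raise ValueError("custID must be a positive integer")
    sql = "SELECT custID, owner, balance FROM accounts WHERE custID = ? LIMIT ?"
    return conn.execute(sql, (int(cust_id), limit)).fetchall()

def demo():
    """Run each lookup with a benign ID and with the '1 equals 1' tautology."""
    conn = make_db()
    benign, tautology = "2", "2 OR 1=1"
    results = {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),  # every row
        "parameterized_tautology": len(lookup_parameterized(conn, tautology)),  # no row
        "hardened_benign": lookup_hardened(conn, benign),
    }
    try:
        lookup_hardened(conn, tautology)
        results["hardened_tautology"] = "accepted"
    except ValueError:
        results["hardened_tautology"] = "rejected"
    return results
```

Calling `demo()` shows the dynamic query returning all three accounts for the tautology while the bound parameter matches nothing and the hardened lookup rejects the input before it reaches the database.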

Conclusion on Security Risks

Video description

Injection attacks move down from the #1 spot on the 2017 list to the #3 spot on the 2021 list. Injection attacks refer to a broad class of attack vectors (not just SQL). In an injection attack, an attacker sends untrusted input to an application. This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. Injections are among the oldest and most dangerous attacks aimed at web applications. They can lead to data theft, data loss, loss of data integrity, denial of service, as well as full system compromise. John explains it all in this video, so check it out!

#OWASPTOP10 Video 4 / 11

JOIN THE COMMUNITY! DevCentral is an online community of technical peers dedicated to learning, exchanging ideas, and solving problems - together. Find all our platform links below and follow our Community Evangelists!

  • DEVCENTRAL: https://community.f5.com
  • YOUTUBE: https://youtube.com/devcentral
  • LINKEDIN: https://www.linkedin.com/showcase/f5-devcentral/
  • TWITTER: https://twitter.com/devcentral

Your Community Evangelists:

  • Jason Rahm: https://www.linkedin.com/in/jrahm/ | https://twitter.com/jasonrahm
  • Buu Lam: https://www.linkedin.com/in/buulam/ | https://twitter.com/buulam
  • Aubrey King: https://www.linkedin.com/in/aubreyking | https://twitter.com/aubreykingf5