The Open-Source Web Application Security Project (OWASP) Top 10 is a well-known list in the application security testing market of the 10 biggest web vulnerabilities. Compiled by security experts from around the world and first published in 2004, the list is updated by the OWASP Foundation every three years. Over the years, much of the threats have remained the same, but with the evolution of the web new risks have made their debuts to the list.
Injection flaws have steadily moved up the list since 2004, starting in the sixth position, moving to second in 2007 and hitting the top spot in 2010 and 2013. Injection flaws are often found in SQL, LDAP, Xpath, or NoSQL queries; OS commands; XML parsers, SMTP headers, program arguments, etc. They send untrusted data to an interpreter as part of a command or query. The threatening data can cause the interpreter to perform inadvertent commands or access data without proper authorization.
Potential attackers could include external users, internal users or administrators – anyone with the ability to send malicious data to the system. Attackers are able to exploit the system by sending text-based messages, often in legacy code, that manipulate the syntax of the targeted interpreter.
An injection can be detrimental to an organization. If the malicious code penetrates the targeted interpreter, data can be lost, stolen, corrupted, modified, or deleted. It could also result in a lack of accountability or denied access to a system. Any of these outcomes could cause operational challenges for a company that in turn can negatively impact the bottom line and/or severely damage an organization’s reputation.
OWASP makes some recommendations to help organizations determine whether an application is vulnerable to injection flaws, including:
- Verify that all use of interpreters clearly separate untrusted data from the command or query.
- Check the code to determine if the application uses interpreters safely by using code analysis tools.
- Leverage automated dynamic scanning to gain insight into whether some exploitable injection flaws exist.
When inspecting the code, injection flaws are easy to identify; however, during testing, they are more difficult to discover. Attackers often use scanners and fuzzers to find injection flaws in their applications.
To keep unwanted data separate from commands and queries, OWASP suggests:
- Use a safe API to avoid the use of an interpreter altogether or offer an interface that has parameters.
- If the interface isn’t parameterized, avoid using special characters. OWASP’s ESAPI is a good resource to understand escaping routines.
- Positive or “white list” input validation is also recommended, but is not a complete defense as many applications require special characters in their input.
Code Dx offers the code analysis tools that organizations need to identify injection flaws and mitigate potential vulnerabilities. For more information on Code Dx, contact us at firstname.lastname@example.org or at (631) 759-3993.