OWASP Top 10: Injection Attacks

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to Web Application Security. The OWASP Top 10 is a standard awareness document representing a broad consensus about the top 10 critical security risks to web applications. Learn more about OWASP Top 10 through this series of short blog posts.

What is an Injection attack and how does it happen?

An injection attack is one of the most dangerous web application attacks. It is listed as A1:2017 in the OWASP Top 10 and mostly occurs due to insufficient user input validation.

An injection attack occurs due to a vulnerability in your application that allows an attacker to inject untrusted input into a program. An interpreter may then process that input as part of a command or query, which is thereby manipulated to execute what the attacker wants, deviating from the original flow. Injection attacks have many vectors, mainly SQL, NoSQL, OS, and LDAP injection.

Types of injection attacks

SQL Injection is the most common vector of an injection attack. This technique allows an adversary to insert arbitrary SQL commands into the input fields of a vulnerable page; the web application then sends them as part of a query to your back-end database, such as MySQL, PostgreSQL, or Oracle.

NoSQL Injection is another dangerous form of attack since it may lead to arbitrary code execution. Here the attackers inject code into commands for databases that don’t use SQL (like MongoDB), and the code is executed on the server in the language of the web application.

OS Injection is the kind of injection attack where the payload (malicious content) injected by the attacker is executed as OS commands. This happens only if the web application makes calls to the operating system using user input. The OS injection vulnerability by itself won’t lead to a full system compromise, since the commands execute at the privilege level of the particular web server that was attacked.

LDAP Injection is an attack vector which could reveal sensitive user information or modify information stored in the Lightweight Directory Access Protocol data stores. This kind of attack can result in potential manipulation of the LDAP statements performed on the LDAP server to either view, modify, or bypass authentication credentials.

Other injection attack vectors include XSS (arbitrary script injection), email header injection, XPath injection, Host header injection, etc.

How do injection attacks impact business?

Injection attacks can lead to major business disruptions since they can cause a variety of issues ranging from authentication bypass, sensitive data exposure, data loss, loss of data integrity, denial of service, account impersonation, email spamming, and defacement to full system compromise. The compromise of confidentiality can lead to loss of trust and reputation among clients. It calls the credibility and integrity of the organization into question, leading to business loss.

A successful injection can also let attackers gain unauthorized access to the database, view its tables, access sensitive information from them, and modify them; they can even gain administrative access, which can be highly devastating to a business.

Some organizations where injection attacks were identified

Many big organizations have fallen prey to injection attacks (even though those attacks could easily have been prevented if basic input sanitization had been practiced). Some of the big names include IBM, Cisco, D-link, US Govt Federal Deposit library, Amazon Alexa, Oracle, Get (Australia), Nagios-XI api etc.

How to prevent an injection attack?

  • Validating user inputs and always treating the input as untrusted

  • Limiting privileges

  • Hiding error messages

  • Using prepared statements (with parameterized queries)

  • Using stored procedures

  • Performing code evaluation to find vulnerabilities in the input fields, along with both static and dynamic analysis of the code

  • Keeping database credentials separate and encrypted

  • Disabling shell and other functionalities you don’t need

  • Always validating the input against a whitelist of permitted values and ensuring the input doesn’t contain any syntax
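
To make the prepared-statement and whitelist items above concrete, here is an added example (not code from the original post) that runs the same lookup once with string concatenation and once with a parameterized query. The table, the sample rows, and all function names are assumptions constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example (not from the original post).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def find_user_vulnerable(db, name):
    # Weak form: the input is concatenated into the SQL text, so the
    # database parses it as part of the query itself.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, name):
    # Prepared statement: the ? placeholder binds the input as data only,
    # so quotes and keywords inside it are never interpreted as SQL.
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Column names cannot be bound as parameters, so they are validated
# against a whitelist of permitted values before reaching the query.
SORTABLE_COLUMNS = {"name", "role"}

def list_users_sorted(db, sort_by):
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    return db.execute(
        f"SELECT name, role FROM users ORDER BY {sort_by}").fetchall()

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    return {
        "vulnerable": find_user_vulnerable(db, crafted),  # every row leaks
        "safe": find_user_safe(db, crafted),              # no such user
        "normal": find_user_safe(db, "bob"),              # ordinary lookup
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated query returns every row for the crafted input, while the parameterized query treats the same string as a literal user name and returns nothing.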

Interested in learning how to know if your organization is vulnerable to injection attacks? Drop us a note now at sales@siemba.io