OWASP Top 10: Injection – What it is and How to Protect Our Applications

Cyolo Team

Cyolo Team

What is an Injection? How is it Related to OWASP? 

Injection is a type of cyberattack type that transmits data to change the way commands are interpreted in the system. During an injection, an attacker will transmit malicious data to an interpreter. Most sources of data can be used for injection, including environment variables, parameters, web services, and user types.

Injection is an application risk listed in the OWASP Top 10 and is important to look out for. The OWASP Top 10 is a report that lists the most dangerous web application security vulnerabilities. It is updated on a regular basis to guarantee that the list always includes the top ten most serious threats to businesses. To guarantee that they reduce and mitigate the greatest security concerns, OWASP suggests that all firms adopt the document’s conclusions into their corporate processes.

What are the Risks of Injections? 

Injection can lead to data loss, corruption and breaches, and even loss of control and the revealing of sensitive information associated with the target host. A “successful” injection can also provide attackers with unauthorized access to the database, allowing them to examine tables, read critical information from them, edit them, and even acquire administrator access.

In 2007, hackers gained access to 7-eleven servers through an SQL injection. They were able to gain access to credit card numbers and transfer money to themselves. More recently, a new type of injection attack, RTF Template Injection, associated with state-sponsored threat actors from Russia, China and India has been made public.

Injection Types

The most prevalent injection attack types are SQL injection (SQLi) and cross-site Scripting (XSS), although they are not the only ones. Different types of injection attacks include:

1. SQL Injection

SQL injection is a web security flaw that allows the attacker to potentially change the SQL queries that are run against the database. This may be used to extract sensitive information such as database structure, tables, and columns, as well as their data set. SQL injections are one of the most dangerous online application vulnerabilities, and they’re always on the CWE Top 25 list of vulnerabilities: Improper Neutralization of Special Elements in a SQL Command (CWE-89).

2. Cross Site Scripting (XSS) 

Cross-Site Scripting (XSS) is an online application vulnerability that enables a third party to run a script in the user’s browser on behalf of the web application. Cross-site scripting is among the most common online vulnerabilities, according to OWASP 10 2021. XSS attacks can have major implications, such as redirecting users to a malicious website or collecting session cookies and gaining control of the user’s session.

3. OS Command Injection

OS Command Injection, also known as shell injection, is a vulnerability that allows an attacker to execute arbitrary commands on the server of a running application. The operating system runs the inserted arbitrary commands with the web server’s privileges. These command injection flaws by themselves do not result in a complete system breach, but attackers can use privilege escalation and other vulnerabilities to gain access through them.

4. LDAP Injection

LDAP (Lightweight Active Directory Protocol) is used for accessing and managing directory services on IP servers. LDAP is a client-server protocol that is used for authentication, resource management, and permission control, in addition to giving access to a directory database.When an attacker adds harmful statements into a query, the server receives malicious LDAP queries, which has security consequences. If an attacker is successful in the LDAP injection, the attacker will have access to unauthorized information and can modify the structure of LDAP.

5. CRLF Injection

CRLF, Carriage Return Linefeed, is a special sequence of characters utilized by HTTP protocol as a line separator. In a CRLF injection, the application returns the attacker’s CRLF sequence with adjacent data provided by the hacker as a form of header response. This attack is performed with web page hijacking along with relevant attacks.

6. Host Header Injection

A website or web application’s host header defines which website or web application should handle an incoming HTTP request. The value of this header is used by the web server to send the request to the specified website or online application. If the attacker sends an arbitrary host to the actual virtual host, this could result in  web-cache poisoning and execution of unauthorized operations like password reset.

7. Mail Command Injection

Mail Command Injection is a type of attack that targets mail servers and webmail apps that generate IMAP/SMTP statements from user-supplied data that hasn’t been properly filtered.The attacker will be able to directly contact the mail server if he has access to the port number where it is executing. Although email injection does not pose a direct threat to the web server owner, a susceptible contact form might be used to send spam or conduct phishing attacks.

How Can Injections Be Prevented?

Steps you can take to try and find injection vulnerabilities in your systems include:

  1. The simplest method is to go to your address bar in your browser, highlight a parameter and add single quote (‘). For example, highlight the value of “username=” and replace it with “username=”’. You can also insert the single quote inside the parameter value, as follows  “username=na’me”. If you see a bypassed field or a response with data, then you might be vulnerable.
  2. Use SQLMAP, an open source tool in Kali Linux. SQLMAP enables detection and reconnaissance of SQL Injection.
  3. For Cross Site Scripting, take your test script and paste it in the input button in your database. You will see exposed data in the JavaScript response in case of a vulnerability. 
  4. If your source code has syntax that enables making requests, like certain methods or XML or JSON parsers, your software might be vulnerable. Close up these vulnerabilities, like ” ‘ ” or bash commands.

Now let’s look at some best practices for how to prevent injection OWASP vulnerabilities:

1. Authorize Users

Injection attacks are often aimed at servers and software that are accessible to anybody on the internet. Application developers and server administrators share responsibilities for preventing these attacks. To prevent injections, it’s important to securely authorize users with methods like MFA, and audit systems on a regular basis.

2. Prevent File Uploading

Files can contain malicious software. Therefore, uploading of files containing macros and prohibited extensions should not be accepted. Check for File extensions and allow regular users to upload only permitted file extensions, such as PDF, CSV or txt.

3. Validate Data

Input validation ensures that only properly formatted input enters an information system’s process, preventing inaccurate and malicious data from remaining in the database. Developers validate data by comparing the data value against the defined set of rules and analyze information within required parameters. 

4. Use Parameterization

Always use prepared statements for compiling a query. This method helps distinguish the code from input data. Prepared statements that are used for compiling a query will limit variables on incoming SQL commands to avoid piggybacking the malicious injection by cybercriminals.

5. Review Configurations

Review which technologies your application uses and the available information on the abuse of such technologies. Outdated technologies could be vulnerable to attacks. Javascript and jquery plugins are examples of such vulnerable technologies.

Preventing Injections and Other OWASP Top 10 Attacks with Zero Trust

Zero Trust is a security model that is based on a strict identity verification process that restricts the network, application and environment of an organization without affecting the performance and user experience. The zero trust framework only allows authenticated and authorized users and devices to access applications and data. Any type of attack, including a code injection, will be detected as being outside of the typical range of behavior and will result in a warning or the application session being closed to prevent any unauthorized user or access to restricted resources. In addition, attackers will have no visibility into potential OWASP applicative vulnerabilities when the zero trust framework is implemented.

Read this short white paper to learn more about getting started with zero trust.

 

Subscribe to our Blog

Get the latest posts in your email

More Articles

Subscribe to our Blog

Subscribe to our Blog

Get the latest posts in your email