Top 10 2013-A1-Injection - OWASP

Overview

This article discusses the OWASP Top 10 2013-A1 Injection vulnerability. It provides an overview of this vulnerability, explains how to prevent it, and provides example attack scenarios. It also includes references for further reading.

Description

Injection flaws are a common security weakness in web applications, particularly in legacy code. These flaws occur when an application sends untrusted data to an interpreter. Injection flaws can be found in SQL, LDAP, Xpath, or NoSQL queries, OS commands, XML parsers, SMTP Headers, program arguments, and more. They are easy to discover when examining code, but difficult to discover via testing. Injection can result in data loss or corruption, lack of accountability, or denial of access. This article provides guidance on how to prevent injection vulnerabilities and includes example attack scenarios.

How to Prevent ?

Preventing injection vulnerabilities requires keeping untrusted data separate from commands and queries. The preferred option is to use a safe API that avoids the use of interpreters or provides a parameterized interface. If a parameterized API is not available, special characters should be carefully escaped using the specific escape syntax for that interpreter. Positive or 'white list' input validation is also recommended, but is not a complete defense. OWASP's ESAPI provides many useful escaping routines and white list input validation routines.

Example Attack Scenarios:

• Scenario 1: SQL Injection:  The application uses untrusted data in the construction of a vulnerable SQL call. The attacker modifies the 'id' parameter value to inject SQL code that changes the meaning of the query and retrieves all records from the accounts table.

• Scenario 2: Hibernate Query Language (HQL) Injection:  An application blindly trusts frameworks and constructs queries that are vulnerable to injection. The attacker modifies the 'id' parameter value to inject HQL code and retrieve sensitive data or modify the database.