Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.

OWASP Top 10 Application Security Risks – 2013
- A1: Injection
- A3: Cross-Site Scripting (XSS)
SQL Injection

SQL injection is a type of injection attack in which SQL syntax is inserted, or "injected", into data sent from the client to the application, so that it alters the execution of the application's predefined SQL commands. The root cause is that untrusted input is concatenated into the query text: the database interpreter cannot tell attacker-supplied syntax from the developer's query.

A successful SQL injection exploit can:
- Read sensitive data from the database
- Modify database data (INSERT/UPDATE/DELETE)
- Execute administration operations on the database (such as shutting down the DBMS)
- Recover the content of a given file present on the DBMS file system
- In some cases, issue commands to the operating system
Attacks

Injection can result in:
- Data loss or corruption
- Lack of accountability or denial of access
- Complete host takeover
- All data stolen, modified, or deleted
Preventions

Preventing injection requires keeping untrusted data separate from commands and queries.

Types of prevention:
1. Use a safe API that avoids the interpreter entirely or provides a parameterized interface (prepared statements with bound variables). This is the primary defense: the query structure is fixed before any user data is supplied, so the data can never change it.
2. Carefully escape special characters using the specific escape syntax for that interpreter. This is error-prone; a single value that is left unescaped, or escaped with the wrong rules, is enough to reopen the hole.
3. Positive or "white list" input validation. Useful as defense in depth, but not a complete defense on its own, since many applications must accept special characters in their input.
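The following is an added example, not code from the original page, showing the three preventions above side by side against a vulnerable login query. It uses Python's standard-library sqlite3 module and an in-memory database seeded with constructed rows; the table, users, and payloads are all made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demo; not from any real system.
USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation: the classic SQL injection bug.
    Attacker input becomes part of the SQL command instead of staying data."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(conn.execute(sql).fetchall())


def login_parameterized(conn, name, password):
    """Prevention 1: a parameterized interface. The SQL text and the values are
    sent separately, so quotes or comment markers in the input can never change
    the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return sorted(conn.execute(sql, (name, password)).fetchall())


def login_escaped(conn, name, password):
    """Prevention 2: escape the interpreter's special character. Inside a SQL
    string literal a single quote is escaped by doubling it. This only holds if
    every dynamic value is both quoted and escaped; parameters are safer."""
    def quote(s):
        return "'" + s.replace("'", "''") + "'"
    sql = ("SELECT name, role FROM users WHERE name = " + quote(name)
           + " AND password = " + quote(password))
    return sorted(conn.execute(sql).fetchall())


# Prevention 3: positive validation for a field whose format is known.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_whitelisted(conn, name, password):
    """Whitelist the username only. Passwords legitimately contain special
    characters, so validation cannot protect that field; the query therefore
    still uses parameters. Raises ValueError on a rejected username."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username contains characters outside the allowed set")
    return login_parameterized(conn, name, password)


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"   # makes the WHERE clause true for every row
COMMENT = "alice'--"        # comments out the password check entirely


def demo():
    conn = make_db()
    return {
        "vulnerable_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "vulnerable_comment": login_vulnerable(conn, COMMENT, "wrong"),
        "parameterized": login_parameterized(conn, "alice", TAUTOLOGY),
        "escaped": login_escaped(conn, "alice", TAUTOLOGY),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:24s} -> {rows}")
```

Against the concatenated query the tautology payload returns every user and the comment payload logs in as alice with a wrong password; the parameterized and escaped versions return no rows for the same input, because the payload is treated as a literal password string.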
Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. The browser then runs the attacker's content as part of the page, inside the victim's session and origin.

XSS allows attackers to:
- Execute scripts in the victim's browser, which can hijack user sessions
- Deface web sites
- Redirect the user to malicious sites
Attacks

Attackers can execute scripts in a victim's browser to:
- Hijack user sessions
- Deface web sites
- Insert hostile content
- Redirect users
- Hijack the user's browser using malware
Preventions

Preventing XSS requires keeping untrusted data separate from active browser content.

Types of prevention:
1. Encoding – Escaping untrusted data for the context it is written into (HTML body, attribute, JavaScript, URL) at the moment it is placed in the page, so the browser treats it as text rather than markup. This is the primary defense.
2. Whitelisting – Only allow certain characters (e.g. A-Z and 0-9) to be entered. Works for fields with a fixed format, not for free text.
3. Blacklisting – Rejecting input that contains known dangerous sequences. The weakest of the three: attackers routinely find tags, event attributes, and encodings that the list does not cover, so it must not be relied on alone.
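The following is an added example, not code from the original page, demonstrating the three XSS preventions above against constructed attacker payloads. It uses Python's standard-library html.escape for output encoding; the page template, field names, and payloads are assumptions made for the demo.

```python
import html
import re

# Constructed attacker inputs, not taken from any real incident.
SCRIPT_TAG = "<script>alert(document.cookie)</script>"
ATTR_BREAKOUT = '"><img src=x onerror="alert(1)">'
MIXED_CASE = "<ScRiPt>alert(1)</ScRiPt>"


def render_vulnerable(comment):
    """Untrusted data dropped straight into HTML: the flaw the page describes.
    The browser parses the payload as markup and executes it."""
    return '<p class="comment">' + comment + "</p>"


def encode_for_html(value):
    """Prevention 1: output encoding for the HTML body and attribute contexts.
    &, <, >, " and ' become entities, so nothing in the value can open a tag or
    close the attribute it sits in. JavaScript and URL contexts need their own
    encoders; this one is not sufficient there."""
    return html.escape(value, quote=True)


def render_encoded(comment, title):
    """Same template as render_vulnerable, with encoding applied at the point
    the untrusted data is written into the page."""
    return ('<p class="comment" title="' + encode_for_html(title) + '">'
            + encode_for_html(comment) + "</p>")


# Prevention 2: whitelist for a field whose alphabet is fixed.
USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,20}")


def username_ok(name):
    """True only for usernames made of A-Z, a-z, 0-9. Not usable for free-text
    fields such as comments, which is why encoding is still required."""
    return USERNAME_RE.fullmatch(name) is not None


# Prevention 3: a blacklist of the kind the page lists. Deliberately typical
# of real-world filters, so that its weakness shows up in the demo.
BLACKLIST = re.compile(r"<script", re.IGNORECASE)


def blacklist_ok(text):
    """True if the text passes the blacklist. A payload that passes is NOT
    safe; see the attribute-breakout case below."""
    return BLACKLIST.search(text) is None


def contains_raw_markup(encoded_value):
    """Checks an encoded value for characters that could still start markup.
    Used to show that encoding neutralizes every payload."""
    return any(c in encoded_value for c in "<>\"'")


def demo():
    return {
        "vulnerable": render_vulnerable(SCRIPT_TAG),
        "encoded": render_encoded(SCRIPT_TAG, ATTR_BREAKOUT),
        "blacklist_stops_script_tag": not blacklist_ok(MIXED_CASE),
        "blacklist_misses_img_onerror": blacklist_ok(ATTR_BREAKOUT),
        "whitelist_rejects_payload": not username_ok(SCRIPT_TAG),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:30s} -> {value}")
```

The blacklist catches the script tag (even in mixed case) but passes the attribute breakout with an onerror handler, which executes just as well; the encoder turns every payload into inert text regardless of its form, and the whitelist is only applicable to the username field.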