search
GitHub PortfolioTwitter/XMediumCont@ct

3️⃣3. Injection

https://owasp.org/Top10/A03_2021-Injection/

LogoA03 Injection - OWASP Top 10:2021owasp.orgchevron-right

hashtag
Description

An application is vulnerable to attack when:

  • User-supplied data is not validated, filtered, or sanitized by the application.

  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.

  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.

Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. Source code review is the best method of detecting if applications are vulnerable to injections. Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs is strongly encouraged. Organizations can include static (SAST), dynamic (DAST), and interactive (IAST) application security testing tools into the CI/CD pipeline to identify introduced injection flaws before production deployment.

hashtag
THM Lab

hashtag
Task 10 - Command Injection

hashtag
10.1 - What strange text file is in the website's root directory?

circle-info

hashtag
10.2 - How many non-root/non-service/non-daemon users are there?

circle-info

hashtag
10.3 - What user is this app running as?

circle-info

hashtag
10.4 - What is the user's shell set as?

circle-info

hashtag
10.5 - What version of Alpine Linux is running?

circle-info

chevron-rightFlag Task 10.5hashtag

Previous2. Cryptographic FailuresNext4. Insecure Design

Last updated