OWASP Top Ten Most Critical Web Application Risks. #1: Injection Flaws

The Open Web Application Security Project (OWASP) releases a list of the top ten web application vulnerabilities each year. OWASP is a non-profit open community dedicated to helping organizations develop and maintain trusty worthy web applications. The OWASP Top Ten represents the consensus option in the field about the most critical web application security flaws. Companies can perform web application vulnerability assessments to ensure they can find if those applications contain any of the vulnerabilities in the Top Ten list. Miro will publish a series of blogs outlining the OWASP Top Ten list for 2010, starting with this blog, which deals with the risks posed by injection, such as the famous SQL Injection based attacks.

While the SQL Injection Flaw has acquired quite a bit of notoriety, an injection flaw could also be operating system or LDAP based. These types of flaws allow an attacker to send simple text based data into the system as part of a command or query. The attacker tricks the database or operating system into executing malicious commands or gains access to sensitive data.

The way to protect against injection attacks is to ensure that you separate untrusted data from any operating system commands or SQL queries. SQL statement can avoid the dynamic generation of queries by using bind variables. You can analyze your code to see how it is using interpreters and trace the flow of data through the application. Your application code must correctly use the specific escape syntax for special characters for any interpreters the application uses. Injection flaws are generally hard to detect and a simple automated scan may or may not find the flaws. For critical applications, you can also have a penetration tester craft exploits that use SQL injection attacks, to confirm whether you r code suffers from this vulnerability. A positive or “white list” validation is an additional strategy to minimize SQL injection flaws.

Leave a Comment

Your email address will not be published. Required fields are marked *


Contact Us

If you have an urgent question regarding your software licensing or a software audit, please contact Miro right away.

(732)738–8511 x1208
Use the chat box on the right

About Us

Miro is a leading global provider of software asset management services, specializing in license management, audit advisory, negotiation tactics, support management, and cloud services. We help our clients maximize ROI on their software license investments, stay in compliance, and minimize the impact of audits. Miro's performance guarantee promises that our long-tenured, diverse, and passionate team of expert analysts provides insightful and actionable advice to help our clients achieve the best possible outcomes.