Word Notes 12.7.21
Ep 79 | 12.7.21

OWASP injection (noun)


Rick Howard: The word is: OWASP injection 

Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, and injection as in introducing code inappropriately.  

Rick Howard: Definition: A broad class of attack vectors, where an attacker supplies input to an application's command interpreter that results in unanticipated functionality.

Rick Howard: Example sentence: Injection attacks are amongst the oldest and most dangerous hacks aimed at web applications.  

Rick Howard: Origin and context: Dave Wickers and Jeff Williams, working for Aspect Security, a software consultancy company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.

Rick Howard: Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock, dedicated to enabling organizations to develop, purchase and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide.  

Rick Howard: In the OWASP 2021 Top 10 vulnerabilities list, injection is number three, and the main weakness that hackers leverage is the developer's insufficient validation of user input. By sending applications data that the developer didn't plan for, hackers can retrieve sensitive information or compromise the application altogether.

Rick Howard: Probably the most well-known injection attack is SQL injection, but there are several others that include Object Relational Mapping, OS command, and Object Graph Navigation Library injections. According to OWASP, "Many organizations have poorly thought through security controls in place to prevent injection attacks. Vague recommendations for input validation, and output encoding are not going to prevent these flaws." They recommend that the specific design goal should be making injections impossible. But that's way easier to say than to do.

Rick Howard: Developers have to understand the nuances involved in application data flow, command parsing, context, and escaping out of bad situations. With all of that in mind, the overall design parameter is keeping data separate from commands and queries. For mitigation, OWASP recommends building an automation framework that can test user input before code goes into production. There are also many security vendors who sell scanning products that can identify the most egregious and obvious injection issues in your code. 

Rick Howard: Nerd reference: At the APPSEC California 2018 conference, Justin Collins, the CEO of Brakeman, explains what injection is.

Justin Collins: So this is, I think my definition, maybe someone else has said this, but this is my succinct definition.  

Justin Collins: It's when we have data that gets interpreted as code. We have values that should be data and you should not be executing data. Instead it happens. And then we have an injection vulnerability and that data could be things like query parameters, values from a form. They could be values that come in as header values, files that are uploaded, stuff that comes out of the database. 

Justin Collins: These are all things that should be data. And somehow they get interpreted as code instead, as SQL or HTML or JavaScript or CSS or bash or a specific programming language. That's when we get an injection vulnerability.

Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.