30 Jan 2023
OWASP Open Web Application Security Project
Started this room on the 28th, but the first two lessons were intro and I had bigger fish to fry, so I did the answers for the first two tasks without notes to keep my streack going. 61 days of hacking, 51 days of blogging.
OWASP Top 10 is a standard awareness document for developers and webb application security. It represents a broad consensus about the most critical security risks to webb applications. This room was launched in July 2020, and the Top 10 was reordered and adjusted in 2021. Adjustments can be seen here https://owasp.org/Top10/. All my notes are based on the room, so there will be loads of things not in the right place for the current list.
Injection flaws occur because user controlled input is interpreted as actual commands or paramets by the application. Attacks depend on technology used and how those technologies interpret the input. Common injection examples are:
SQL injection can result in an attacker accessing, modifying, or deleting information in a DB, allowing theft of potentially sensitive information such as personal data and credentials. Command injection can also allow data theft, but can also allow attacks on infrastructure linked to the server on which the command is executed. The main defence for both is making sure user input can’t be interpreted as queries or commands. This can be accomplished by:
Dangerous characters or input is classified as any input that can change how the underlying data is processed. Allow lists can be built manually, but don’t have to be. Various libraries exist to perform filtering functions (this part was covered in part of AoC2023).