
According to the OWASP Top 10 2017 (https://www.owasp.org/index.php/Top_10-2017_Top_10), Injection flaws are ranked as the number one (A1) web application security risk.

 

Injection attacks can be devastating to your business, both technically and commercially. Injection can result in data loss, corruption or disclosure to unauthorized parties, loss of accountability, or denial of access, and it can sometimes lead to complete host takeover. Once an injection attack has taken place you can no longer trust your data: it may have been corrupted, or access to it may have been denied.

 

Eliminating any opportunities for an attacker to take advantage of injection flaws should be a top concern for your business because of the high impact an attack could have on critical business data.

 

Do I need to be a security specialist to prevent injection attacks?

The short answer is no. You don't need to be an expert to protect yourself against injection attacks.

Kiuwan assists you in answering these fundamental questions:

  1. Does my app have injection vulnerabilities? Which ones and where?
  2. How can I remediate them?
  3. After fixing my code, have those vulnerabilities been fixed? Did I introduce new ones?

 

The aim of this guide is to provide some basic knowledge of Injection attacks and how you can defend against them.

We will cover the basics of injection, and hopefully you will be able to understand how injection attacks work, and how to remediate those vulnerabilities.

 

But first of all, you should assess how vulnerable your application is. In other words, locate the “open doors” where an injection attack might succeed.

You could use a DAST approach: attack your running application looking for "injection points", then block any "malicious" request addressed to the vulnerable points you found. This is what we might call a "symptomatic approach": detect the symptoms (the exploitable behaviour) and add a mechanism to avoid their consequences, basically by blocking requests that match specific injection patterns. Keep in mind that such pattern blocking is only as good as its patterns: an attacker who varies the payload (different syntax, encoding or comments) can often slip past it while the vulnerable code stays in place.

Alternatively, a SAST approach (such as Kiuwan's) is "etiological", that is, based on the study of the underlying causes: symptoms are only the surface of the problem; root causes must be detected and fixed at their origin, in the source code.

 

Know your enemy! The more you know about how it works, the better you will be able to defend against it.

If you clearly understand how injection works, fixing it will not be complicated. You will see that once a door is open (i.e. an injection point exists) it is only a matter of the attacker's imagination how to take advantage of it.
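The following is an added example, not code from the Kiuwan guide, illustrating both the "injection point" described above and the difference between the symptomatic and the etiological fix discussed earlier. It uses an in-memory SQLite database with constructed accounts; `vulnerable_login` concatenates user input into SQL (the injection point), `filtered_login` adds a hypothetical pattern filter standing in for request blocking (the symptomatic fix), and `safe_login` removes the injection point with a parameterized query (the root-cause fix). The filter, table and payloads are all assumptions made for the demonstration.

```python
"""Added example (not part of the Kiuwan guide): one injection point shown
three ways.  The database, accounts, filter pattern and payloads are all
constructed for this demonstration."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # In-memory SQLite database with two constructed accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def vulnerable_login(conn, name: str, pw: str) -> list:
    # Injection point: untrusted input becomes part of the SQL *text*, so the
    # attacker controls the structure of the query, not just its values.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))


# Hypothetical "symptomatic" fix: block requests containing a known injection
# pattern (the classic quote-OR-quote tautology).  The vulnerable code stays.
BLOCK_PATTERN = re.compile(r"'\s*or\s*'", re.IGNORECASE)


def filtered_login(conn, name: str, pw: str) -> list:
    if BLOCK_PATTERN.search(name) or BLOCK_PATTERN.search(pw):
        return []  # request blocked, but the injection point still exists
    return vulnerable_login(conn, name, pw)


def safe_login(conn, name: str, pw: str) -> list:
    # Root-cause fix: a parameterized query.  The SQL text is fixed and the
    # inputs are bound as values, so they can never alter the statement.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))


def demo() -> dict:
    """Run the same two payloads against all three variants."""
    conn = make_db()
    tautology = "' OR '1'='1"     # matched by the filter
    variant = "' OR 1=1 OR '"     # same effect, different shape: not matched
    return {
        "vuln_tautology": vulnerable_login(conn, "x", tautology),
        "vuln_variant": vulnerable_login(conn, "x", variant),
        "filter_tautology": filtered_login(conn, "x", tautology),
        "filter_variant": filtered_login(conn, "x", variant),
        "safe_tautology": safe_login(conn, "x", tautology),
        "safe_variant": safe_login(conn, "x", variant),
        "safe_legit": safe_login(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:17s} -> {result}")
```

Running `demo()` shows the point of the two approaches: both payloads log in as every user through `vulnerable_login`; the filter stops the first payload but the second walks straight through, because the door is still open; the parameterized query returns no rows for either payload and still works for the legitimate credentials.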

 

You can use Kiuwan to detect injection vulnerabilities in your source code, and it will provide you with remediation action plans. But the more you know about how injection works, the better you will be able to weigh the different remediation options, define an action plan to defend against these attacks, and roll out prevention measures.

Consequently, you must first be aware of all the injection points (or injection vulnerabilities) of your app.

 

Kiuwan will help you by scanning your source code for all those injection points.

It will show you their root causes, provide remediation clues and let you assess how effective your remediation has been.
