A8: Injection

Video Transcription
Hey, everyone, welcome back to the course. So in this video, we're going to go over item eight on the OWASP API Security Top 10 list, which is injection. If you're familiar with the OWASP Top 10 for vulnerabilities, you'll know that injection attacks are, at least as of the 2017 list, the number one vulnerability out there.

So we're going to talk about what injection attacks are, basically, what is an injection attack when we think of APIs. We'll also talk about ways to prevent or mitigate against it.

So what are injection attacks? Well, I think the most common ones are probably going to be SQL injection attacks or OS or command injection attacks. And basically, this is when an attacker makes an API call that includes commands that are basically blindly executed, for lack of better words, by the API or the back end, right? So not just the API, but also the back end. So that's where, for example, an attacker might send a SQL injection command that causes your database to dump all the data for them.

So an example of this was a few years ago: the Samsung SmartThings Hub video-core. There was a parsing SQL injection vulnerability for that. So basically there was a JSON injection vulnerability. It existed in what was called the credentials handler of the video-core process. So what happened is video-core would process a query, well, basically would incorrectly parse the user-controlled payload. And that led to that injection type of attack, which then led to the SQL injection attack. So basically, all that being said, an attacker could send HTTP requests to then trigger that vulnerability and get information back from your database.

So how can we prevent against this? Well, number one, validating, filtering, and sanitizing all the data that's coming through, making sure it's actually a legitimate request. We can also define input data schemas, types, and basically what information we're going to allow, and then enforce that at run time. And then we can define, limit, and also enforce API outputs to prevent these data leaks.

So in this video, we just talked about what injection attacks are. We also talked about ways to mitigate them.
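The following is an added illustration, not part of the course video or any Samsung code: a small API lookup handler written twice against a constructed in-memory SQLite table. The first version splices a JSON field straight into a SQL statement, which is the "blindly executed by the back end" pattern the video describes. The second version applies the three mitigations in the order the video gives them: validate the request against a declared input schema (allowed fields, expected type, allowed characters), pass the value as a bound parameter so the database never interprets it as SQL, and restrict the output to the fields and record count the API contract allows. All names, the table layout and the sample rows are assumptions made for this example.

```python
import json
import re
import sqlite3


def make_db():
    """Constructed in-memory store standing in for the API's back-end database (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_user_vulnerable(conn, body):
    """The flawed pattern: a JSON field is pasted into SQL and executed as-is.

    Whatever the caller puts in "username" becomes part of the statement,
    so the back end executes the caller's SQL, not just the API's.
    """
    data = json.loads(body)
    query = "SELECT username, email FROM users WHERE username = '%s'" % data["username"]
    return conn.execute(query).fetchall()


# Input schema for this endpoint (hypothetical): exactly one field, a short
# lowercase identifier. Anything else is rejected before it reaches the database.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")
ALLOWED_FIELDS = {"username"}


def validate_request(body):
    """Enforce the declared input schema at run time; raise ValueError on any deviation."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("request body must be a JSON object")
    extra = set(data) - ALLOWED_FIELDS
    if extra:
        raise ValueError("unexpected fields: %s" % sorted(extra))
    username = data.get("username")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("username does not match schema")
    return {"username": username}


def lookup_user_hardened(conn, body):
    """Validated input, parameterised query, and a restricted output shape."""
    data = validate_request(body)
    # The placeholder keeps the value as data; the driver never builds SQL text from it.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (data["username"],)
    ).fetchall()
    # Output contract: at most one record, and only the field the API is defined to return
    # (email stays in the database), which limits what a successful probe could leak.
    return [{"username": username} for (username,) in rows[:1]]
```

Run the two handlers against the same request bodies: a well-formed `{"username": "alice"}` returns one row from both, while a body whose username carries a stray quote makes the vulnerable handler return every row and makes the hardened handler reject the request at validation, before any SQL is built.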