A8: Injection

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Sign up with Google
Sign up with Apple
Sign up with Microsoft
View all SSO options

Already have an account? Sign In »

Introduction to the OWASP API Security Top 10
Course
Time
1 hour 43 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
00:01
Hey, everyone, welcome back to the core. So in this video, where to go over Item eight on the A, West by P. A p i security top 10 list, which is injection. If you're familiar with the OAS top 10 for vulnerabilities. You'll know that injection attacks are at least as of 27 teens list the number one vulnerability out there.
00:20
So we're gonna talk about what our injection attacks in. Basically, what is injection attack? When we think of AP eyes, we'll also talk about ways to prevent or mitigate against it.
00:31
So what are injection attacks? We'll think the most common ones are probably gonna be sequel injection attacks or OS or command injection attacks. And basically, this is when an attacker makes an A P. I call that includes commands that are basically blindly executed for lack of better words by the A. P i or the
00:50
the back end, right, So not just the FBI, but also the backend. So that's where I, for example, is an attacker might send a sequel injection command
00:57
that causes your database to dump all the data for me.
01:03
So an example of this was a few years ago. The Samsung Smart things have video. There was a parsing SQL injection vulnerability for that. So basically there was a Jason injection vulnerability. It existed in what was called the credentials handler of the video core
01:21
s. So what happened is a video core would process inquiry Well, basically would incorrectly parse the user controlled payload.
01:30
And that led to that injection top of attack, which then led to the sequel injection attack.
01:34
So basically, all that being said, an attacker could send http request to then trigger that vulnerability and get information back from your database.
01:46
So how can we prevent against this?
01:49
Well, number one validating, filtering, sanitizing all that data is coming through, making sure it's actually legitimate request.
01:59
We can also
02:00
define input for the data Oshima's type And basically, what information are we going to allow and then enforce that at run time?
02:10
And then we can define limit and also enforce a P I outputs to prevent these data leaks.
02:16
So in this video, we just talked about what injection attacks are. We also talked about ways to mitigate them
Up Next
View All
Instructed By
Ken Underhill

Ken Underhill

Senior Instructor
Similar Content
Introduction To OWASP Top Ten: A6 - Security Misconfiguration - Scored
Virtual Lab
Introduction To OWASP Top Ten: A6 - Security Misconfiguration - Scored
3.75
This module for the Introduction to OWASP Top Ten Module covers A6: Security Misconfiguration.
Introduction To OWASP Top Ten: A1 - Injection - Scored
Virtual Lab
Introduction To OWASP Top Ten: A1 - Injection - Scored
4.42
This module for the Introduction to OWASP Top Ten Module covers A1: Injection.
Introduction To OWASP Top Ten: A2 - Broken Authentication - Scored
Virtual Lab
Introduction To OWASP Top Ten: A2 - Broken Authentication - Scored
4.11
This module for the Introduction to OWASP Top Ten Module covers A2: Broken Authentication.