Time
1 hour 43 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:01
Hey, everyone, welcome back to the course. So in this video, we're going to go over item eight on the OWASP API Security Top 10 list, which is injection. If you're familiar with the OWASP Top 10 for vulnerabilities, you'll know that injection attacks are, at least as of the 2017 list, the number one vulnerability out there.
00:20
So we're going to talk about what injection attacks are. Basically, what is an injection attack when we think of APIs? We'll also talk about ways to prevent or mitigate against it.
00:31
So what are injection attacks? Well, I think the most common ones are probably going to be SQL injection attacks or OS or command injection attacks. And basically, this is when an attacker makes an API call that includes commands that are basically blindly executed, for lack of better words, by the API or the
00:50
the back end, right? So not just the API, but also the back end. So that's where, for example, an attacker might send a SQL injection command
00:57
that causes your database to dump all the data for them.
01:03
So an example of this was a few years ago: the Samsung SmartThings Hub video core. There was a parsing SQL injection vulnerability for that. So basically there was a JSON injection vulnerability. It existed in what was called the credentials handler of the video core.
01:21
So what happened is the video core would process a query, well, basically, would incorrectly parse the user-controlled payload.
01:30
And that led to that injection type of attack, which then led to the SQL injection attack.
01:34
So basically, all that being said, an attacker could send an HTTP request to then trigger that vulnerability and get information back from your database.
01:46
So how can we prevent against this?
01:49
Well, number one, validating, filtering, and sanitizing all the data that is coming through, making sure it's actually a legitimate request.
01:59
We can also
02:00
define input data schemas and types, and basically what information we are going to allow, and then enforce that at run time.
02:10
And then we can define, limit, and also enforce API outputs to prevent these data leaks.
02:16
So in this video, we just talked about what injection attacks are. We also talked about ways to mitigate them.
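The three mitigations from the video, as an added example that is not part of the video or Cybrary's material: a constructed Python API handler with a vulnerable lookup beside a hardened one (strict input schema enforced at run time, parameterized query, and a limited output field list). The users table, its columns and the username pattern are assumptions made for this demo.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the API's back end (not the page's own code).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", "hash-a"),
        (2, "bob", "bob@example.com", "hash-b"),
    ])
    return db

# Vulnerable handler: the client-supplied username is concatenated straight into the SQL
# text, so the back end blindly executes whatever the request carried. It also returns
# every column, including the password hash, to the caller.
def lookup_user_vulnerable(db, username):
    sql = "SELECT * FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

# Hardened handler following the video's mitigations:
# 1) validate the input against a strict schema (type + pattern) before it is used;
# 2) pass the value as a bound parameter, never as part of the SQL text;
# 3) define and limit the output so internal fields never leave the API.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # assumed input schema for this example
OUTPUT_FIELDS = ("id", "username")                # assumed output allow-list

def lookup_user_hardened(db, username):
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input schema")
    rows = db.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [dict(zip(OUTPUT_FIELDS, row)) for row in rows]

# Returns True when the hardened handler refuses a value, for quick checks in a test.
def is_rejected(db, username):
    try:
        lookup_user_hardened(db, username)
    except ValueError:
        return True
    return False
```

Feeding the classic tautology `' OR '1'='1` to the vulnerable handler returns every row with every column; the hardened handler rejects it at the schema check, and even a value that passed the pattern could only ever be compared as data because of the bound parameter.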

Up Next

Introduction to the OWASP API Security Top 10

The Introduction to the OWASP API Security Top 10 course will teach students why API security is needed. Students will get a brief refresher on the CIA triad and AAA, then move into learning about the OWASP Top 10 from an API security perspective.

Instructed By

Ken Underhill
Master Instructor at Cybrary