Overview: Injection Flaws

Difficulty
Intermediate
Video Transcription
Let's talk about number 3 of the OWASP Top 10 2021, injection. Our learning objectives are to describe the changes from OWASP Top 10 2017 to 2021 and explain the CWEs that make up injection.

What changed from 2017 to 2021? We can go back even further. We can go back all the way to 2007, where injection was number 1 of the OWASP Top 10, and it has remained in that position this whole time until 2021, when it was knocked down to the number three position. That's a big deal. As I talked about in the introduction, we have a whole lot more CWEs now. Instead of there only being four CWEs mapped to injection, we now have 33. The other big thing is cross-site scripting, which had its own category in 2017, is now part of injection. Cross-site scripting is injection, so it makes sense to me.

What are the factors? Let's compare the factors from broken access control, which is number 1, with injection. They have about the same number of CWEs mapped to them. Injection has 33, whereas broken access control has 34. If we look at the max incident rate though, it's a lot higher with broken access control. The max incident rate is about 56 percent, whereas with injection it's about 19 percent. The other big thing is that the average weighted exploitability and impact is higher with injection. The average weighted exploit is 7.25 here, whereas with broken access control it's 6.92, and the impact is 5.93 with broken access control, whereas with injection it's 7.15. There's more severe exploitability and impact with injection. The other thing is what makes broken access control the number 1 is there's more occurrences. There's a little over 318,000 total occurrences of broken access control, whereas with injection it's about 274,000. The other thing is the total CVEs mapped to broken access control are 19,000, whereas with injection we have a lot more at 32,000.

There are a lot of CWEs. What I wanted to highlight were the four that OWASP had called out in 2017. Now you can see there's a whole lot more. They're almost chronological. You have 74, 75, 77, 78. They're basically taking everything that has anything to do with injection and throwing it into this category. Command injection, which we'll talk about later, was one of the ones in 2017. You can see that 78 is very similar to that: improper neutralization of special elements used in an OS command, OS command injection. Very minute, very small changes between CWEs, but now they've thrown everything into this. You can also see cross-site scripting is now in here, CWE-80 and CWE-87. We can also see that SQL injection was there before, CWE-89 was in 2017, and it's still there in 2021 along with a whole bunch of other injections. [inaudible] injection was talked about in 2017, and as you can see, it's still here in 2021.

I wanted to highlight this deprecated CWE-100. I'm really not sure why OWASP included that, unless in their data aggregation some people had mapped CWE-100 to whatever was found. It's interesting to me that they would keep a CWE that's deprecated, but I wanted to call that out as you look through this list of all the CWEs mapped to injection. Again, CWE-564 was in 2017 and is still here in 2021 along with a whole bunch of other CWEs. We're rounding the corner here at our 33rd, which is CWE-917, improper neutralization of special elements used in an expression language statement. Expression language injection is there again now in 2021.

From a very high level, what is an injection attack? Let's say that you come across a web form that asks you for your contact information on a website. If you enter your name, your address, your phone number and email and things like that, it is processed by an underlying back-end database. Now let's say that data is processed in an unsafe way where input is not sanitized. You can enter raw SQL queries into that form and interact directly with the database. What does that mean? That means, if we're sticking with the contact information, if you want to use something like sqlmap and you see it's vulnerable, you can then enumerate the underlying databases. You can also find things like usernames and passwords depending on what information is in the database. Maybe there's a way to log in to this application and you're able to find admin credentials and things like that.

The other dangerous thing: I like to talk a lot about impact. The impact is really important when we're talking to our stakeholders. As for the impact from injection vulnerabilities, if we're talking about SQL injection here specifically, it is again enumerating the underlying database, but also being able to interact with it. I can modify data, I can delete data, I can even put a shell. If I can write data into the database, maybe I can create a web shell and then get onto the server itself. You can do that also with things like command injection. You can get on the server and do a whole bunch of malicious things depending on the permissions that you have. That's why injection is such a serious vulnerability: the impact and exploitability are so high because you can get onto the server and interact directly with the database, with the server, and cause a bunch of damage.

In summary, I've explained the changes from OWASP Top 10 2017 and even before that, because injection has been around for quite some time, having the number 1 seat in the OWASP Top 10 and now dropping down to number 3 in 2021. I've also described the CWEs that now make up injection.
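The contact-form scenario in the transcript, as an added example that is not part of the original video: the unsafe lookup splices the form field straight into the SQL text (CWE-89), while the hardened lookup binds it as a parameter. The `contacts` table, the sample rows and the function names are constructed for this illustration. Run over the same inputs, it shows that the concatenated query changes structure when the input contains a quote, and also that the unsafe version breaks on a perfectly legitimate name such as O'Brien, whereas the parameterized query treats every input as data.

```python
import sqlite3

# Constructed sample data: a tiny in-memory "contacts" table standing in for
# the back-end database behind the web form described in the video.
SAMPLE_CONTACTS = [
    ("alice", "alice@example.com", "555-0100"),
    ("bob", "bob@example.com", "555-0101"),
    ("carol", "carol@example.com", "555-0102"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the sample contacts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Unsafe: the form field is spliced into the SQL text, so the user
    controls part of the query itself (CWE-89). Kept here only to contrast
    with the parameterized version below."""
    query = f"SELECT name, email, phone FROM contacts WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the value travels as a bound parameter and is never parsed as SQL."""
    query = "SELECT name, email, phone FROM contacts WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = build_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, name)),
            "parameterized_rows": len(lookup_parameterized(conn, name)),
        }
    finally:
        conn.close()


def breaks_on_apostrophe() -> bool:
    """True if the concatenated query fails on a legitimate name with a quote,
    while the parameterized query simply finds no such contact."""
    conn = build_db()
    try:
        try:
            lookup_vulnerable(conn, "O'Brien")
            vulnerable_failed = False
        except sqlite3.OperationalError:  # unbalanced quote -> SQL syntax error
            vulnerable_failed = True
        return vulnerable_failed and lookup_parameterized(conn, "O'Brien") == []
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name behaves identically in both versions.
    print("alice              ->", compare("alice"))
    # Input containing a quote alters the vulnerable query's WHERE clause; the
    # parameterized query just looks for a contact literally named that string.
    print("x' OR 'a'='a       ->", compare("x' OR 'a'='a"))
    print("breaks on O'Brien  ->", breaks_on_apostrophe())
```

The point for defenders is that the fix is structural, not a matter of filtering characters: once the value is bound as a parameter, the database engine never treats it as SQL, so both the tautology input and the apostrophe in a real surname are handled correctly without any special-casing in the application.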