OWASP Top 10 Part 1: Code Injection


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:00
Here we are, OWASP Top 10. Risk number one, code injection. In this lesson, we're going to talk about the risk of code injection, talk about the impact of code injection, and then we're going to talk about many of the techniques used to address code injection in web applications.

What is code injection? Well, as the name implies, it is when malicious code is entered into either a field or a vector, or different elements or parameters that are either external or internal to a web service or web page. The reason that I think this one is so high up there is that, whenever you're using a web application, there are going to be fields. You need to have the web application take in data, and as a result, plenty of opportunities for code injection can accidentally be introduced. There's always a code injection risk or possibility anytime a web application is taking in untrusted data. Unless there are limits regarding the amount of data or the type of characters that can be put into particular fields, a threat actor can put malicious code within whatever series of strings or data they're putting into the web application. This is particularly problematic when it comes to legacy or older code or applications that may not be tested.

The impact of code injection is pretty significant. Loss of confidentiality, loss of integrity, loss of availability, you name it. Basically, once that malicious command can be put directly into the web application, the threat actor can really do all kinds of damage when it comes to retrieving information, getting the command to execute and retrieve data from databases. They may be able to escalate their own privilege and gain access to the network by getting that command to run.

Thankfully, code injections are fairly easy to detect. They can really be easily discovered by doing good analysis of the code, as well as many of the testing methods such as scanning and fuzzing, which we're going to talk about a little bit later. Another very important means of addressing code injection is having input validation. This basically checks the information that's being put into a particular field to ensure that the amount of data isn't too long or doesn't contain characters that are prohibited or associated with malicious injections.

All right, quiz question. The risk of code injection can be mitigated through which of the following? One, input validation; two, process isolation; three, special character requirements. If you said input validation, you're correct. Because this attack really requires the input of potentially a long string of malicious code, having the field input checked for its parameters and for potentially containing malicious elements is really one of the best ways to do this. However, it can be difficult because there are so many different fields that are required and you're always going to be taking in data. It's a necessity to really have a working web application. However, through vigilant testing and effective code review, it's fairly straightforward to detect and identify any code injection vulnerabilities.

In summary, we talked about what code injection is: inputting a malicious command into a string or a field. We talked about the impact of the exploit, that code injection really can be used to do a whole host of bad things, whether it's extracting data, or corrupting a system, or getting unauthorized access and then really covering the effects. Then we talked about the methods to address code injection, namely input validation, but also effective code review and security testing. All right, we've got a lot more vulnerabilities to go. I'll see you in the next lesson.