Question

There are many different types of attacks that can happen to a web-based application. Find a unique case study using the OWASP Top 10 and explain how it could be done, how it affected the company and the system and how best to protect against these types of attacks.

Answer 1

OWASP - The Open Web Application Security Project is an international non profit organization dedicated to web application security.

OWASP Top 10 is a list of the 10 most dangerous current web application security flaws along with effective methods to handle these flaws. It is a regularly updated report put together by a variety of security experts from all over the world.

One of the top 10 security vulnerabilities is Injection Attack.

Injection attack occurs when untrusted data is send to an interpreter as part of a command or query and trick the interpreter into executing unintended commands and gives access to unauthorized data.

The SQL command which when executed by web application can also expose the back-end database. For example, an attacker could enter SQL database code into a form that expects a plain text username. If that form input is not properly secured, this could result in that SQL code being executed. This is known as SQL injection attack.

SQL injection is easy to implement. Tight deadlines, inexperienced developers and legacy code often result in variable code quality and security practices. A single vulnerable field in any form or API endpoint across a website that has access to a database may be sufficient to expose a vulnerability.

Implication

1. An attacker can inject malicious content into the vulnerable fields.

2. Sensitive data like username, passwords etc can be read from the database.

3. Database can be modified.

4. Administration operations can be executed on the database.

Consequences of SQL injection

1. Attackers can use SQL injections to find the credentials of other users in the database.

2. SQL injection can allow the attacker to gain complete access to all the data in the database server.

3. An attacker could use SQL injection to alter balances, void transactions or transfer money to their account.

4. An attacker could delete the data so that data will not be available until the database is restored.

5. an attacker could use SQL injection to attack the internal network behind a firewall.

Ways to prevent the SQL injection attacks

1. Update Regularly -It is essential to have updates regularly patched.

2.Use parameterized queries- This method forces the developers to first define all the SQL code and then to pass only the necessary parameters to the SQL query.

3. Escape all user supplied inputs- Escaping a character is the way of telling the database that not to parse it as a command but treat it as a literal.

4. Use of stored procedures- Stored procedures limit the risk associated with SQL injection by checking the type of input parameters and preventing the data that violates the type the field is designated to receive.

5. Enforce least privilege - Administrative accounts should in no instance be executing SQL commands as a result of a API call from an unauthorized request.

6. Web Application Firewall- A WAF can help to filter and find malicious data.