OWASP Top 2 Vulnerabilities
In an injection attack, an attacker supplies malicious input to an application. This malicious input is then interpreted as a execute command or query, therefore alternating the execution of the program.
Most of the injection attack allow attackers to spoof identity, temper with existing data and hence leading to data thief, data loss, loss of data integrity, denial of service as well as full system compromise.
What makes injection vulnerabilities particularly scary is that injection attacks are a very well known vulnerability class, there are many freely available tools and cheat sheets that allow even inexperienced attackers to abuse these vulnerabilities.
Most Common Injection Attack - SQL Injection (SQLi)
SQL (Structured Query Language) is widely used to communicate with a database. It is a standard language for storing, manipulating and retrieving data in databases. However, most of the webpages work with at least one database at the back. When a user type some input into the page, it is going to send a request down to the database whether it is to add, alter or validate input.
SQLi occurs when the user input is not validated, filtered, or sanitized. Hence attackers can supply malicious query to the page and trick the backend database to alter or return the data stored in the database.
Form submissions aren’t the only input that come from browsers, SQLi can also happen in URL. One way to know the URL is susceptible to SQLi is inserting ‘ or %27 just after the parameters’ number and press enter. If a SQL Error appears there is some probability that the website is injectable.
Preventing injection requires keeping data separate from commands and queries. All forms of input must be sanitized, not only web form inputs such as login forms to remove potential malicious code elements such as single quotes.
Many website require users to login to access their accounts, make a purchase or posting. Most of it are done by providing a username/email and password. With this info, a site will assign and send each logged in visitor a unique session ID that serves as a key to the user’s identity. Broken Authentication is a type of weaknesses that allow an attacker to either capture or bypass the authentication methods that are used by a web application, allowing attacker to impersonate the target.
When a user sign in to a website, the site uses a proprietary algorithm to generate a unique session ID used as a key to authenticate the user’s identity for the remainder of their login session. The given session ID has to be sent back and forth between a client and the server. If that information is not encrypted properly, there is a fair chance that an attacker would intercept the session ID and impersonate the user, this method is also known as Man in the Middle Attack.
A attacker would also use automated attacks such as credential stuffing, the use of lists of known passwords, to brute-force into the right combination of username and password to gain access to a user’s account. If an application does not implement automated threat or credential stuffing protections, the application can be used as a password oracle to determine if the credentials are valid.
Multifactor Authentication
Multifactor Authentication is designed to prevent broken authentication. Instead of only providing username and password, an application uses machine learning to identify suspicious activities. If a login attempt is classified as suspicious, multi factor authentication such as SMS verification, Email verification or any other authentication method is required to proceed.