A1 Risk in OWASP - Injection
In our post What is OWASP and why every developer should know it we saw an introduction to OWASP and why it is so important in the development of web applications. Within the TOP TEN project, we will delve a little into each of the ten most critical security risks in web applications. Today it is the turn of Risk A1 - Injection.
Examples
- Performing a query by a user ID obtained through a GET parameter, without any validation and without a prepared statement, and sending it straight to the database engine.
- Performing user login validation without a prepared statement, so that a crafted username or password alters the query and allows the attacker to log in.
Prevention
- All data entered by the user must be validated on the server side; client-side validation is only a usability aid, since an attacker can bypass the browser entirely.
- Queries should be built with prepared statements (parameterized queries) so that user data is never interpreted as part of the command. Where the interpreter offers no parameterization, any special character must be escaped using that interpreter's specific escape syntax so that the data is not interpreted and executed as code.
- Validation must use allowlists (accept only the known-good format, such as digits for an ID) on the server side, at the service or application level, rather than trying to detect malicious code in the input.
- LIMIT/TOP should be used in SQL queries to minimize data leakage in case an injection does succeed.
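The following is an added example, not code from the original post, that puts the two vulnerable examples above next to their hardened versions. It uses Python's sqlite3 module against a constructed in-memory users table (names, passwords and roles are invented); in a real application passwords would be stored hashed, and the plaintext comparison here is only to keep the demonstration short.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


# --- Vulnerable: user input concatenated into the SQL text --------------------

def login_vulnerable(conn, username, password):
    # The quotes in the input close the string literal and "--" comments out
    # the password check, so "alice' --" logs in as alice with any password.
    sql = (
        "SELECT id, username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()


def user_by_id_vulnerable(conn, raw_id):
    # raw_id is the GET parameter as a string; "1 OR 1=1" returns every row.
    sql = "SELECT id, username, role FROM users WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


# --- Hardened: allowlist validation + prepared statement + LIMIT --------------

# Allowlist: only the characters a legitimate username can contain.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")
# Allowlist for a numeric ID coming from the query string.
ID_RE = re.compile(r"[0-9]{1,9}")


def login_safe(conn, username, password):
    if not USERNAME_RE.fullmatch(username):
        return None  # reject instead of trying to "clean" the input
    # Placeholders hand the values to the driver; they are never parsed as SQL.
    return conn.execute(
        "SELECT id, username, role FROM users "
        "WHERE username = ? AND password = ? LIMIT 1",
        (username, password),
    ).fetchone()


def user_by_id_safe(conn, raw_id):
    if not ID_RE.fullmatch(raw_id):
        return []
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ? LIMIT 1",
        (int(raw_id),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login :", login_vulnerable(db, "alice' --", "wrong"))
    print("safe login       :", login_safe(db, "alice' --", "wrong"))
    print("vulnerable by id :", user_by_id_vulnerable(db, "1 OR 1=1"))
    print("safe by id       :", user_by_id_safe(db, "1 OR 1=1"))
```

Run it as a script and the vulnerable functions return alice's admin row and the whole table for the injected inputs, while the hardened ones reject them before the query is ever built. The prepared statement is the control that actually stops the injection; the allowlist and LIMIT are the extra layers the prevention list asks for.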