I've been seeing the acronym OWASP floating around a bit now, in relation to software testing, and thought I would write a blog post on what I have learnt about it.
OWASP stands for the Open Web Application Security Project.
This is a non-profit organisation dedicated to improving the security of software.
Their website, found at https://owasp.org/, describes the organisation as follows:
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
A core principle of OWASP is that all of its information and materials are free and easily accessible on its website.
OWASP Top 10
Every two to three years OWASP produces a Top 10 list of the most common web application security risks.
The last was in 2017, and the complete list can be found on their website here.
The top 10 are as follows…
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialisation
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
Looking at past OWASP Top 10 lists, the top 5 tend to recur as the most common risks year on year.
What is Injection?
The following is taken from the OWASP "Injection Theory" page (author: Jeff Williams; contributors: Jmanico, kingthorin):
Injection is an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter. For example, the most common example is SQL injection, where an attacker sends “101 OR 1=1” instead of just “101”. When included in a SQL query, this data changes the meaning to return ALL records instead of just one. There are lots of interpreters in the typical web environment, such as SQL, LDAP, Operating System, XPath, XQuery, Expression Language, and many more. Anything with a “command interface” that combines data into a command is susceptible. Even XSS is really just a form of HTML injection. Frequently these interpreters run with a lot of access, so a successful attack can easily result in significant data breaches, or even loss of control of a browser, application, or server. Taken together, injection attacks are a huge percentage of the serious application security risk. Many organizations have poorly thought through security controls in place to prevent injection attacks. Vague recommendations for input validation and output encoding are not going to prevent these flaws. Instead, we recommend a strong set of controls integrated into your application frameworks. The goal is to make injections impossible for developers.
Other interpreters, commands and document formats that might allow injection include (but are not limited to):
SQL queries
LDAP queries
Operating system command interpreters
Any program invocation
XML documents
HTML documents
JSON structures
HTTP headers
File paths
URLs
A variety of expression languages
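To make the “101 OR 1=1” example above concrete, here is an added example (my own code, not from OWASP or the page quoted above) that runs the same lookup two ways against a small in-memory SQLite table with constructed sample rows: once with the user-supplied value concatenated into the SQL text, and once with the value bound as a query parameter so it can never become part of the command.

```python
import sqlite3

# Constructed sample data so the example runs offline.
ROWS = [(100, "alice"), (101, "bob"), (102, "carol")]


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def lookup_vulnerable(con, user_id: str):
    """Concatenates untrusted input into the SQL text.

    The input becomes part of the SQL grammar, so "101 OR 1=1" turns
    `WHERE id = 101` into `WHERE id = 101 OR 1=1`, which is true for
    every row and therefore returns the whole table.
    """
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return con.execute(sql).fetchall()


def lookup_parameterised(con, user_id: str):
    """Binds the input as a parameter.

    The SQL text is fixed; the driver passes the value to the engine
    as data, so "101 OR 1=1" is compared literally against the id
    column and matches nothing.
    """
    sql = "SELECT id, name FROM users WHERE id = ?"
    return con.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    for value in ("101", "101 OR 1=1"):
        print(f"input={value!r}")
        print("  concatenated :", lookup_vulnerable(con, value))
        print("  parameterised:", lookup_parameterised(con, value))
```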
This is something I have been learning about on TryHackMe. I’ve a long way to go, but I will continue to investigate security in testing as my career develops.