Rick Howard
You're listening to the Cyberwire Network powered by N2K.
Peter Kilpe
Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing: your data. Varonis' AI-powered data security platform secures your data at scale across IaaS, SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment at varonis.com.
Rick Howard
The word is: OWASP injection. Spelled: O for open, W for web, A for application, S for security, P for project, and injection as in introducing code inappropriately. A broad class of attack vectors where an attacker supplies input to an application's command interpreter that results in unanticipated functionality. Example sentence: injection attacks are amongst the oldest and most dangerous hacks aimed at web applications. Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consultancy company, published an education piece in 2003 on the top software security coding issues of the day that eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications. Today, OWASP is an international team of security professionals led by the foundation executive director and Top 10 project leader Andrew van der Stock, dedicated to enabling organizations to develop, purchase and maintain applications and APIs that can be trusted. Today there are tens of thousands of members and hundreds of chapters worldwide. In the OWASP 2021 Top 10 vulnerability list, injection is number three, and the main weakness that hackers leverage is the developer's insufficient validation of user input. By sending applications data that the developer didn't plan for, hackers can retrieve sensitive information or compromise the application altogether. Probably the most well-known injection attack is SQL injection, but there are several others that include object relational mapping, OS command and Object Graph Navigation Library injections. According to OWASP, quote: "Many organizations have poorly thought through security controls in place to prevent injection attacks. Vague recommendations for input validation and output encoding are not going to prevent these flaws." They recommend that the specific design goal should be making injections impossible, but that's way easier to say than to do.
Developers have to understand the nuances involved in application data flow, command parsing, context, and escaping out of bad situations. With all of that in mind, the overall design parameter is keeping data separate from commands and queries. For mitigation, OWASP recommends building an automation framework that can test user input before code goes into production. There are also many security vendors who sell scanning products that can identify the most egregious and obvious injection issues in your code. Nerd reference: at the AppSec California 2018 conference, Justin Collins, the CEO of Brakeman, explains what injection is.
Justin Collins
This is, I think, my definition. Maybe someone else has said this, but this is my succinct definition. It's when we have data that gets interpreted as code, we have values that should be data, and you should not be executing data. But instead it happens and then we have an injection vulnerability. And that data could be things like query parameters, values from a form. They could be values that come in as header values, files that are uploaded, stuff that comes out of the database. These are all things that should be data and somehow they get interpreted as code instead, as SQL or HTML or JavaScript or CSS or Bash or a specific programming language. That's when we get an injection vulnerability.
Rick Howard
Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.
Peter Kilpe
What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Podcast Summary: Hacking Humans – Episode: OWASP Injection (noun) [Word Notes]
Host: N2K Networks
Release Date: April 15, 2025
Description: Deception, influence, and social engineering in the world of cybercrime.
In this episode of Hacking Humans, host Rick Howard delves deep into the topic of OWASP Injection, a critical vulnerability in the realm of web application security. Starting at the [00:53] mark, Howard begins by breaking down the acronym OWASP, which stands for Open Web Application Security Project, and explains the concept of injection as the introduction of malicious code into applications.
Howard defines OWASP Injection as a "broad class of attack vectors where an attacker supplies input to an application's command interpreter that results in unanticipated functionality" (00:53). He emphasizes that injection attacks are among the oldest and most perilous methods used to compromise web applications. These attacks exploit vulnerabilities where user inputs are not adequately validated, allowing attackers to manipulate the application's behavior.
The discussion traces back to 2003 when Dave Wickers and Jeff Williams from Aspect Security published an educational piece highlighting the top software security coding issues of that time. This publication eventually evolved into the OWASP Top 10, a seminal reference document that outlines the most critical security concerns for web applications. Today, OWASP is an international collective comprising tens of thousands of members and hundreds of chapters worldwide, all dedicated to enhancing application and API security.
Focusing on the OWASP 2021 Top 10, Howard identifies Injection as the third most critical vulnerability. He explains that the primary weakness exploited by hackers is the insufficient validation of user input by developers. This lack of validation allows attackers to send unexpected data to applications, leading to unauthorized access or data breaches. Howard cites OWASP, stating:
"Many organizations have poorly thought through security controls in place to prevent injection attacks. Vague recommendations for input validation and output encoding are not going to prevent these flaws." (00:53)
While SQL injection is the most well-known form, Howard names several other types of injection attack, including object relational mapping, OS command, and Object Graph Navigation Library injection. Each of these exploits different aspects of application frameworks and data handling, but they all share the common thread of leveraging improperly sanitized inputs to execute malicious commands.
To combat injection vulnerabilities, Howard references OWASP's recommendation of designing applications to make injections impossible. This involves a comprehensive understanding of application data flow, command parsing, context management, and escaping mechanisms. He underscores the importance of keeping data separate from commands and queries as a fundamental design parameter.
For practical mitigation, OWASP advises building automation frameworks that can test user inputs before deploying code to production environments. Additionally, Howard highlights the availability of various security vendors who offer scanning products capable of identifying glaring and severe injection issues within codebases.
Adding depth to the discussion, Justin Collins, CEO of Brakeman, shares his expert perspective on injection vulnerabilities during the [04:10] segment:
"It's when we have data that gets interpreted as code, we have values that should be data, and you should not be executing data. But instead it happens and then we have an injection vulnerability. And that data could be things like query parameters, values from a form... these are all things that should be data and somehow they get interpreted as code instead... that's when we get an injection vulnerability." (04:10)
Collins emphasizes that any data input—be it query parameters, form values, header values, or uploaded files—should remain as data and must not be executed as code. This fundamental principle is crucial in preventing injection vulnerabilities across various programming languages and environments.
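The two design points above, keeping data separate from the query text and checking user input against the query before code ships, as an added example in Python's sqlite3 module; this is not code from the episode, OWASP or Brakeman, and the user table and test inputs are constructed here.

```python
import sqlite3

# Constructed sample data (not from the episode): one name contains an apostrophe,
# which is ordinary data but also SQL string-delimiter syntax.
SAMPLE_USERS = [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    # Weak pattern: the value is spliced into the command text, so the SQL parser
    # reads it as code. A quote inside the name already changes the statement's
    # structure (here it surfaces as a parse error).
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Hardened pattern: the statement is fixed; the value travels separately as a
    # bound parameter and is never parsed as SQL, whatever characters it holds.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed inputs a pre-production check might feed in: a normal name, one with
# an apostrophe, an empty string, double quotes, and LIKE wildcard characters.
TRICKY_INPUTS = ["alice", "O'Brien", "", '"quoted"', "%_wild"]


def inputs_stay_data(conn, lookup):
    """True if every input yields exactly the rows whose name equals it literally
    (data treated as data) and none of them makes the statement fail to parse."""
    expected = {n: [e for (u, e) in SAMPLE_USERS if u == n] for n in TRICKY_INPUTS}
    try:
        return all(lookup(conn, n) == expected[n] for n in TRICKY_INPUTS)
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    print("concatenated query keeps data as data:", inputs_stay_data(db, lookup_concat))
    print("parameterized query keeps data as data:", inputs_stay_data(db, lookup_param))
```

Running the check against both functions shows why OWASP's input-validation advice alone is weak: the concatenated query fails on a legitimate name, while the parameterized one returns the right row for every input.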
The episode of Hacking Humans provides a comprehensive overview of OWASP Injection vulnerabilities, highlighting their persistence as a significant threat in web application security. By examining the origins, types, and mitigation strategies associated with injection attacks, Rick Howard offers valuable insights for developers and security professionals aiming to safeguard their applications against such pervasive threats.
Notable Quotes:
Rick Howard [00:53]:
"Injection attacks are amongst the oldest and most dangerous hacks aimed at web applications."
Justin Collins [04:10]:
"It's when we have data that gets interpreted as code... that's when we get an injection vulnerability."
Note: This summary excludes advertisements, intros, outros, and non-content sections to focus solely on the substantive discussions regarding OWASP Injection vulnerabilities.