Dark Reading reported in early May of this year that injection attacks are on the rise again. Injection attacks were also number one on the OWASP (Open Web Application Security Project) Top Ten for 2011. The OWASP Top Ten project describes itself as “a broad consensus about what the most critical web application security flaws are.” So if injection is number one, it seems important to understand.
The basic idea behind injection attacks is simple: the malicious user enters data into a web site that is crafted so the software treats it as instructions instead of just as data. What? Consider this: what if, in addition to adding your name to a list of those entering a contest, you could put extra characters after your name that would remove everyone else on the list? Clever, huh? Well, maybe, but surely not ethical and not what the software designers intended!
The major problem is that software designers, myself included, by the way, sometimes neglect to account for all possibilities. In fact, that would be very difficult (I’ll explain the basic solution in a moment). Part of the reason is our education. In school we are often assigned to “write a program to do ‘x’.” We do that, the teacher or professor or grader evaluates that program by providing known input and checking the result. The student does not have time to write code to ensure that the code is safe, and there is no grading process to evaluate it for safety, either. To be fair, sometimes code is evaluated this way, and some people do teach the right way to do things, but it is less common than it should be.
The first thing we need to do is to create an attitude around making code safe. It needs to start early. With people learning to write software as early as elementary school in some cases, we need to start with those teachers, getting them to start the children thinking about coding safely. I know it will be awkward and difficult, but frankly, the bad habits they are learning there are hard to undo in high school or at university. We do need to keep emphasizing that safety aspect through high school and university, though. Professionals need to be reminded of it repeatedly throughout their careers, too.
OK, so how do we avoid injection attacks? Well, there are multiple ways depending on the environment. For SQL injection (an injection attack on a database using Structured Query Language), there are simple techniques to prevent it. The thing is, with SQL and other types of injection, the techniques are specific to the environment and the particular programming language. The OWASP project has a wonderful video on the topic of injection attacks in general and defenses against them, as well as guidance on where to look for more information. Watch the video and post your comments or questions about it below.
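To make the contest-list scenario concrete, here is an added example (written for this post, not taken from the article or from OWASP) that runs the same tampered "name" through a query built by string concatenation and through a parameterized query. The table, the seed names and the tampered input are all constructed for the example; the parameterized version is the simple SQL-injection defense the paragraph above refers to.

```python
import sqlite3

# Constructed sample data: the contest entrants already on the list.
SEED_NAMES = ["Alice", "Bob", "Carol"]

# Constructed input in the spirit of the article's scenario: a "name" carrying
# extra characters that a database would read as commands rather than data.
TAMPERED_NAME = "Mallory'); DELETE FROM entrants WHERE name <> 'Mallory'; --"


def new_list() -> sqlite3.Connection:
    """Create an in-memory entrants table seeded with SEED_NAMES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entrants (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO entrants (name) VALUES (?)", [(n,) for n in SEED_NAMES])
    conn.commit()
    return conn


def add_entrant_unsafe(conn: sqlite3.Connection, name: str) -> None:
    """The flawed version: the user's text is spliced into the SQL string, so any
    quotes and keywords in it change the statement the database runs.
    sqlite3 only runs stacked statements through executescript(); drivers for
    some other databases accept them from a plain execute()."""
    conn.executescript(f"INSERT INTO entrants (name) VALUES ('{name}')")


def add_entrant_safe(conn: sqlite3.Connection, name: str) -> None:
    """The fix: a parameterized query. The SQL text is fixed in the program, and
    the driver hands the name to the database as a value, never as SQL."""
    conn.execute("INSERT INTO entrants (name) VALUES (?)", (name,))
    conn.commit()


def entrants(conn: sqlite3.Connection) -> list:
    """Return the current list in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM entrants ORDER BY rowid")]


def compare() -> tuple:
    """Run the tampered input through both versions; return (unsafe, safe) lists."""
    unsafe = new_list()
    add_entrant_unsafe(unsafe, TAMPERED_NAME)
    safe = new_list()
    add_entrant_safe(safe, TAMPERED_NAME)
    return entrants(unsafe), entrants(safe)


if __name__ == "__main__":
    unsafe_list, safe_list = compare()
    print("string concatenation:", unsafe_list)  # only 'Mallory' is left on the list
    print("parameterized query: ", safe_list)    # the original names plus the literal input
```

The parameterized version stores the whole tampered string as an ordinary name, which is exactly what "data stays data" means in practice.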