Web Application Security: OWASP
- Owner Team: IT Security
- Service: Application and Website Security
Overview
The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools and technologies. As demonstrated here, they are also an excellent resource for web application security information.
OWASP: The most common types of attacks on web applications
OWASP: Cross-site scripting (XSS)
- Cross-site scripting (XSS) attacks are a type of injection problem.
- Malicious scripts are injected into otherwise benign and trusted websites.
- In an XSS attack, an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
- Flaws that allow these attacks to succeed are very widespread.
- They can occur anywhere a web application uses input from a user in the output it generates, without validating or encoding it.
- An attacker can use XSS to send a malicious script to an unsuspecting user.
- The end user’s browser has no way to know that the script should not be trusted, so it executes the script.
- Because the end user's browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens or other sensitive information retained by the browser and used with that site.
- These scripts can even rewrite the content of the HTML page.
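The bullets above describe the sink: user input placed into generated HTML without encoding. The following added example (not code from this page or from OWASP; the template, helper names and sample inputs are its own constructions) renders one user-supplied value with and without output encoding and then parses the result the way a browser would, so a reviewer can see exactly which elements or attributes the input was able to add.

```python
"""Reflected XSS: one user-supplied value rendered with and without output encoding.

Added example, not code from the page or from OWASP. The template, the helper
names and the sample inputs are this example's own constructions.
"""
import html
from collections import Counter
from html.parser import HTMLParser


def render_vulnerable(name: str) -> str:
    # Untrusted input dropped straight into an HTML body context and a
    # quoted-attribute context: the browser cannot tell template from input.
    return f'<p>Hello {name}</p><input value="{name}">'


def render_encoded(name: str) -> str:
    # Output encoding for HTML body and quoted-attribute contexts: & < > " '
    # become entities, so the input is displayed as text, never parsed as markup.
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input value="{safe}">'


class _Collector(HTMLParser):
    """Records element names and attribute names as a browser's parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attr_names: set[str] = set()

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.update(name for name, _ in attrs)


def _structure(document: str):
    collector = _Collector()
    collector.feed(document)
    collector.close()
    return Counter(collector.tags), collector.attr_names


def injected_elements(render, user_input: str):
    """Elements and attribute names that exist only because of user_input.

    The template rendered with an empty string is the baseline; anything beyond
    it is structure the user was able to add, i.e. the XSS sink firing.
    """
    base_tags, base_attrs = _structure(render(""))
    tags, attrs = _structure(render(user_input))
    return dict(tags - base_tags), sorted(attrs - base_attrs)


# Constructed sample inputs: a tag in the body context and an attribute break-out.
SAMPLE_INPUTS = [
    '<script>alert(document.domain)</script>',
    '" onfocus="alert(1)" autofocus="',
]

if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print("input:      ", sample)
        print("vulnerable: ", injected_elements(render_vulnerable, sample))
        print("encoded:    ", injected_elements(render_encoded, sample))
```

Run it and the vulnerable renderer reports a new `script` element for the first input and new `onfocus` and `autofocus` attributes for the second, while the encoded renderer reports nothing added in either case. The same comparison works as a cheap regression check for any template: render with empty input, render with a sample, and fail the build if the parsed structure differs.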
How to avoid cross-site scripting vulnerabilities
- See the XSS (Cross-site scripting) Prevention Cheat Sheet.
- See the Abridged XSS Prevention Cheat Sheet.
- See the DOM-based XSS Prevention Cheat Sheet.
- See the OWASP Development Guide article on phishing.
- See the OWASP Development Guide article on data validation.
How to review code for cross-site scripting vulnerabilities
- See the OWASP Code Review Guide article on Reviewing code for cross-site scripting vulnerabilities.
How to test for cross-site scripting vulnerabilities
- See the latest OWASP Testing Guide articles on how to test for the various kinds of XSS vulnerabilities.
OWASP: SQL injection
- An SQL injection attack consists of insertion or "injection" of an SQL query via the input data from the client to the application.
- SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
- A successful SQL injection can:
  - Read sensitive data from the database
  - Modify database data (Insert/Update/Delete)
  - Execute administration operations on the database (e.g., shut down the DBMS)
  - Recover the content of a given file present on the DBMS file system
  - In some cases, issue commands to the operating system
OWASP: Blind SQL injection
- When an attacker executes an SQL injection attack, sometimes the targeted server responds with an error message from the database server, complaining that the SQL query's syntax is incorrect.
- Blind SQL injection is identical to "normal" SQL injection except that when the attacker attempts to exploit an application, instead of getting a useful error message, they get a generic page specified by the developer.
- This makes exploiting an SQL Injection attack more difficult, but not impossible. An attacker can still steal data by asking a series of true-or-false questions through SQL statements.
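The two SQL injection sections above share one root cause and one fix. The following added example (not code from this page or from OWASP; the table, rows and function names are its own constructions) puts a string-built query beside a parameterized one on an in-memory SQLite table. It also models the "generic page" of the blind case: swallowing the database error hides the syntax message, but a query whose structure the client controls still answers the true-or-false question, whereas the parameterized query treats the whole input as a username and answers "not found".

```python
"""SQL injection: string-built query beside a parameterized one, on an in-memory SQLite table.

Added example, not code from the page or from OWASP. Table, rows and function
names are this example's own constructions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The client value is spliced into the statement text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement is fixed; the value travels separately as a bound parameter
    # and is only ever compared as a string.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def generic_response(lookup, conn: sqlite3.Connection, username: str) -> str:
    # Models the developer's generic page from the blind case: database errors
    # are swallowed and the client only ever sees found / not found.
    try:
        return "found" if lookup(conn, username) else "not found"
    except sqlite3.Error:
        return "not found"


if __name__ == "__main__":
    conn = make_db()
    for value in ["bob", "o'brien", "x' OR '1'='1", "bob' AND '1'='1", "bob' AND '1'='2"]:
        print(repr(value))
        print("  vulnerable:   ", generic_response(lookup_vulnerable, conn, value))
        print("  parameterized:", generic_response(lookup_parameterized, conn, value),
              lookup_parameterized(conn, value))
```

Note that `o'brien`, a perfectly legitimate username, makes the string-built query raise a syntax error, which is the error-message case the blind section starts from; the parameterized query simply returns no rows. Hiding error output is good hygiene, but only binding parameters (or an equivalent such as a prepared statement or a safe ORM call) removes the injection.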
How to avoid SQL injection vulnerabilities
- See the OWASP Development Guide article on how to Avoid SQL Injection vulnerabilities.
- See the OWASP SQL Injection Prevention Cheat Sheet.
How to review code for SQL injection vulnerabilities
- See the OWASP Code Review Guide article on how to Review Code for SQL Injection vulnerabilities.
How to test for SQL injection vulnerabilities
- See the OWASP Testing Guide article on how to Test for SQL Injection vulnerabilities.
OWASP: Attacks on Server Side Includes (SSI)
- SSIs are directives present in web pages that the web server uses to feed HTML pages with dynamic content.
- They are similar to CGI scripts, except that SSIs are used to execute some actions before the current page is loaded or while the page is being rendered.
- In order to do so, the web server evaluates the SSI directives before supplying the page to the user.
- An SSI attack allows exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely.
- It can exploit the application by manipulating SSI directives already in use or by forcing their use through user-input fields.
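Because the server evaluates SSI directives before the page is served, user input that ends up inside an SSI-parsed page must be checked for directive syntax. The following added example (not code from this page or from OWASP; the regular expression, the severity table and the sample inputs are its own constructions) finds SSI directives in user-supplied text and ranks them, which is the kind of gate a guestbook or comment handler can apply before storing content, and the kind of rule a log reviewer can run over submitted values.

```python
"""Server Side Includes: spotting SSI directive syntax in user-supplied content.

Added example, not code from the page or from OWASP. The regular expression,
the severity table and the sample inputs are this example's own constructions.
"""
import re

# An SSI directive is an HTML comment of the form <!--#command param="value" -->.
# The "#" must follow "<!--" directly; the command name is matched case-insensitively.
SSI_DIRECTIVE = re.compile(r"<!--#\s*([a-z]+)\b.*?-->", re.I | re.S)

# Example's own ranking: exec and include let the page run or pull in other
# content, which is the "arbitrary code" case; the others mostly disclose data.
SEVERITY = {"exec": "high", "include": "high", "echo": "medium"}
_ORDER = {"low": 0, "medium": 1, "high": 2}


def find_ssi_directives(text: str) -> list[str]:
    """Command names of every SSI directive found in text, lowercased."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def classify(text: str) -> str:
    """'clean', or the highest severity of any directive present."""
    found = find_ssi_directives(text)
    if not found:
        return "clean"
    return max((SEVERITY.get(d, "low") for d in found), key=_ORDER.__getitem__)


# Constructed sample: three values a guestbook field might receive.
SAMPLES = [
    "Great article, thanks!",
    '<!--#echo var="DOCUMENT_NAME" -->',
    'hi <!--#include virtual="/footer.html" --> there',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s).ljust(7), find_ssi_directives(s), repr(s))
```

Rejecting or entity-encoding matched input is the application-level control; at the server level, SSI should be disabled on directories that hold user-influenced content, and where it is needed Apache's `Options IncludesNOEXEC` keeps the include feature while turning off the `exec` directive.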