Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

10/29/2018 02:00 PM

7 Ways an Old Tool Still Teaches New Lessons About Web AppSec

Are your Web applications secure? WebGoat, a tool old enough to be in high school, continues to instruct.
2 of 8

Code Injection

Sending unauthorized SQL, LDAP, OS, or other commands to a receiving system through input tied to websites (usually as part of a URL) is this year's No. 1 security risk, just as it was in 2013. While the concept is simple, seeing injection in action makes clear just how powerful an attack vector a browser's address bar can be.

In many cases, injection works because an attacker sends a URL that should return an error or a null response, but is instead interpreted by the application and returns unauthorized data. A well-written and thoroughly vetted Web application will refuse to interpret these illicit instructions, but legacy code or quickly written applications can pass the instructions through to the back-end server and hand valuable information to the attacker.

Understanding how code injection works, and what specific attacks look like, helps security professionals and developers alike protect against the threat. It is the first lesson many people learn from WebGoat, and it remains a valuable study for everyone.

(Image: OWASP)
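The slide's point about a request that "should return an error, or null response" but instead yields unauthorized data is easiest to see with the two query patterns side by side. The following is an added illustration, not code from the article or from WebGoat: it seeds an in-memory SQLite table with constructed rows, runs the same lookup through a string-concatenated query (the legacy pattern the slide warns about) and through a parameterized one, and returns both result sets so the difference can be checked. The table, the row values, and the function names are all assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for a real account store.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Legacy pattern: the URL parameter is pasted straight into the SQL text,
    so the database parses attacker-supplied characters as query structure
    rather than as data. Kept deliberately unsafe to show the failure mode."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter. The query's structure is
    fixed before the input is seen, so the input can only ever match a name."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a normal value and a constructed hostile value
    and return the four result sets keyed by case."""
    conn = make_db()
    normal = "alice"
    # No user has this name, so a correct application should return nothing.
    # The embedded quote closes the string literal early in the unsafe query.
    hostile = "nobody' OR '1'='1"
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

Running the script shows the concatenated query returning every row for the hostile input, while the parameterized query returns an empty result for the same input, which is the "null response" a well-vetted application should give. The fix is the binding, not input filtering: the same parameterized call needs no knowledge of which characters are dangerous.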