‘Hackers are having a field day with cheap smart appliances?’, ‘Facebook data from 3 million Belgians sloshing about on the internet’, ‘Client data of Dutch and Belgian online shoppers put up for sale on the internet’, ‘Cyberattack on Defence Ministry and PM’s websites’, … The list of articles related to application security and data protection is getting longer every day. It is, more than ever, a hot topic for developers and testers to secure applications against malicious practices. To keep up with the latest developments in security risks and solutions, we highly recommend the OWASP standards.
OWASP whut?
Firstly, what is OWASP? The Open Web Application Security Project, also known as OWASP, is an open-source project that provides free information on application security. The OWASP Foundation describes itself as:
“A nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”
Every few years OWASP releases a top 10 of vulnerabilities, a broad consensus about the most critical security risks to (web) applications. It’s an ‘awareness’ document for companies to include in their processes, in order to minimize the risks. To better understand the subject, let’s look at an example.
For example: ‘injection’
One of the items in the top 10 is ‘injection’. Let’s say you are using a website and you click on a product. In the background, the application can send a SQL query to the database like this:
SELECT Product_Name, Product_Description
FROM Products
WHERE Product_id = 123
In this case, the user will receive the name and description of the product with id 123. Pretty straightforward. Now, let’s assume that you intercept that query, slightly modify it and send it to the database like this:
SELECT Product_Name, Product_Description
FROM Products
WHERE Product_id = 123 OR 1 = 1
In the above case, we have added the ‘OR 1=1’ statement to the query. One equal to one is always true. So if we send that query to the database, we get a list of ALL the products, even items that were hidden or not available to our user profile.
And we could even be more creative. Let’s say we would again modify the existing query and merge it with another query:
SELECT Product_Name, Product_Description
FROM Products
WHERE Product_id = 123 UNION SELECT Username, Password FROM Users
By adding the additional UNION query, we could get hold of all the usernames and passwords of the application. Or we could just as easily ‘DROP’ a table and, by doing so, make the application fail.
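To make the two queries above concrete, here is an added example (not code from the original article) that runs them against a constructed in-memory SQLite database with the Products and Users tables the article mentions. It shows the product id being pasted into the SQL text, which is what lets the ‘OR 1 = 1’ and UNION variants through, next to the same lookup done with a bound parameter, where the same input is only ever compared as a value.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for the article's Products and Users
    # tables (hypothetical rows, not taken from the original page).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Products (Product_id INTEGER, Product_Name TEXT, Product_Description TEXT);
        INSERT INTO Products VALUES (123, 'Lamp', 'Desk lamp');
        INSERT INTO Products VALUES (124, 'Chair', 'Not visible to normal users');
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('alice', 'hash-of-alice');
        """
    )
    return conn


def lookup_vulnerable(conn, product_id):
    # The id taken from the request is concatenated into the SQL text, so the
    # database parses whatever the client sent as part of the statement.
    sql = (
        "SELECT Product_Name, Product_Description FROM Products "
        f"WHERE Product_id = {product_id}"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    # Parameterised query: the SQL text is fixed and the id is bound separately,
    # so 'OR 1 = 1' or a UNION clause is just a value that matches no row.
    sql = "SELECT Product_Name, Product_Description FROM Products WHERE Product_id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal:     ", lookup_vulnerable(db, "123"))
    print("OR 1=1:     ", lookup_vulnerable(db, "123 OR 1 = 1"))
    print("UNION:      ", lookup_vulnerable(db, "123 UNION SELECT Username, Password FROM Users"))
    print("safe OR 1=1:", lookup_safe(db, "123 OR 1 = 1"))
```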
The essence
Without going into detail on how to protect your application against these different kinds of attacks, it is clear that developers and testers need to be aware of these risks. They should know how to secure applications against them.
At Brightest we are investing a lot in our security solution. We strongly believe we can deliver better quality if the vulnerabilities of the application are also tested and secured. If you want to know more about this topic, please contact us or register for our training on web application security.