[ Auditing With OWASP ] :: [ Vulnerability A1: Injection ]

This entry is part 3 of 4 in the series [ Auditing With the OWASP Top 10 ]

Vulnerability A1: Injection

Remember to get the OWASP Proactive Controls for Developers:
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf

Practice and Process

Open a browser tab to:
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Once you are there, search within the page for "injection" to highlight every occurrence. Scroll down to the HTML injection and CSS injection entries, then open and read both sections.

See this video on HTML injection:
https://www.youtube.com/watch?v=0M711nyRgn0

And this one from one of my favorite channels, HackerSploit:
https://www.youtube.com/watch?v=RoaL_ugswto

Scroll up to the SQL and Code injection links.

See HackerSploit again:
https://www.youtube.com/watch?v=rapaRJDO3vA

Use the video above to practice on bWAPP.

And:
https://www.youtube.com/watch?v=3ZFblGx5v94
which will also introduce you to sqlmap.

Finally: see the OWASP Guide:
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

SQL Injection and Query Parameterization

Get this cheat sheet on query parameterization:
https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html

The cheat sheet above has code examples for several languages, not including Python. For a good Python tutorial in this area see:
https://pynative.com/python-mysql-execute-parameterized-query-using-prepared-statement/

Use the code examples above to practice in Python.
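The following is an added example, not code from the cheat sheet, the pynative tutorial, or any of the practice targets. It puts a string-built login query beside its parameterized form and runs a classic `' OR '1'='1` payload against both. To keep it runnable offline it uses Python's built-in sqlite3 module (placeholder `?`) instead of the MySQL Connector used in the tutorial (placeholder `%s`); the `cursor.execute(query, params)` shape is the same in both drivers. The users table and its two accounts are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with two sample accounts (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # String formatting pastes user input straight into the SQL text, so the
    # quotes inside the input change the structure of the query.
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(conn, username, password):
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # The SQL text is fixed; the driver binds the values separately, so the
    # input is only ever compared as data and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_parameterized": login_parameterized(conn, "alice", "s3cret"),
        # Wrong user, no real password: the vulnerable query still returns a row
        # because the WHERE clause becomes (... AND password='') OR '1'='1'.
        "injected_vulnerable": login_vulnerable(conn, "x", payload),
        # The same payload is just a password string here and matches nothing.
        "injected_parameterized": login_parameterized(conn, "x", payload),
        "rendered_query": build_vulnerable_query("x", payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and compare `injected_vulnerable` (the first account, "alice", logged in with no credentials) against `injected_parameterized` (`None`). The `rendered_query` entry shows the exact SQL the vulnerable path sends, which is the same thing sqlmap infers when it probes a parameter.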

Practice SQL injection on any of the targets listed below.

Then find a practice target written in Python, so you can see the same injection and its parameterized fix in the language you just practiced in.

Targets for Testing the OWASP Top 10 Vulnerabilities

Root-me.org
https://www.root-me.org/en/Challenges/Web-Client/

HackThisSite
https://www.hackthissite.org/

Mutillidae (included in Metasploitable2)

DVWA: Damn Vulnerable Web App

bWAPP:
https://sourceforge.net/projects/bwapp/files/bee-box/
