Injections. I don’t know about you, but I’ve always had a fear of needles. But at least when you got an injection off the NHS, it tended to improve your health! Code injections on the other hand are far more malicious. Injection is used by an attacker to introduce (or "inject") code into a vulnerable computer programme and change the course of execution.
Once the code has been planted, Injection can result in data loss or corruption, lack of accountability, or denial of access. It can sometimes even lead to complete host takeover. That’s right, your computer network could turn into the equivalent of zombie, hijacked and with no self-control whatsoever. Scary, right?
There are plenty of steps you can take to protect yourself against such a potentially devastating threat. But there are three in particular that programmers or developers must put into practice:
- Using APIs (application programming interfaces) that, if used properly, are secure against all input characters. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.
- Using a “whitelist” to ensure that only particular inputs are allowed and everything else is denied.
- Disabling unsecure or unneeded functions on the server-side to minimise possible attack routes.
This can all get pretty technical but keeping a keen eye out for these kind of threats pays off handsomely. OWASP named code injections as their no.1 (!) threat to application-layer security. It takes a lot to get those guys worried; believe me, I’ve been to their seminars. Just last month, the popular web content management platform WordPress revealed a malicious code injection located in the platform’s REST API that had allowed unauthenticated attackers to modify the content of any post or page within a WordPress site. As you can imagine, such a powerful tool to manipulate content could easily destroy businesses, client relationships and reputations. But that’s not even the chilling part…
…They only found out about it because it had been discovered by a third-party security client that had been penetration testing their servers. That’s right – only a dedicated, dynamic team of professional counter-hackers had managed to locate the massive vulnerability that otherwise could have gone undetected for an obscene amount of time. Thankfully, WordPress had these measures in place and then proceeded to contact new firewall providers to make sure they were protected against new exploits. But as you can see, only constant vigilance and aggressive probing ensured that disaster didn’t follow. Are you as prepared? Because injections can be much more than just a pain in the arse.