Security Auditing With the OWASP Top 10
Vulnerability A1: Injection
Remember to get the OWASP Proactive Controls for Developers:
Practice and Process
Open a browser tab to:
Once you are there, search within the page for "injection" to highlight every occurrence. Scroll down to the HTML and CSS injection entries, then open and read those sections.
See this video on HTML injection:
And this one from one of my favorite channels, HackerSploit:
Scroll up to the SQL and Code injection links.
See HackerSploit again:
Use the video above to practice on bWAPP; it will also introduce you to sqlmap.
Finally: see the OWASP Guide:
SQL Parameter Injection
Get this cheat sheet on query parameterization:
The cheat sheet above has code examples for several languages, not including Python. For a good Python tutorial in this area see:
Use the code examples above to practice in Python.
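As an added Python example (not taken from the cheat sheet or from the tutorial linked above), the following script contrasts a query built by string formatting with a parameterized query. It uses only the standard library's sqlite3 module and an in-memory database; the user table and its rows are constructed for the demonstration. Note that the formatted query not only changes meaning when the input contains a tautology, it also breaks on legitimate input such as a surname with an apostrophe, while the parameterized version handles both correctly.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("o'brien", "obrien@example.com"),  # legitimate apostrophe in the name
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable lookup: the input is pasted into the SQL text itself.

    Because the value becomes part of the statement, a quote character in
    the input can change the structure of the query (or simply break it).
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized lookup: the SQL text is fixed, the value is bound.

    The driver sends the value separately from the statement, so whatever
    the input contains it is only ever treated as data, never as SQL.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database and return their results.

    If the unsafe query fails (for example on an apostrophe), the error
    text is returned in place of the rows so the difference is visible.
    """
    conn = make_db()
    try:
        try:
            unsafe = find_user_unsafe(conn, username)
        except sqlite3.Error as exc:
            unsafe = f"error: {exc}"
        return {"unsafe": unsafe, "safe": find_user_safe(conn, username)}
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input behaves the same either way.
    print(compare("alice"))
    # A tautology in the input turns the unsafe query into "match every row";
    # the parameterized query looks for a user literally named that string.
    print(compare("' OR '1'='1"))
    # A legitimate apostrophe breaks the unsafe query but works when bound.
    print(compare("o'brien"))
```

Run the script directly to see the three comparisons; the parameterized query returns exactly one row for a real username, no rows for the tautology string, and the correct row for the name containing an apostrophe.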
Practice SQL injection on any target below.
Find a Python site to practice on.
Targets for Testing the OWASP Top 10 Vulnerabilities
Mutillidae (included in Metasploitable2)
DVWA: Damn Vulnerable Web App