[ Auditing With OWASP ] :: [ Class 2: Injection ]

Vulnerability A1: Injection

Remember to get the OWASP Proactive Controls for Developers:
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf

Practice and Process

Open a browser tab to:
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Once you are there, do a search in the page to highlight all occurrences of injection. Scroll down to the HTML and CSS injections. Open and read those sections.

See this video on HTML injection:
https://www.youtube.com/watch?v=0M711nyRgn0

And this one from one of my favorite channels, HackerSploit:
https://www.youtube.com/watch?v=RoaL_ugswto

Scroll up to the SQL and Code injection links.

See HackerSploit again:
https://www.youtube.com/watch?v=rapaRJDO3vA

Use the video above to practice on bWAPP.

And:
https://www.youtube.com/watch?v=3ZFblGx5v94
which will also introduce you to sqlmap.

Finally: see the OWASP Guide:
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

SQL Parameter Injection

Get this cheat sheet on query parameterization:
https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html

The cheat sheet above has code examples for several languages, not including Python. For a good Python tutorial in this area see:
https://pynative.com/python-mysql-execute-parameterized-query-using-prepared-statement/

Use the code examples above to practice in Python.

Practice SQL injection on any target below.

Find a Python site to practice on.

Targets for Testing the OWASP Top 10 Vulnerabilities

Root-me.org
https://www.root-me.org/en/Challenges/Web-Client/

HackThisSite
https://www.hackthissite.org/

Mutillidae (included in Metasploitable2)

DVWA: Damn Vulnerable Web App

bWAPP:
https://sourceforge.net/projects/bwapp/files/bee-box/

Series Navigation<< [ Auditing With OWASP ] :: [ Class 1: Beginning ]

Leave a Reply