Threat Analysis Cont.

This video explains why injection threats are dangerous and what you need to consider when trying to find the source of an attack.
Every data source represents a potential attack vector. Environment variables are something we tend to assume to be safe, but on a compromised system, they are as critical as any other data input. Parameters are more obvious since they come from the client side. Whether they are provided by a user on a web forum or by a native mobile app, always keep in mind that they are all external to the system. The same is valid for web services and third-party services in general. Even services provided by big corporations are subject to attacks. Handle data gathered from third parties as being potentially harmful.
Users are, most of the time, the main system actors. Whether they are external or internal to the organization, keep in mind that there are different motivations, and that they can change over time. We can just focus on the technical impact since the business impact is specific to the business, and each organization will have to decide how much security risk it is willing to accept. As we have seen, injections may lead to unauthorized access to the system. Depending on the attack motivation and application functioning, injections may give attackers read-only access to the internal data or read-write access leading to complete data loss or corruption. If attackers are able to compromise authentication or authorization systems, then you may lose access to the application. In the worst case, you may even lose control over the system servers.
Threat agents are application and business specific. To identify who the threat agents are, you should ask yourself a few questions. Focus on the impact to enumerate who would benefit from compromising the system. To whom is your data valuable? Enumerate profiles of who has the knowledge to perpetrate the attack and what benefit they take from it. Don’t forget to look inside your organization. Sometimes, we are too focused on external threats, and then the attack comes from the inside. You’ll find this table in the OWASP Top 10. Pause the video and take your time to carefully read it.
In the next part, we will exploit an injection flaw in our intentionally vulnerable application.

In the last video, you learned about injection flaws, and you now understand that every data source is a potential attack target. This video explains why injection threats are dangerous and what you need to consider when trying to find the source of an attack.

You will learn more about how a system can be damaged through injection threats. When you think about why your system is attacked, you need to consider the value of the data that was compromised – who would it be valuable to, and why? These concepts will be discussed in greater detail.

Investigate and share: Go to OWASP Injection Threats and read the details about injection threats. If there is anything that is unclear, share your questions here, and try to respond to other users’ questions.
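
The transcript's point that environment variables, client parameters and third-party services are all equally untrusted can be seen in a short sketch. This is an added example, not part of the course material; the table, the `REPORT_USER` variable, the `user` parameter and the `account.owner` field are hypothetical names, and the sample values are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def lookup_unsafe(db, name):
    # Vulnerable pattern: the value becomes part of the SQL text.
    return db.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()

def lookup_safe(db, name):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def collect_inputs(environ, query_params, partner_response):
    """Read the same field from the three source types the transcript lists.
    All key names here are hypothetical."""
    return {
        "environment variable": environ.get("REPORT_USER", ""),
        "client parameter": query_params.get("user", ""),
        "third-party service": partner_response.get("account", {}).get("owner", ""),
    }

def compare(db, inputs):
    """Return {source: (row count from unsafe query, row count from safe query)}."""
    return {src: (len(lookup_unsafe(db, v)), len(lookup_safe(db, v)))
            for src, v in inputs.items()}

# Constructed sample: the same hostile string arriving by each route.
HOSTILE = "nobody' OR '1'='1"
SAMPLE = collect_inputs(
    environ={"REPORT_USER": HOSTILE},
    query_params={"user": HOSTILE},
    partner_response={"account": {"owner": HOSTILE}},
)

if __name__ == "__main__":
    for source, (unsafe_rows, safe_rows) in compare(make_db(), SAMPLE).items():
        print(f"{source:22} unsafe={unsafe_rows} rows  safe={safe_rows} rows")
```

The unsafe query returns every row no matter which source supplied the value, while the bound-parameter query returns none, so the defence belongs at the point of use rather than at any one input channel.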

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life
