Welcome to the third episode of our Security Culture Campaign! On today’s show Matt Konda talks Injection, which is a serious class of vulnerability that can happen in any language.

Click here for the associated YouTube video.

Injection happens when user inputted data is treated as part of an OS command or part of a query - usually through string concatenation.

As developers, we need to apply appropriate controls. Strict input validation is always recommended but in addition we need to do one or more of the following to prevent injection in various parts of our apps:

Parameterize queries

Decouple user input from real file system paths

Use shell encoding

Injection resources include:

The OWASP Top 10: #1 Injection

Sqlmap

Metasploit

Query Parameterization Cheat Sheet

Testing for Command Injection

The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.

Click here to request a topic.