OSCP and Web Apps – What are Injections?

The OSCP journey will take you through the labs, through the written material, and finally through the test. It will reveal many types of vulnerabilities against web applications and services like Active Directory and FTP. Today’s focus is on injections, which are one of the most dangerous and prevalent web app vulns. This is a highlight of the OSCP content.
Injections can be so dangerous that they are a regular on the OWASP Top Ten, and the 2021 edition is no exception. You’ll learn how to exploit these vulnerabilities in your OSCP labs, but a heads-up is always appreciated. Let’s get into the three main types, but first a little about the infosec landscape, focusing on the OWASP Top Ten.
What’s the big deal about the OWASP Top Ten
Cross-site scripting and SQL injection are two of the most common items on the OWASP Top Ten. But what exactly is this list, and why should you care about what’s on it? The OWASP Top Ten ranks the internet’s most serious security threats. If you are interested in the OSCP, you probably have long-term goals for an infosec career, and the Top Ten is a source of information that will be invaluable throughout it.
OWASP is the Open Web Application Security Project. It is a non-profit foundation that works to improve software security. It aims to inform and train engineers through a variety of community and industry outreach.
The OWASP Top Ten is one of their most prominent projects. It draws on the experiences and observations of security professionals around the world and ranks vulnerabilities according to their severity, their impact, and how often they occur across the internet. The list is widely used in the infosec industry as the standard for which vulns teams should be on high alert for.
Any infosec or development team can easily access this regularly updated list of the most common risks and make use of the tribal knowledge behind it. They can adapt best practices and better weigh the risks as security conditions change. This will hopefully lead to a safer internet and fewer security incidents and breaches that are front-page worthy.
There are ten items to be aware of on the list. Each one comes with a lot of information about how the vulnerability works, how it is commonly exploited, and how to protect yourself against it. You can also find cheat sheets and attack examples to help you detect it. This page focuses on broken access control. It is not difficult to prepare, study, and absorb all of the information available on a single topic.
This is the real value of the OWASP Top Ten, aside from identifying the most dangerous issues on the internet today. It is amazing how much education and reference material can be compiled and given away free of charge.
It can be difficult to know where to begin. OWASP is here to help. This page explains how to use the Top Ten as security standards and how to build an AppSec program that is based on the Top Ten. This is great and very actionable information that will help you put your collective knowledge about the 10 deadly vulns into practice with your team.
Cross-site scripting
Let’s get to the first of our three injection types: cross-site scripting. Originally, XSS was a separate item on the OWASP Top Ten. However, starting with the 2021 list, it was moved to the injections category.
XSS allows malicious code to be injected into a site’s body and then executed in an unwitting user’s browser. This attack is common because it can be used against any site that accepts input.
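The pattern described above, shown from the defender’s side as an added example (this is not code from the original post or from OSCP course material): a server-side template renders a user-supplied name into the page body. The first function concatenates the input directly, so any markup the user submits becomes part of the HTML the victim’s browser parses; the second encodes the input for the HTML text context first, so the same characters are displayed literally. The function and variable names, the constructed sample input, and the small foreign-tag check are all assumptions made for the example.

```javascript
// Added example (not from the original post): rendering untrusted input into
// an HTML page without and with output encoding for the HTML text context.

// The five characters that can change meaning inside HTML text or quoted
// attribute values. Each replacement yields only characters outside the set,
// so a single pass is enough.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted value is dropped straight into the page body.
// Whatever markup it carries is parsed by the browser as part of the page.
function renderGreetingUnsafe(name) {
  return `<p>Welcome back, ${name}!</p>`;
}

// Hardened: identical template, but the value is encoded for the HTML text
// context before insertion, so the browser shows the characters literally.
function renderGreetingSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}!</p>`;
}

// A check a unit test could run over rendered output: did any tag appear that
// the template itself does not contain? This template only emits <p> and </p>.
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?p>$/.test(tag));
}

// Constructed sample input: a "name" that carries markup and every character
// the encoder has to handle, as a user could submit through a profile form.
const SAMPLE_INPUT = 'Mallory <i>"the" & \'tester\'</i>';

function demo() {
  const unsafe = renderGreetingUnsafe(SAMPLE_INPUT);
  const safe = renderGreetingSafe(SAMPLE_INPUT);
  return {
    unsafe,
    safe,
    unsafeInjectsMarkup: containsForeignTag(unsafe), // true: <i> leaked into the page
    safeInjectsMarkup: containsForeignTag(safe),     // false: only the template's <p>
  };
}

console.log(demo());
```

Output encoding is context-specific: the escaping above is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block, an unquoted attribute, a URL, or a CSS property needs the encoder for that context, which is why modern template engines with auto-escaping and a Content Security Policy are the usual defence in depth.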
