Injection in OWASP Top 10

Injection occurs when applications send untrusted user input to an interpreter as part of a command or query. When input is not properly validated or sanitized, attackers can execute malicious code, manipulate database queries, or access unauthorized data.

This vulnerability happens due to improper input validation and insecure coding practices
Includes SQL injection, command injection, LDAP injection, and XSS
Often results from directly concatenating user input into queries
Can lead to data breaches, authentication bypass, and full system compromise

Common Causes of Injection

1. Lack of Input Validation

Applications fail to validate or sanitize user input before processing it.
Attackers can insert malicious characters that change query behavior.

2. Dynamic Query Construction

User input is directly concatenated into SQL or system commands.
This allows attackers to modify the structure of the original query.

3. Absence of Parameterized Queries

Developers do not use prepared statements or parameterized queries.
The application cannot distinguish between code and user-supplied data.

4. Poor Error Handling

Detailed database or system errors are displayed to users.
Attackers use these errors to craft more precise injection payloads.

5. Insecure Deserialization or API Handling

APIs process user-controlled data without proper filtering.
Malicious payloads can manipulate backend logic.

Real-World Examples

A login query is constructed like this:

SELECT * FROM users WHERE username = 'admin' AND password = '1234';

Attacker inputs:

' OR '1'='1

The query always evaluates as true, allowing authentication bypass.

Example 2: Command Injection

An application runs a system command:

ping 127.0.0.1

Attacker inputs:

127.0.0.1; cat /etc/passwd

The server executes both commands, exposing sensitive files.

Example 3: Cross-Site Scripting (XSS)

A comment field accepts input without sanitization:

<script>alert('Hacked')</script>

When another user loads the page, the malicious script executes in their browser.

Impact of Injection

Injection vulnerabilities can cause severe technical and business damage.

Unauthorized Data Access: Attackers retrieve sensitive records from databases.
Authentication Bypass: Login mechanisms are defeated.
Data Modification or Deletion: Databases can be altered or wiped.
Remote Code Execution: Attackers execute system-level commands.
Compliance Violations: Breaches may violate GDPR, PCI-DSS, or other standards.
Reputation & Financial Loss: Trust damage, lawsuits, and regulatory fines.

How Attackers Exploit Injection

Attackers focus on input fields, query construction flaws, and exposed backend systems.

1. SQL Injection

Attackers manipulate SQL queries using special characters like ', ", --, or ;.
Example: Extracting all user records from a database.

2. Command Injection

Attackers append malicious OS commands to input fields.
Example: Executing rm -rf / on a vulnerable server.

Attackers infer information by observing application behavior instead of error messages.
Example: Determining database structure through response timing.

Stored XSS Injection

Malicious scripts are stored in the database and executed when other users access the page.
Example: Session cookies stolen from logged-in users.

Automated Exploitation

Attackers use tools to automate injection discovery and exploitation.
Example: SQLMap extracting entire databases.

Prevention of Injection

1. Use Parameterized Queries

Use prepared statements to separate code from data.
Never concatenate user input directly into queries.

2. Input Validation & Sanitization

Allow only expected input formats (whitelisting).
Reject special characters where not required.

3. Implement Proper Error Handling

Do not expose database or system errors to users.
Log errors securely on the server side.

4. Apply Least Privilege Principle

Database accounts should have minimal required permissions.
Even if injection occurs, damage is limited.

5. Use Web Application Firewalls (WAF)

Deploy WAFs to detect and block common injection payloads.

6. Output Encoding

Encode output to prevent browser-based injection attacks such as XSS.

Injection in OWASP Top 10

Common Causes of Injection

1. Lack of Input Validation

2. Dynamic Query Construction

3. Absence of Parameterized Queries

4. Poor Error Handling

5. Insecure Deserialization or API Handling

Real-World Examples

Example 2: Command Injection

Example 3: Cross-Site Scripting (XSS)

Impact of Injection

How Attackers Exploit Injection

1. SQL Injection

2. Command Injection

Blind Injection

Stored XSS Injection

Automated Exploitation

Prevention of Injection

1. Use Parameterized Queries

2. Input Validation & Sanitization

3. Implement Proper Error Handling

4. Apply Least Privilege Principle

5. Use Web Application Firewalls (WAF)

6. Output Encoding

Explore

Injection in OWASP Top 10

Common Causes of Injection

1. Lack of Input Validation

2. Dynamic Query Construction

3. Absence of Parameterized Queries

4. Poor Error Handling

5. Insecure Deserialization or API Handling

Real-World Examples

Example 1: SQL Injection Login Bypass

Example 2: Command Injection

Example 3: Cross-Site Scripting (XSS)

Impact of Injection

How Attackers Exploit Injection

1. SQL Injection

2. Command Injection

Blind Injection

Stored XSS Injection

Automated Exploitation

Prevention of Injection

1. Use Parameterized Queries

2. Input Validation & Sanitization

3. Implement Proper Error Handling

4. Apply Least Privilege Principle

5. Use Web Application Firewalls (WAF)

6. Output Encoding

Explore