Injection — OWASP A03:2021

Understanding Injection

What is Injection?

Injection is a critical security vulnerability and is listed as A03:2021-Injection in the OWASP Top 10, a standard awareness document for developers and web application security professionals. An Injection flaw occurs when an attacker can send hostile data to a web application, and the application's interpreter (such as a database engine, operating system shell, or programming language evaluator) mistakenly interprets that hostile data as part of a command or query rather than as simple, safe user input.

This flaw can trick the application into executing unintended commands or accessing sensitive data without proper authorization, potentially leading to severe consequences such as data loss, denial of service, or full system compromise.

How it Happens

A vulnerable application typically exhibits one or more of the following behaviors:

• It does not validate, filter, or sanitize user-supplied data, allowing attackers to inject malicious input directly.
• It uses dynamic queries or non-parameterized calls where hostile data is directly concatenated into commands, enabling execution of unintended instructions.

Common Types of Injection Attacks

• SQL Injection (SQLi)

  Attackers insert malicious SQL statements into input fields (like login or search forms). If the application executes these inputs directly without proper handling, the database may reveal, alter, or delete sensitive data, potentially compromising entire systems.

• Cross-Site Scripting (XSS)

  This occurs when attackers inject malicious client-side scripts (commonly JavaScript) into web pages. Users viewing the page will execute the script unknowingly, leading to session hijacking, credential theft, or UI manipulation. In OWASP Top 10:2021, XSS is consolidated under the broader Injection category due to its shared root cause of command/data confusion.

• OS Command Injection

  Attackers execute arbitrary operating system commands on the server hosting the application. This can provide full administrative access to the system, allowing attackers to read files, modify system configurations, or deploy malware.

• LDAP Injection

  Flaws in Lightweight Directory Access Protocol (LDAP) queries are exploited by injecting malicious input, enabling attackers to access, modify, or delete sensitive directory information that they should not have permissions for.

Prevention and Mitigation

Preventing Injection vulnerabilities requires careful separation of data and commands, employing multiple layers of security:

• Use Safe APIs with Parameterized Queries (Preferred): Utilize APIs that inherently avoid interpretation of input as commands, or employ parameterized interfaces like Prepared Statements or ORM tools. This ensures that user input is always treated strictly as data and never executed as part of a command.
• Positive Server-Side Input Validation (Allowlisting): Explicitly define acceptable inputs for each field, including allowed types, lengths, and formats. Reject any input that falls outside this strict definition to minimize attack vectors.
• Context-Aware Escaping: When dynamic queries are unavoidable, properly escape special characters specific to the interpreter in use. This prevents the interpreter from misinterpreting input as executable commands.
• Least Privilege Principle: Restrict database accounts and system permissions so that the application only has the minimum access necessary for its functionality. For example, a web application should not have permission to delete an entire database just to read user profile information.