Injection previously held the first position in the OWASP Top 10. In the 2021 edition OWASP moved it down to the third position (A03:2021), and Cross-site Scripting is now folded into this category. 94% of the tested applications were tested for some form of injection, with a maximum incidence rate of 19%, an average incidence rate of about 3%, and 274k occurrences.
An application is vulnerable to attack when:
- User-supplied data is not validated, filtered, or sanitized by the application.
- Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
- Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
- Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
Notable Common Weakness Enumerations (CWEs):
- CWE-79: Cross-site Scripting
- CWE-89: SQL Injection
- CWE-73: External Control of File Name or Path
- and many more ...
Examples (these are OWASP Juice Shop challenge descriptions, not CVEs):
Login Bender
- Log in with Bender's user account. Use the domain name and user name (find the domain name in the application configuration).
- You are familiar with the vulnerability in the e-mail field.
Login Jim
- Log in with Jim's user account. Hint: injection vulnerability in the search box.
- A user table named User with columns id, email, password exists.
Expired coupon
- Successfully redeem an expired campaign coupon code.
Payback time
- Place an order that makes you rich.
OWASP Injection Prevention Cheat Sheet rules:
- Rule #1 (Perform proper input validation)
- Rule #2 (Use a safe API)
- Rule #3 (Contextually escape user data)
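The following is an added example (not code from OWASP or from any of the challenge applications above) that shows the vulnerable conditions listed earlier and the three prevention rules side by side. It uses an in-memory SQLite database; the table, the rows, the e-mail regex and the function names are all constructed for illustration. The payload `' OR 1=1--` is the classic login bypass: the quote closes the string, `OR 1=1` makes the condition always true, and `--` comments out the password check.

```python
"""Injection: hostile data concatenated into a query vs. the OWASP prevention rules.

Added example. The User table and its rows are constructed sample data.
"""
import html
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: the column names are the ones given on this page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO User (email, password) VALUES (?, ?)",
        [("admin@example.test", "hash-of-admin-secret"),
         ("bender@example.test", "hash-of-bender-secret")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """Vulnerable: hostile data is concatenated into the query text, so the data
    becomes part of the statement's structure (CWE-89)."""
    sql = (f"SELECT id, email FROM User WHERE email = '{email}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """Rule #2 (use a safe API): the statement text is fixed; the values travel as
    bound parameters and can never be parsed as SQL quotes, keywords or comments."""
    sql = "SELECT id, email FROM User WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


# Hypothetical allowlist pattern for an e-mail address field (illustrative only).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def valid_email(value: str) -> bool:
    """Rule #1 (input validation): accept only the shape the field is expected to
    hold. Defence in depth; it does not replace parameterised queries."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def render_greeting(email: str) -> str:
    """Rule #3 (contextual escaping): the same untrusted value, when written into
    an HTML page, is escaped for *that* interpreter (CWE-79), independently of
    how it was handled for SQL."""
    return f"<p>Welcome, {html.escape(email, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1--"  # closes the string, forces TRUE, comments out the password check
    print("vulnerable   :", login_vulnerable(db, payload, "x"))  # first user, no password needed
    print("parameterised:", login_safe(db, payload, "x"))        # None: no such e-mail
    print("validated    :", valid_email(payload))                # False: never reaches SQL
    print(render_greeting("<img src=x onerror=alert(1)>"))
```

Run it as a script to see the bypass succeed against the concatenated query and fail against the parameterised one. Note that validation alone (Rule #1) rejects this payload but would not stop a valid-looking address from being misused elsewhere; the structural fix is Rule #2, and Rule #3 is applied again at every output context.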
Other relevant cheat sheets: