>myctrl.tools
Preferences
Under active development Content is continuously updated and improved

A05Injection

>Control Description

Injection falls two spots from #3 to #5 in the ranking, maintaining its position relative to A04:2025-Cryptographic Failures and A06:2025-Insecure Design. Injection is one of the most tested categories with 100% of applications tested for some form of injection. It had the greatest number of CVEs for any category, with 37 CWEs in this category. Injection includes Cross-site Scripting (high frequency/low impact) with more than 30k CVEs and SQL Injection (low frequency/high impact) with more than 14k CVEs. The massive number of reported CVEs for CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') brings down the average weighted impact of this category. An injection vulnerability is an application flaw that allows untrusted user input to be sent to an interpreter (e.g. a browser, database, the command line) and causes the interpreter to execute parts of that input as commands. An application is vulnerable to attack when: * User-supplied data is not validated, filtered, or sanitized by the application. * Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter. * Unsanitized data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. * Potentially hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures. Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection. The concept is identical among all interpreters. Detection is best achieved by a combination of source code review along with automated testing (including fuzzing) of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs. The addition of static (SAST), dynamic (DAST), and interactive (IAST) application security testing tools into the CI/CD pipeline can also be helpful to identify injection flaws before production deployment. A related class of injection vulnerabilities has become common in LLMs. These are discussed separately in the [OWASP LLM Top 10](https://genai.owasp.org/llm-top-10/), specifically [LLM01:2025 Prompt Injection](https://genai.owasp.org/llmrisk/llm01-prompt-injection/).

>Prevention & Mitigation Strategies

  1. 1.The preferred option is to use a safe API, which avoids using the interpreter entirely, provides a parameterized interface, or migrates to Object Relational Mapping Tools (ORMs).
  2. 2.Use positive server-side input validation. This is not a complete defense as many applications require special characters, such as text areas or APIs for mobile applications.
  3. 3.For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.

>Attack Scenarios

#1SQL injection via string concatenation

An application uses untrusted data in the construction of the following vulnerable SQL call: ``` String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; ``` An attacker modifies the 'id' parameter value in their browser to send: `' OR '1'='1`. For example: ``` http://example.com/app/accountView?id=' OR '1'='1 ``` This changes the meaning of the query to return all records from the accounts table. More dangerous attacks could modify or delete data or even invoke stored procedures.

#2HQL injection via framework misuse

An application's blind trust in frameworks may result in queries that are still vulnerable. For example, Hibernate Query Language (HQL): ``` Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'"); ``` An attacker supplies: `' OR custID IS NOT NULL OR custID='`. This bypasses the filter and returns all accounts. While HQL has fewer dangerous functions than raw SQL, it still allows unauthorized data access when user input is concatenated into queries.

#3OS command injection via user input

An application passes user input directly to an OS command: ``` String cmd = "nslookup " + request.getParameter("domain"); Runtime.getRuntime().exec(cmd); ``` An attacker supplies `example.com; cat /etc/passwd` to execute arbitrary commands on the server.

>Related CWEs

CWE-500
CWE-113
CWE-95
CWE-78
CWE-89
CWE-77
CWE-99
CWE-74
CWE-80
CWE-564
CWE-83
CWE-94
CWE-97
CWE-79
CWE-116
CWE-98
CWE-112
CWE-159
CWE-493
CWE-20
CWE-610
CWE-93
CWE-644
CWE-917
CWE-86
CWE-115
CWE-643
CWE-114
CWE-90
CWE-88
CWE-104
CWE-129
CWE-96
CWE-470
CWE-76
CWE-103
CWE-91

>References

Ask AI

Configure your API key to use AI features.