search

3. Injection

hashtag
What is Injection?

An application is vulnerable to attack when:

  • User-supplied data is not validated, filtered, or sanitized by the application.

  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.

  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.

circle-info

Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection.

hashtag
Scenario 1

An application uses untrusted data in the construction of the following vulnerable SQL call:

String query = "SELECT \* FROM accounts WHERE custID='" + request.getParameter("id") + "'";

hashtag
Scenario 2

Similarly, an application’s blind trust in frameworks may result in queries that are still vulnerable, (e.g., Hibernate Query Language (HQL)):

 Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'");

In both cases, the attacker modifies the ‘id’ parameter value in their browser to send: ‘ or ‘1’=’1. For example:

 http://example.com/app/accountView?id=' or '1'='1

This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify or delete data or even invoke stored procedures.

hashtag
Reference

LogoA03 Injection - OWASP Top 10:2021owasp.orgchevron-right
A03 Injection - OWASP
Previous2. Cryptographic FailuresNext4. Insecure Design

Last updated