
A03 Injection - OWASP Top 10:2021

Injection vulnerabilities arise when user data is not properly validated or sanitized. Learn prevention methods and secure development practices against SQL, NoSQL, and OS command injection.

Overview

Injection ranks third in the OWASP Top 10:2021 list. It was found in 94% of tested applications, with a maximum incidence rate of 19% and an average incidence rate of 3%. The category covers several forms of attack, including SQL injection, NoSQL injection, OS command injection, and more. The essential defense is to keep data separate from commands and queries.


Description

Injection vulnerabilities occur when user-supplied data is not properly validated or sanitized by the application. They can also arise when dynamic queries or non-parameterized calls are used without context-aware escaping, or when hostile data is placed directly into object-relational mapping (ORM) search parameters. Unsafe APIs, missing input validation, and failure to escape special characters are the most common causes. Injection flaws can be detected through source code review and thorough testing of every input parameter. It is highly recommended to incorporate static, dynamic, and interactive application security testing (SAST, DAST, IAST) tools in the development pipeline.


How to Prevent?

To prevent injection vulnerabilities, it is recommended to use a safe API that avoids the interpreter entirely or provides a parameterized interface. Positive server-side input validation can also be used, but it may not be a complete defense. For dynamic queries, special characters should be escaped using the specific escape syntax of the interpreter. The use of LIMIT and other SQL controls within queries can help prevent mass disclosure of records in the case of SQL injection. Proper security measures should be implemented in the development process, including source code review, input validation, and the utilization of testing tools.


Example Attack Scenarios

  • Scenario #1: SQL Injection: An application uses untrusted data in the construction of a vulnerable SQL call. By modifying the 'id' parameter value, an attacker can manipulate the query to return all records from the accounts table or perform other malicious actions.

  • Scenario #2: Hibernate Query Language (HQL) Injection: An application blindly trusts frameworks and constructs queries vulnerable to injection attacks. By manipulating the 'id' parameter value, an attacker can execute arbitrary queries or modify data stored in the database.
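The following is an added example (not code from the original page or from Cloud Defense) that shows Scenario #1 beside the prevention advice above: a query built by string concatenation, the same lookup rewritten against a parameterized interface with a LIMIT clause, and a positive validation check. The in-memory `accounts` table and its rows are constructed sample data.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory accounts table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """Scenario #1: the 'id' value is concatenated into the SQL text, so the
    interpreter cannot distinguish data from query syntax.  Supplying a value
    such as ' OR '1'='1 turns the WHERE clause into a tautology and the call
    returns every row of the accounts table."""
    query = "SELECT id, owner FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_id: str) -> list:
    """Parameterized interface: the value travels to the driver separately from
    the query text and is never parsed as SQL.  LIMIT 1 additionally bounds the
    result set, so a single-record lookup can never disclose the whole table."""
    query = "SELECT id, owner FROM accounts WHERE id = ? LIMIT 1"
    return conn.execute(query, (account_id,)).fetchall()


def is_valid_account_id(account_id: str) -> bool:
    """Positive (allow-list) server-side validation: an account id is a run of
    digits and nothing else.  Useful as defense in depth, but not a substitute
    for parameterization, since many fields legitimately need special characters."""
    return re.fullmatch(r"[0-9]{1,18}", account_id) is not None


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable, hostile input:", lookup_vulnerable(db, hostile))  # all three rows
    print("parameterized, hostile input:", lookup_safe(db, hostile))    # []
    print("parameterized, id 2:", lookup_safe(db, "2"))                 # [(2, 'bob')]
    print("validation rejects hostile input:", not is_valid_account_id(hostile))
```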
