2021 OWASP Top Ten: Injection

by F5 DevCentral

📚 Main Topics

  • Overview of Injection Risks

    • Injection sits at A03 in the 2021 OWASP Top 10, down from first place.
    • It has appeared in every edition since the first list in 2003 and held the top spot in 2010, 2013 and 2017.
    • Broken Access Control (A01) and Cryptographic Failures (A02) were judged more serious in 2021, which produced the drop.
  • Types of Injection Attacks

    • Most often associated with SQL injection, but the category covers any interpreter that is handed untrusted data, such as:
      • LDAP (Lightweight Directory Access Protocol) injection
      • OGNL (Object-Graph Navigation Language) injection
      • OS command, NoSQL, ORM and Expression Language (EL) injection
    • Cross-site scripting (XSS), a separate category in 2017, is now folded into injection.
  • Vulnerability Factors

    • An application is vulnerable when user-supplied data is not validated, filtered or sanitized before it reaches an interpreter.
    • Dynamic queries and non-parameterized calls that splice that data directly into the command text, without context-aware escaping, are the typical root cause.
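The vulnerability factors above, and the SQL injection example the video walks through, in runnable form. This is an added example written for this page, not code from F5 DevCentral or the video; it assumes Python's built-in sqlite3 module and a constructed two-row users table, and the function names and sample credentials are invented for the demonstration. The vulnerable functions splice input into the query text; the parameterized ones keep the statement fixed and bind the data, so the same payloads stop working.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Dynamic query: user data is spliced into the SQL text, so the interpreter
    parses attacker-controlled quotes, operators and comments as part of the command."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def lookup_vulnerable(conn, username):
    """Same flaw in a lookup that echoes rows back to the caller: a UNION payload
    turns it into a data-exfiltration channel."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Data kept separate from the command: the statement text is fixed, the driver
    binds the values, and a quote in the input is just a character to compare."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized form of the lookup: the UNION payload is compared literally."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR 1=1 --"  # closes the string, adds a true clause, comments out the password check
    exfil = "' UNION SELECT username, password FROM users --"  # appends a second result set
    print("vulnerable login, wrong password:   ", login_vulnerable(db, bypass, "wrong"))
    print("vulnerable lookup, UNION payload:    ", lookup_vulnerable(db, exfil))
    print("parameterized login, same payload:   ", login_parameterized(db, bypass, "wrong"))
    print("parameterized lookup, same payload:  ", lookup_parameterized(db, exfil))
```

Run it and the vulnerable login returns both users for a wrong password, the vulnerable lookup returns every username and password, and the parameterized versions return nothing for the same input. The `--` comment and the `UNION` are ordinary SQL; the bug is only that the application let the user write part of the statement.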

✨ Key Takeaways

  • Understanding Injection Attacks

    • A worked SQL injection example shows how an attacker's input can change the structure of a query and execute commands the developer never intended.
    • The common thread in every injection attack: data supplied by the user is handed to an interpreter, which parses it as code because the application never enforced a boundary between the two.
  • Prevention Strategies

    • Data separation: keep data separate from commands and queries.
    • Use of safe APIs: prefer APIs that avoid the interpreter entirely, provide a parameterized interface, or migrate to an ORM (an ORM still permits injection if it is fed hand-built query strings).
    • Input validation: apply positive, server-side (allowlist) validation; many applications must accept special characters, so validation alone is not a complete defence.
    • Parameterized queries: bind user data as parameters so it can never alter the SQL statement.
    • Escape special characters: for any residual dynamic query, use the escape syntax of that specific interpreter; this is a last resort, and it cannot protect structural elements such as table and column names.
    • Limit exposure: use LIMIT and other SQL controls in queries to prevent mass disclosure of records if injection does occur.
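The prevention strategies that parameterization does not cover, in one added example (written for this page, not F5's or the video's code). It assumes Python's built-in sqlite3, a constructed products table, and invented function names. A sort column is a SQL identifier and cannot be bound, so it is allowlisted; the page size is clamped and enforced with LIMIT; the LIKE metacharacters are escaped for that interpreter; and an LDAP filter is escaped with RFC 4515 syntax to show that escaping is specific to the interpreter being fed.

```python
import sqlite3

# Positive (allowlist) validation for a SQL identifier. A column name cannot be bound
# as a parameter, so the only safe way to let the client pick a sort column is to
# accept nothing outside a fixed set of known-good names.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "price"})
MAX_ROWS = 50  # server-side cap, enforced with LIMIT whatever the client asks for


def make_db():
    """Constructed in-memory products table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [(f"widget-{i:03d}", float(i)) for i in range(1, 201)],
    )
    return conn


def escape_like(value, esc="\\"):
    """LIKE has its own metacharacters (% and _). Escape them for that interpreter so a
    bound search term cannot widen into a match-everything pattern."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_products(conn, term, sort_by="name", page_size=10):
    if sort_by not in ALLOWED_SORT_COLUMNS:  # positive validation: reject, do not "clean up"
        raise ValueError(f"rejected sort column: {sort_by!r}")
    page_size = max(1, min(int(page_size), MAX_ROWS))  # clamp before it reaches the query
    pattern = "%" + escape_like(term) + "%"  # the term itself stays bound data
    query = (
        "SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\' "
        f"ORDER BY {sort_by} LIMIT ?"  # sort_by is safe only because of the allowlist above
    )
    return conn.execute(query, (pattern, page_size)).fetchall()


# LDAP search filters are a different interpreter with a different escape syntax
# (RFC 4515): the characters \ * ( ) and NUL become \HH. SQL-style quote doubling
# does nothing here, which is why escaping must match the interpreter.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter_vulnerable(username):
    """Username spliced straight into the filter: '*)(uid=*' matches every person."""
    return f"(&(objectClass=person)(uid={username}))"


def user_filter(username):
    """Escaped form: the same payload becomes a literal string that matches no uid."""
    return f"(&(objectClass=person)(uid={ldap_filter_escape(username)}))"


if __name__ == "__main__":
    db = make_db()
    print(search_products(db, "widget-00"))  # 9 rows, sorted by name
    print(len(search_products(db, "widget", page_size=10_000)))  # capped at MAX_ROWS
    print(search_products(db, "%"))  # []: the % is a literal, not a wildcard
    try:
        search_products(db, "widget", sort_by="(SELECT price FROM products LIMIT 1)")
    except ValueError as err:
        print("rejected:", err)
    print(user_filter_vulnerable("*)(uid=*"))
    print(user_filter("*)(uid=*"))
```

The hostile `sort_by` value is rejected outright rather than escaped: quote escaping has no effect on an identifier position, which is the caveat behind the "last resort" note above. The LIMIT clamp does not stop an injection, it bounds how many rows a single successful one can return.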

🧠 Lessons Learned

  • Injection remains a significant security risk despite its lower ranking.
  • Awareness and understanding of various types of injection attacks are crucial for developers and security professionals.
  • Implementing best practices in coding and data handling can significantly reduce the risk of injection vulnerabilities.

Stay vigilant and proactive in securing applications against injection attacks!
