Understanding OWASP Top 10: A3 Injection Attacks Explained
Breaking Down OWASP Top 10 - A3: A Guide to Injection Attacks
Where Can We Find It?
Injection vulnerabilities occur when untrusted input is concatenated into a command or query and handed to an interpreter (SQL, a shell, an LDAP server, a browser's HTML parser), so that text the attacker controls is parsed as part of the command instead of as data. You can find injection issues in:
Web Applications (Login forms, search bars, comment sections)
APIs (Query parameters, headers, JSON inputs)
Databases (SQL queries in backend code)
Command-line interfaces (CLI) (Unsafe execution of user input)
How Does It Work?
When an application builds a command or query by string concatenation and does not strictly validate the input, an attacker can supply text that changes the structure of that command, and the interpreter runs it with the application's privileges.
💀 Example: SQL Injection (SQLi)
A website login form asks for a username and password, and the backend builds its query by pasting both values into a string.
A normal user enters:
Username: admin
Password: 1234
An attacker enters:
Username: admin' --
Password: anything
The query becomes:
SELECT * FROM users WHERE username = 'admin' --' AND password = 'anything'
The -- starts a SQL comment, so everything after it (the password check) is ignored, and the attacker logs in as admin without knowing the password. (In MySQL the comment marker must be followed by whitespace, which is why the payload ends in a space after --.)
Common Types of Injection Attacks
1️⃣ SQL Injection (SQLi)
Injecting SQL queries to read, modify, or delete data.
Example: Retrieving all user details:
' OR 1=1 --
Fix: Use prepared statements (parameterized queries).
2️⃣ Command Injection
Injecting system commands via user input fields.
Example: A vulnerable server-side script:
os.system("ping " + user_input)
If the user enters 127.0.0.1; rm -rf /, the shell runs ping and then rm -rf / with the privileges of the web server process.
Fix: Pass the command and its arguments as a list to subprocess.run (no shell), validate the host against an allowlist, and avoid spawning commands at all when a library call does the job.
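The following is an added example, not code from the original article: it runs the vulnerable pattern above through a shell with a harmless payload (echo INJECTED instead of rm -rf /) and then shows the hardened version. It assumes a POSIX /bin/sh; ping may or may not be installed, but the injected echo runs either way, which is the point.

```python
import re
import subprocess

# Allowlist for a hostname or IPv4 literal. The first character may not be '-':
# otherwise "-f" or "-c 9999" would pass validation and become a ping option
# (argument injection), even when no shell is involved.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_shell_command(user_input):
    """What os.system("ping " + user_input) hands to /bin/sh: one string, untouched.
    -c 1 -W 1 only keep the demonstration short."""
    return "ping -c 1 -W 1 " + user_input


def ping_vulnerable(user_input):
    # shell=True reproduces os.system: ';', '&&', '|' and $(...) are all interpreted
    # by the shell, so the second command runs whether or not ping exists.
    done = subprocess.run(build_shell_command(user_input), shell=True,
                          capture_output=True, text=True, timeout=15)
    return done.stdout


def validate_host(user_input):
    """True only if the whole input is made of allowlisted hostname characters."""
    return HOST_RE.fullmatch(user_input) is not None


def ping_safe(user_input):
    if not validate_host(user_input):
        raise ValueError("rejected host: %r" % user_input)
    # Argument list and no shell: the host becomes exactly one argv entry of ping,
    # so metacharacters are never interpreted.
    done = subprocess.run(["ping", "-c", "1", "-W", "1", user_input],
                          capture_output=True, text=True, timeout=15)
    return done.stdout


if __name__ == "__main__":
    attacker_input = "127.0.0.1; echo INJECTED"   # constructed payload
    print(ping_vulnerable(attacker_input))          # output ends with INJECTED
    print(validate_host(attacker_input))            # False
```

The allowlist matters even with the list form: without the leading-character rule, an attacker cannot run a second command but can still steer ping with its own options.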
3️⃣ Cross-Site Scripting (XSS)
Injecting JavaScript into a webpage to steal cookies or perform actions on behalf of users.
Example: A comment box where an attacker posts:
<script>alert('Hacked!');</script>
Any user visiting that page will see an alert or worse, have their session hijacked.
Fix: Encode output for the context it lands in (HTML body, attribute, JavaScript, URL) rather than trying to sanitize input, and add a Content Security Policy (CSP) as a second layer.
4️⃣ LDAP Injection
Injecting malicious input into LDAP queries to bypass authentication.
Example: a username of
*)(|(password=*
closes the attribute clause the username sits in and adds an OR branch that is true for any entry with a password attribute, so the filter no longer tests the real password.
Fix: LDAP filters have no bind parameters the way SQL does. Escape the filter metacharacters * ( ) \ and NUL (RFC 4515) with your LDAP library's escaping function, and prefer authenticating with a bind using the user's own credentials instead of comparing passwords inside a search filter.
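An added example (not from the article) of RFC 4515 filter escaping in plain Python. It assumes a login filter of the form (&(uid=USER)(userPassword=PASS)), which the article does not spell out; the payload is the one quoted above.

```python
# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed filter template (not given in the article).
LOGIN_FILTER = "(&(uid=%s)(userPassword=%s))"


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    # Character-by-character so the backslash introduced by one escape is never re-escaped.
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(user, password):
    # Raw interpolation: * ( ) in the input become filter syntax.
    return LOGIN_FILTER % (user, password)


def build_filter_safe(user, password):
    return LOGIN_FILTER % (escape_filter_value(user), escape_filter_value(password))


def filter_parens_balanced(ldap_filter):
    """Cheap structural check: an injected value usually leaves the parentheses unbalanced."""
    return ldap_filter.count("(") == ldap_filter.count(")")


if __name__ == "__main__":
    payload = "*)(|(password=*"   # the article's payload
    print(build_filter_vulnerable(payload, "x"))   # (&(uid=*)(|(password=*)(userPassword=x))
    print(build_filter_safe(payload, "x"))         # (&(uid=\2a\29\28|\28password=\2a)(userPassword=x))
```

With escaping, the whole payload is matched as a literal uid value, so the (uid=*) wildcard and the injected OR branch never reach the server's filter parser. Real libraries ship this routine (for example ldap3's escape_filter_chars); the better design is still to verify the password by binding as the user, so it never appears in a filter at all.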
5️⃣ NoSQL Injection
Injecting malicious input into NoSQL databases like MongoDB.
Example:
{"username": {"$ne": null}, "password": {"$ne": null}}
Both conditions are true for every document whose fields are not null, so the query matches the first user in the collection (often the admin) and the attacker is logged in without credentials.
Fix: Check types before building the query and reject anything that is not a plain string, so a JSON object can never turn into a query operator; compare passwords against stored hashes in code rather than inside the query.
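Added example, not from the article: a login that forwards the decoded JSON body straight into a find_one query, beside one that enforces string types first. The sample users and the tiny matcher (which imitates MongoDB equality and $ne just enough to show the bypass) are constructed for this example; a real application would call pymongo's collection.find_one with the same query dict.

```python
# Constructed sample collection. Clear-text passwords only to keep the example short;
# a real system stores a salted hash and checks it in code.
USERS = [
    {"username": "admin", "password": "1234"},
    {"username": "alice", "password": "hunter2"},
]


def _field_matches(actual, expected):
    """Toy imitation of MongoDB matching: plain equality, plus the $ne operator."""
    if isinstance(expected, dict) and "$ne" in expected:
        return actual != expected["$ne"]
    return actual == expected


def find_one(collection, query):
    """Stand-in for collection.find_one(query) in pymongo."""
    for doc in collection:
        if all(_field_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    # The decoded JSON values go into the query untouched, so an object such as
    # {"$ne": None} is interpreted as an operator instead of a username.
    return find_one(USERS, {"username": body["username"], "password": body["password"]})


def credentials_are_strings(body):
    """True only when both fields are present and are plain strings."""
    return isinstance(body.get("username"), str) and isinstance(body.get("password"), str)


def login_safe(body):
    # Type check before the query: reject (a real handler would answer HTTP 400).
    if not credentials_are_strings(body):
        return None
    return find_one(USERS, {"username": body["username"], "password": body["password"]})


if __name__ == "__main__":
    attack = {"username": {"$ne": None}, "password": {"$ne": None}}   # the article's payload
    print(login_vulnerable(attack))   # {'username': 'admin', ...}: logged in as admin
    print(login_safe(attack))         # None
```

The same mistake is reachable through query strings in frameworks that parse username[$ne]= into a nested object (Express with qs extended parsing), so the type check belongs on every input path, not only JSON.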
How to Mitigate Injection Attacks?
✅ 1. Use Parameterized Queries (Prepared Statements)
Prevent SQLi by binding user inputs instead of directly inserting them into queries.
Example (Python with a MySQL driver such as mysql-connector or PyMySQL; %s is the driver's placeholder, not string formatting, and sqlite3 uses ? instead):
cursor.execute("SELECT * FROM users WHERE username = %s", (user_input,))
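To make the login example from the top of the page and this fix concrete, here is an added example (not from the article) that runs both the concatenated query and the parameterized one against an in-memory SQLite table. The table and its rows are constructed for the demonstration; SQLite is used so it runs without a server, and it accepts the same -- comments as MySQL.

```python
import sqlite3


def make_db():
    # Constructed sample table. Passwords are stored in clear only to mirror the
    # article's query; a real application stores password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "1234"), ("alice", "hunter2"), ("bob", "s3cret")])
    conn.commit()
    return conn


DB = make_db()


def vulnerable_query(username, password):
    """Builds the query by concatenation, exactly as the article's login form does."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(username, password, conn=DB):
    # The input is parsed as SQL grammar: a quote ends the literal, -- comments out the rest.
    rows = conn.execute(vulnerable_query(username, password)).fetchall()
    return [row[1] for row in rows]          # usernames of the matched rows


def login_safe(username, password, conn=DB):
    # Placeholders (? here, %s with MySQL drivers): the values travel separately from the
    # SQL text, so a quote or -- inside them is compared as data, never parsed as SQL.
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ? ORDER BY id",
        (username, password),
    ).fetchall()
    return [row[1] for row in rows]


if __name__ == "__main__":
    print(vulnerable_query("admin' --", "anything"))
    print(login_vulnerable("admin' --", "anything"))   # ['admin']: logged in as admin
    print(login_vulnerable("' OR 1=1 --", "x"))        # every user
    print(login_safe("admin' --", "anything"))         # []
```

Note that the safe version never escapes anything by hand; escaping routines exist in most drivers but are easy to apply in the wrong place, while a placeholder cannot be misapplied.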
✅ 2. Validate & Sanitize User Input
Allow only expected characters, with the allowlist defined from the field's real format (an email allowlist needs at least letters, digits, @, ., +, - and _; a hostname field needs letters, digits, dots and hyphens).
Treat validation as a second line of defence: it narrows what an attacker can send, but it does not replace parameterization, because many fields (a name like O'Brien, a free-text comment) legitimately contain characters that are dangerous in a query. Stripping "dangerous" characters is unreliable for the same reason.
✅ 3. Escape User Input Properly
Use HTML entity encoding so the browser renders user input as text instead of markup.
Example: Convert <script> into &lt;script&gt; before writing it into the page.
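Added example (not from the article) covering the comment-box XSS above and this encoding step: the same comment rendered raw and rendered through Python's html.escape, plus the response headers that add a CSP as the second layer. The page template, the CSP value and the assumption that the site serves its own scripts from its own origin are mine, not the article's.

```python
import html

# The attacker's comment from the article.
PAYLOAD = "<script>alert('Hacked!');</script>"

# Assumption: first-party scripts only. No 'unsafe-inline', so an injected inline
# <script> block is refused even if an encoding step is missed somewhere.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def escape_for_html(text):
    """HTML body/attribute context: & < > " ' become entities."""
    return html.escape(text, quote=True)


def render_comment_vulnerable(comment):
    # Raw interpolation: the browser parses the comment as markup.
    return '<li class="comment">%s</li>' % comment


def render_comment_safe(comment):
    # quote=True also escapes " and ', so the same function is safe inside a quoted attribute.
    # It is NOT enough for a JavaScript string, a URL or a CSS value; those need their own encoders.
    return '<li class="comment">%s</li>' % escape_for_html(comment)


def render_page(comments, safe=True):
    render = render_comment_safe if safe else render_comment_vulnerable
    items = "\n".join(render(c) for c in comments)
    return "<!doctype html>\n<html><body><ul>\n%s\n</ul></body></html>" % items


def response_headers():
    return {"Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": CSP}


def contains_script_tag(markup):
    """True if a real <script> element survives in the rendered page."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_page([PAYLOAD], safe=False))   # the script tag is live
    print(render_page([PAYLOAD]))               # &lt;script&gt;...: plain text
```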
✅ 4. Implement Web Application Firewall (WAF)
- A WAF can detect and block known injection patterns and is useful for monitoring and defence in depth, but attackers routinely bypass signature rules, so it never replaces fixing the code.
✅ 5. Use Content Security Policy (CSP) for XSS Protection
- Restrict script sources to your own origin and do not allow inline scripts (no 'unsafe-inline'), so an injected <script> block does not run even if an encoding step is missed.
✅ 6. Least Privilege Principle for Database Access
Don’t use root/admin accounts for database connections.
Use separate read-only accounts where possible.
Real-World Case Study: Sony PlayStation Network Breach (2011)
What Happened?
The intrusion into Sony's PlayStation Network (PSN) is commonly attributed to an SQL injection flaw; Sony itself never publicly confirmed the technical vector.
Attackers accessed roughly 77 million account records, including names, addresses, email addresses, birth dates and login credentials, and possibly payment card data (Sony said card numbers were encrypted and that it found no evidence they were taken).
Sony estimated the cost at about $171 million, and PSN stayed offline for 23 days.
What the Fix Looks Like
✅ Replace concatenated queries with prepared statements.
✅ Enforce strict input validation at every entry point.
✅ Monitor for suspicious activity. Sony's announced measures after the breach included automated software monitoring and configuration management, stronger encryption, additional firewalls and a new chief information security officer role.
Lesson: Never treat user input as code. Parameterize queries, encode output for its context, and validate all inputs to prevent injection attacks. 🚀