10/1/2025 • 3 min read

Injection Attacks: OWASP Top 10 Explained

Estimated reading time: ~10 minutes

The Problem

The first major SQL injection attack was documented in 1998. Nearly 30 years later, it's still on the OWASP Top 10.

Why? Because injection attacks remain one of the most effective ways to compromise applications, even in 2025.

What It Is

Injection happens when untrusted input is executed as code or a query.

The attacker sends malicious data that gets interpreted as commands by the application.

How Injection Works

Input Validation Failure: App doesn't properly validate user input
Dynamic Query Construction: App builds queries by concatenating strings
Code Execution: Malicious input gets executed as part of the query/code
Data Exposure: Attacker gains unauthorized access to data or system

Types of Injection

1. SQL Injection (SQLi)

Most common type, affecting databases.

Example:


-- Vulnerable code
SELECT * FROM users WHERE id = '1 OR 1=1';
-- Returns every user in the database

2. NoSQL Injection

Affects NoSQL databases like MongoDB, CouchDB.

Example:


// Vulnerable MongoDB query
db.users.find({username: {"$ne": null}, password: {"$ne": null}})
// Bypasses authentication

3. OS Command Injection

Executes system commands on the server.

Example:


# Vulnerable code
system("ping " + user_input);
# Attacker inputs: "google.com; rm -rf /"

4. LDAP Injection

Affects LDAP directory services.

Example:


# Vulnerable LDAP query
(&(objectClass=user)(uid=*)(|(objectClass=*)))
# Returns all objects

5. XPath Injection

Affects XML-based applications.

Example:


//user[username='admin' or '1'='1' and password='anything']
# Bypasses authentication

Real-World Example

Sony Pictures (2011): Attackers exploited SQL injection to exfiltrate millions of records, including employee data, emails, and unreleased movies.

Target (2013): SQL injection in a third-party vendor's system led to the compromise of 40 million credit card numbers.

Why It Matters

Still Common: Despite being known for decades, injection remains prevalent
High Impact: Can lead to complete database compromise
Easy to Exploit: Many automated tools make injection attacks trivial
Compliance Issues: Violates PCI DSS, GDPR, and other regulations

How to Prevent It

1. Use Parameterized Queries / Prepared Statements


// Good: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

// Bad: String concatenation
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.query(query);

2. Avoid String Concatenation

Never build queries by concatenating strings with user input.

3. Apply Strong Input Validation


// Validate input format and length
if (!/^[a-zA-Z0-9]+$/.test(username) || username.length > 50) {
  throw new Error('Invalid username');
}

Related: Input validation is also essential for preventing Security Misconfiguration vulnerabilities, which can expose your application to a wide range of attacks.

4. Employ ORMs Safely


// Good: Using ORM with parameterized queries
const user = await User.findOne({ where: { id: userId } });

// Bad: Raw queries without proper escaping
const user = await sequelize.query(`SELECT * FROM users WHERE id = ${userId}`);

5. Use Least Privilege Database Accounts

Don't use admin accounts for application queries
Limit database permissions to only what's needed
Use read-only accounts where possible

Related: This connects to Broken Access Control principles — users should only have the minimum permissions needed.

6. Implement Web Application Firewalls (WAF)

Deploy WAF to detect and block injection attempts
Configure rules specifically for your application

Tools

SQLMap: Automated SQL injection testing tool
Rafter: Scans for unsafe patterns and injection vulnerabilities
OWASP ZAP: Free security testing tool with injection detection
Burp Suite: Professional web application security testing

Conclusion

Injection remains common but entirely preventable. Use modern frameworks, parameterized queries, and proper input validation.

Next Steps:

Audit your current input validation and query construction
Replace string concatenation with parameterized queries
Implement proper input validation frameworks
Run a Rafter scan to check your application for injection vulnerabilities before attackers do

10/1/2025 • 3 min read

Injection Attacks: OWASP Top 10 Explained

Estimated reading time: ~10 minutes

The Problem

The first major SQL injection attack was documented in 1998. Nearly 30 years later, it's still on the OWASP Top 10.

Why? Because injection attacks remain one of the most effective ways to compromise applications, even in 2025.

What It Is

Injection happens when untrusted input is executed as code or a query.

The attacker sends malicious data that gets interpreted as commands by the application.

How Injection Works

Input Validation Failure: App doesn't properly validate user input
Dynamic Query Construction: App builds queries by concatenating strings
Code Execution: Malicious input gets executed as part of the query/code
Data Exposure: Attacker gains unauthorized access to data or system

Types of Injection

1. SQL Injection (SQLi)

Most common type, affecting databases.

Example:


-- Vulnerable code
SELECT * FROM users WHERE id = '1 OR 1=1';
-- Returns every user in the database

2. NoSQL Injection

Affects NoSQL databases like MongoDB, CouchDB.

Example:


// Vulnerable MongoDB query
db.users.find({username: {"$ne": null}, password: {"$ne": null}})
// Bypasses authentication

3. OS Command Injection

Executes system commands on the server.

Example:


# Vulnerable code
system("ping " + user_input);
# Attacker inputs: "google.com; rm -rf /"

4. LDAP Injection

Affects LDAP directory services.

Example:


# Vulnerable LDAP query
(&(objectClass=user)(uid=*)(|(objectClass=*)))
# Returns all objects

5. XPath Injection

Affects XML-based applications.

Example:


//user[username='admin' or '1'='1' and password='anything']
# Bypasses authentication

Real-World Example

Sony Pictures (2011): Attackers exploited SQL injection to exfiltrate millions of records, including employee data, emails, and unreleased movies.

Target (2013): SQL injection in a third-party vendor's system led to the compromise of 40 million credit card numbers.

Why It Matters

Still Common: Despite being known for decades, injection remains prevalent
High Impact: Can lead to complete database compromise
Easy to Exploit: Many automated tools make injection attacks trivial
Compliance Issues: Violates PCI DSS, GDPR, and other regulations

How to Prevent It

1. Use Parameterized Queries / Prepared Statements


// Good: Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

// Bad: String concatenation
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.query(query);

2. Avoid String Concatenation

Never build queries by concatenating strings with user input.

3. Apply Strong Input Validation


// Validate input format and length
if (!/^[a-zA-Z0-9]+$/.test(username) || username.length > 50) {
  throw new Error('Invalid username');
}

Related: Input validation is also essential for preventing Security Misconfiguration vulnerabilities, which can expose your application to a wide range of attacks.

4. Employ ORMs Safely


// Good: Using ORM with parameterized queries
const user = await User.findOne({ where: { id: userId } });

// Bad: Raw queries without proper escaping
const user = await sequelize.query(`SELECT * FROM users WHERE id = ${userId}`);

5. Use Least Privilege Database Accounts

Don't use admin accounts for application queries
Limit database permissions to only what's needed
Use read-only accounts where possible

Related: This connects to Broken Access Control principles — users should only have the minimum permissions needed.

6. Implement Web Application Firewalls (WAF)

Deploy WAF to detect and block injection attempts
Configure rules specifically for your application

Tools

SQLMap: Automated SQL injection testing tool
Rafter: Scans for unsafe patterns and injection vulnerabilities
OWASP ZAP: Free security testing tool with injection detection
Burp Suite: Professional web application security testing

Conclusion

Injection remains common but entirely preventable. Use modern frameworks, parameterized queries, and proper input validation.

Next Steps:

Audit your current input validation and query construction
Replace string concatenation with parameterized queries
Implement proper input validation frameworks
Run a Rafter scan to check your application for injection vulnerabilities before attackers do