OWASP Top 10 explained - 03 Injection


Injection vulnerabilities have been a security risk for decades – and they’re still a major issue today, appearing in the number three slot on the OWASP Top 10. Let’s take a closer look at what they are.

01 – What is injection?

Injection occurs when an application improperly processes untrusted data, allowing attackers to modify queries, execute commands, or manipulate system behaviour.

At their core, injection vulnerabilities stem from a failure to separate data from commands. If an application blindly processes user input as executable code or query text, it becomes vulnerable to a range of attacks, including:

  • SQL Injection (SQLi) – Attackers inject SQL commands to steal, alter, or delete data from databases.
  • XML injection (including XML External Entity, XXE) – Attackers manipulate XML input to access sensitive data, trigger remote requests, or perform denial-of-service (DoS) attacks.
  • Command injection – Arbitrary shell commands are executed on the server, potentially compromising entire systems.
  • LDAP injection – Attackers manipulate LDAP queries to gain unauthorised access to directory services.
  • NoSQL injection – NoSQL databases (e.g. MongoDB) are exploited by injecting malicious JSON or query parameters.

02 – How is it exploited?

Some basic examples:

  • An attacker could use SQLi to exploit a database simply by manipulating a query. Something as simple as – SELECT * FROM users WHERE id='123' OR '1'='1' – can trick the system into returning all records.
  • A user session could be compromised by using an XSS attack to inject JavaScript into a webpage, stealing session cookies or executing commands on behalf of a user.
  • A command injection flaw could allow an attacker to append arbitrary commands to system calls, potentially granting them full control over a server.

These sound simple, but they’re immensely powerful – back in 2017 attackers exploited an Apache Struts vulnerability to inject commands that led to the theft of 143 million records.

03 – How do you prevent injection?

The best defence, as it usually is, would be a Secure by Design approach – ensuring controls like those listed below are embedded from the start.

  • Use parameterised queries and prepared statements – Always separate user input from database queries.
  • Implement input validation and sanitisation – Reject invalid inputs (always server-side) and encode output to prevent script execution.
  • Adopt secure authentication and authorisation – Apply the Principle of Least Privilege (PoLP) and prevent unauthorised access to sensitive data.
  • Use Web Application Firewalls (WAFs) and Runtime Protection (RASP) – These can filter out malicious requests before they reach your application.
  • Secure comms channels – Always enforce TLS 1.2/1.3 and implement HTTP Strict Transport Security (HSTS).
  • Automate security testing – Regularly scan for vulnerabilities using SAST, DAST, and IAST tools, and conduct pen tests to identify weaknesses.
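To make the first two controls concrete, here is an added example (not code from the original article) that runs the SQLi query from section 02 against a constructed in-memory SQLite table, once through string concatenation and once through a parameterised query, with an allow-list validator in front. Table layout, row contents and the `validate_user_id` rule are assumptions for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo; not from the original article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("123", "alice"), ("456", "bob"), ("789", "carol")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Untrusted input is spliced straight into the statement text, so data and
    # command are not separated: the root cause the article describes.
    query = f"SELECT id, name FROM users WHERE id='{user_id}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterised query: the driver passes the value separately from the
    # statement, so whatever the input contains is treated only as data.
    return conn.execute(
        "SELECT id, name FROM users WHERE id=?", (user_id,)
    ).fetchall()


def validate_user_id(user_id: str) -> bool:
    # Server-side allow-list validation (assumed rule: ids are short digit
    # strings). Defence in depth on top of parameterisation, not a replacement.
    return user_id.isdigit() and len(user_id) <= 10


def compare(user_id: str) -> tuple[int, int, bool]:
    # Returns (rows from vulnerable query, rows from safe query, passed validation).
    conn = make_db()
    try:
        vulnerable = len(lookup_user_vulnerable(conn, user_id))
        safe = len(lookup_user_safe(conn, user_id))
    finally:
        conn.close()
    return vulnerable, safe, validate_user_id(user_id)


if __name__ == "__main__":
    print(compare("123"))             # normal lookup -> (1, 1, True)
    print(compare("123' OR '1'='1"))  # article's payload -> (3, 0, False)
```

The concatenated query returns every row for the article's input, while the parameterised version returns none because no id literally equals that string; the validator would have rejected it before any query ran.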

Injection attacks are not just a coding oversight; they're an open door for attackers. The good news? These vulnerabilities can be eliminated with secure coding, robust validation, and proactive monitoring.

Posted 11 Mar 25


Logical Peak Ltd. ©