Some form of injection affects 94% of applications, and 33 CWEs are mapped to this category, including Cross-site Scripting (XSS).
Injections occur when user input is sent to an interpreter using insecure APIs or without validation, sanitization, or neutralization.
If the input can change the semantics of the request, then an injection occurs. The type of injection varies according to the interpreter:
- Database: SQL Injection.
- Command line: Command Injection.
- ORM Objects: ORM Injection.
- Browser: Cross-Site Scripting (XSS).
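As an added example (not code from the original page), the following Python shows the control/data separation point for two of the interpreters listed: a SQL statement built by string concatenation lets the input alter the statement's structure, while a bound parameter keeps it data; for the browser, HTML entity encoding plays the same neutralizing role. The user table and the inputs are constructed inline.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_concat(conn, name):
    """Vulnerable: input is spliced into the SQL text, so it can alter the
    statement's structure (control flow), not just supply a value (data)."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_param(conn, name):
    """Fixed: a bound parameter reaches the engine as data only; the
    statement's structure is settled before any user input is seen."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render_greeting_unsafe(name):
    """Vulnerable: raw input becomes part of the HTML the browser interprets."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Fixed: entity encoding neutralizes characters that carry HTML syntax."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both interpreters against benign and constructed crafted input."""
    conn = make_db()
    crafted_sql = "' OR '1'='1"                 # closes the literal, appends a tautology
    crafted_html = "<script>alert(1)</script>"  # textbook HTML syntax in user data
    return {
        "concat_benign": find_user_concat(conn, "alice"),
        "concat_crafted": find_user_concat(conn, crafted_sql),  # every user is returned
        "param_benign": find_user_param(conn, "alice"),
        "param_crafted": find_user_param(conn, crafted_sql),    # matches nothing
        "html_unsafe": render_greeting_unsafe(crafted_html),
        "html_safe": render_greeting_safe(crafted_html),
    }
```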
| OWASP Top 10 Application Security Risks - 2021 | Reference |
|---|---|
| A03:2021 – Injection | OWASP |
> Injection issues occur due to the incorrect separation between control flow and data flow.

(Francesco Ongaro)