# Injection (A03:2021)

Injection flaws occur when an application sends hostile data to an interpreter. This includes SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection.

## Overview

Injection slides down to #3. 94% of applications were tested for some form of injection. The 33 CWEs mapped into this category have the second most occurrences in applications.

## How Attackers Exploit This

### SQL query manipulation

User input is incorporated into database queries without proper sanitization, allowing attackers to modify query logic or extract unauthorized data.

**Detection signal:** Database errors in responses, unusual query patterns in logs, timing anomalies

### Command execution

User input flows into system commands, allowing attackers to execute arbitrary commands on the server.

**Detection signal:** Unexpected process spawns, unusual system calls in audit logs

### Script injection in pages

User content is reflected in web pages without encoding, allowing script execution in other users' browsers.
**Detection signal:** Script tags or event handlers appearing in user-generated content

## How to Prevent

- Use a safe API which avoids using the interpreter entirely
- Use parameterized queries or prepared statements
- Use positive server-side input validation
- Escape special characters for any residual dynamic queries
- Use LIMIT and other SQL controls to prevent mass disclosure

## CWEs with Detection Rules (9)

- **CWE-20**: Improper Input Validation (13 rules) [python, go, javascript, typescript]
- **CWE-94**: Improper Control of Generation of Code ('Code Injection') (10 rules) [go, javascript, typescript, python]
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (7 rules) [go, javascript, typescript, python]
- **CWE-79**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4 rules) [javascript, typescript, python]
- **CWE-74**: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-90**: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-93**: Improper Neutralization of CRLF Sequences ('CRLF Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-113**: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (3 rules) [go, javascript, typescript, python]

## Other Mapped CWEs (24)

- CWE-75
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-80
- CWE-83
- CWE-87
- CWE-88
- CWE-91
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- CWE-96
- CWE-97
- CWE-98
- CWE-99
- CWE-100
- CWE-116
- CWE-138
- CWE-184
- CWE-470
- CWE-471
- CWE-564
- CWE-610
- CWE-643
- CWE-644
- CWE-652
- CWE-917

## Quick Reference

- Total CWEs: 33
- With Shoulder rules: 9
- Detection rules: 49
- Critical rules: 16
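The "SQL query manipulation" weakness and the "How to Prevent" controls above, side by side, as an added example that is not part of the original page: a lookup that splices input into SQL text beside one that applies positive validation, a parameterized query and a LIMIT. The `users` table and its rows are constructed sample data; function names are the author's own.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE (CWE-89): the input becomes part of the SQL text, so the
    interpreter parses it as query syntax rather than as a value."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Positive (allowlist) validation: only the shape a username may have.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_user_safe(conn: sqlite3.Connection, username: str, limit: int = 1) -> list:
    """Hardened: validate server-side, bind the value as a parameter so it can
    never change query structure, and cap the row count with LIMIT."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    sql = "SELECT username, email FROM users WHERE username = ? LIMIT ?"
    return conn.execute(sql, (username, limit)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_safe(db, "alice"))
```

The unsafe variant returns every row for an input containing a quote and an `OR` clause; the safe variant rejects that input before it reaches the driver, and a well-formed username yields at most `limit` rows.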