# Injection (A05:2025)

Injection flaws occur when an application sends hostile data to an interpreter. This includes SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection.

## Overview

Falls from #3 to #5 in 2025. Injection remains one of the most tested categories, covering issues from Cross-site Scripting (high frequency/low impact) to SQL Injection (low frequency/high impact).

## How Attackers Exploit This

### SQL query manipulation

User input is incorporated into database queries without proper sanitization, allowing attackers to modify query logic or extract unauthorized data.

**Detection signal:** Database errors in responses, unusual query patterns in logs, timing anomalies

### Command execution

User input flows into system commands, allowing attackers to execute arbitrary commands on the server.

**Detection signal:** Unexpected process spawns, unusual system calls in audit logs

### Cross-site scripting (XSS)

User content is reflected or stored in web pages without encoding, allowing script execution in other users' browsers.

**Detection signal:** Script tags or event handlers appearing in user-generated content

## How to Prevent

- Use a safe API which avoids using the interpreter entirely
- Use parameterized queries or prepared statements
- Use positive server-side input validation
- Escape special characters for any residual dynamic queries
- Use LIMIT and other SQL controls to prevent mass disclosure
- Use Content Security Policy to mitigate XSS impact

## CWEs with Detection Rules (9)

- **CWE-20**: Improper Input Validation (13 rules) [python, go, javascript, typescript]
- **CWE-94**: Improper Control of Generation of Code ('Code Injection') (10 rules) [go, javascript, typescript, python]
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (7 rules) [go, javascript, typescript, python]
- **CWE-79**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4 rules) [javascript, typescript, python]
- **CWE-74**: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-78**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-90**: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-93**: Improper Neutralization of CRLF Sequences ('CRLF Injection') (3 rules) [go, javascript, typescript, python]
- **CWE-113**: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (3 rules) [go, javascript, typescript, python]

## Other Mapped CWEs (24)

- CWE-75: CWE-75
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-80: CWE-80
- CWE-83: CWE-83
- CWE-87: CWE-87
- CWE-88: CWE-88
- CWE-91: CWE-91
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- CWE-96: CWE-96
- CWE-97: CWE-97
- CWE-98: CWE-98
- CWE-99: CWE-99
- CWE-100: CWE-100
- CWE-116: CWE-116
- CWE-138: CWE-138
- CWE-184: CWE-184
- CWE-470: CWE-470
- CWE-471: CWE-471
- CWE-564: CWE-564
- CWE-610: CWE-610
- CWE-643: CWE-643
- CWE-644: CWE-644
- CWE-652: CWE-652
- CWE-917: CWE-917

## Quick Reference

- Total CWEs: 33
- With Shoulder rules: 9
- Detection rules: 49
- Critical rules: 16
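The three exploitation patterns above (SQL query manipulation, command execution, XSS) and the controls listed under "How to Prevent" map onto a few lines of code each. The following is an added, self-contained example written for this page; it is not code from OWASP or from the Shoulder rule set. It uses only the Python standard library, the sample `users` table and the comment strings are constructed inline, and `echo` stands in for whatever external tool a real application would call so that the block runs offline. Each vulnerable form is placed beside its hardened counterpart: string concatenation beside a parameterized query with a positive allowlist and a `LIMIT`, a shell-free argument vector for OS commands, and output encoding for HTML.

```python
"""Injection (A05): vulnerable patterns beside their hardened forms.

Added example, not from the OWASP page or any project. Standard library only:
sqlite3 for CWE-89, subprocess for CWE-78, html for CWE-79.
"""
import html
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


# --- SQL injection (CWE-89) -------------------------------------------------

def find_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is concatenated into the SQL text, so a quote in
    `name` ends the literal and the rest becomes query logic. A classic
    "x' OR '1'='1" value turns a single-row lookup into a full table dump."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a parameterized query. The driver binds `name` as a value,
    never as SQL text, so the same payload simply matches no row. LIMIT 1
    caps what one lookup can return even if something else goes wrong."""
    sql = "SELECT email FROM users WHERE name = ? LIMIT 1"
    return [row[0] for row in conn.execute(sql, (name,))]


# Positive (allowlist) validation, applied server-side before the query.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name: str) -> str:
    """Reject anything outside the allowlist; returns the value unchanged."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username fails allowlist validation")
    return name


# --- OS command injection (CWE-78) ------------------------------------------

def run_argv(argv: list) -> str:
    """Hardened: the command is passed as an argument vector with shell=False
    (the subprocess default), so no shell ever parses the string. Metacharacters
    such as ';' reach the program as ordinary bytes of one argument. The
    vulnerable equivalent would be subprocess.run(f"tool {host}", shell=True)."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def echo_host(host: str) -> str:
    """Defense in depth: allowlist the hostname, then call the tool via argv.
    `echo` is a stand-in for a real network tool so this runs offline."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("hostname fails allowlist validation")
    return run_argv(["echo", host])


# --- Cross-site scripting (CWE-79) ------------------------------------------

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user content is inserted into the page without encoding."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode for the output context (quote=True also encodes
    quotes, so the value is safe inside attributes). Pair with a Content
    Security Policy so that a missed encoding has less impact."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe :", find_email_unsafe(db, payload))   # both rows leak
    print("param  :", find_email_param(db, payload))    # []
    print("argv   :", run_argv(["echo", "db01; id"]))   # db01; id
    print("html   :", render_comment_safe("<script>alert(1)</script>"))
```

The parameterized query is the structural fix; the allowlist is an additional layer that also shrinks the input space the database and the tool ever see, which is why the prevention list asks for both. The same split applies to the command case: `run_argv` removes the shell from the path entirely, while `echo_host` adds validation on top.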