Listed as #3 on the OWASP Top 10 list, injection occurs when an attacker sends malicious data to an app to make it do something it’s not supposed to do.
Injection becomes possible whenever an application builds a command or code that includes data supplied from outside and that then gets run somewhere else, such as in a database or a browser. The two most common types of injection are cross-site scripting (XSS) and SQL injection. Cross-site scripting occurs when an attacker injects malicious executable scripts into a web page. An SQL injection occurs when an attacker injects malicious SQL statements that get executed in a database.
Injection was previously listed as #1 on the OWASP Top 10 list for the most common vulnerabilities in web applications, but it moved to third in 2021.
In this video, Jonathan Knudsen, head of global research at the Cybersecurity Research Center, demonstrates how an attacker can compromise a web application using SQL injection and XSS. Viewers also learn what security activities can help mitigate these types of attacks.