OWASP TOP 10 / A03:2021
Injection
Untrusted input is interpreted as part of a command or query rather than as data: SQL, OS command and LDAP injection, and cross-site scripting (XSS), which the 2021 list folds into this category.
Injection happens whenever user-controlled data is sent to an interpreter without proper separation of code and data. SQL injection, command injection, and XSS are the classic examples.
It remains one of the most damaging risks because a single flaw can expose an entire database or execute code.
How to prevent it
Keep data out of the interpreter: use parameterized queries or prepared statements (bind values, never concatenate them into query text), context-aware output encoding for anything rendered into HTML, JavaScript, URLs or CSS, allowlist validation for inputs that cannot be parameterized such as table or column names, and safe APIs that bypass the interpreter altogether (an argument list passed to a process instead of a shell string). Escaping special characters is a last resort, not a substitute for any of these.
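The cause described above and the four controls listed under "How to prevent it", shown side by side as an added example (this is not code from the OWASP page or project). It uses Python's standard-library `sqlite3`, `html`, `re` and `subprocess` modules; the `users` table, its rows, the allowlist and every input string are constructed for the demo.

```python
"""Injection: a string-spliced SQL query beside its parameterized form,
plus allowlist validation, HTML output encoding and a shell-free
command API. Added example; all data and names are constructed."""
import html
import re
import sqlite3
import subprocess


def make_db():
    # Constructed sample data: an in-memory database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # VULNERABLE (CWE-89): the input is spliced into the query text, so the
    # SQL interpreter cannot distinguish the attacker's quote and OR from
    # the developer's code. "x' OR '1'='1" returns every row.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # SAFE: a bound parameter is sent to the engine as a value, never
    # parsed as SQL, so the same payload simply matches no user.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers (table and column names) cannot be bound as parameters,
# so the only safe option is an allowlist checked before query assembly.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT name FROM users ORDER BY " + column  # safe: allowlisted
    return [row[0] for row in conn.execute(sql)]


def render_greeting(name):
    # Context-aware output encoding for an HTML text node (CWE-79).
    # quote=True also encodes " and ' so the value is safe inside an
    # attribute value; a JavaScript or URL context would need a
    # different encoder, not this one.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Hostname allowlist: letters, digits, dots and hyphens only, so shell
# metacharacters such as ';', '|' and '$(' are rejected up front.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def build_ping_argv(host):
    # Safe API against OS command injection (CWE-78): validate the
    # input, then build an argument list. Passing a list to
    # subprocess.run (shell=False, the default) means no shell ever
    # parses the string, so a surviving metacharacter is still inert.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "1", host]


def run_argv(argv):
    # Thin wrapper kept separate so the argv construction can be tested
    # without actually sending packets.
    return subprocess.run(argv, capture_output=True, text=True)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both users
    print("safe:      ", find_user_safe(db, payload))        # []
    print(render_greeting("<script>alert(1)</script>"))
    print(build_ping_argv("example.com"))
```

The vulnerable and safe lookups differ by a single line, which is the point: the fix is not cleverer filtering of `'` but handing the value to the driver through a bind parameter. The allowlist is needed precisely where parameters do not reach (the `ORDER BY` column), and the `subprocess` wrapper never builds a shell command string at all.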
Mapped weaknesses (CWE)
CWE-79 Cross-site Scripting (XSS)
CWE-89 SQL Injection
CWE-78 OS Command Injection
CWE-94 Code Injection
CWE-77 Command Injection
CWE-90 LDAP Injection
CWE-116 Improper Encoding or Escaping of Output
Related terms
Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.