Injection Flaws
Injection vulnerabilities let visitor-provided input, such as text in a search or contact form, interact with important website files or databases. Injection flaws affect multiple languages or protocols, such as LDAP, SQL, and XML.
Malicious users can exploit injection flaws if a site isn't configured to validate input. Attackers might attempt to trick websites into providing unauthorized data, prevent specific site functions, or locate other vulnerabilities to exploit. SQL injection attacks are the most common, which execute SQL queries entered in a text form.
For example: Ann has a blog site, and she posts with the user name AnnSmith.
A malicious user enters Ann's user name and SQL commands in the account log-in fields to access Ann's account.
If the website doesn't recognize the input as invalid, the database might execute the command and return unauthorized results. In this case, the unauthorized result is access to Ann's account.
You can prevent injection flaws by keeping visitor-provided information separate from the rest of your website. A "whitelist" can help validate acceptable input, but it might not be effective if your forms allow special characters.
You can check your website for injection flaws and other common vulnerabilities with a daily vulnerability scanner, such as Website Protection Site Scanner.
To learn more about other common vulnerabilities, see the Open Web Application Security Project's Top 10 Most Critical Web Application Security Risks.
