In the latest video of our Security Culture series we give a two-minute overview of Injection, a serious class of vulnerability that can occur in any language.

Injection happens when user-supplied data is treated as part of an OS command or part of a query, usually because the input is concatenated into the command or query string. The interpreter that runs the result cannot tell the developer's code from the attacker's data, so the attacker gets to change what the command or query does.

As developers, we need to apply appropriate controls. Strict input validation is always recommended, but validation alone is not enough: in addition we need to do one or more of the following to prevent injection in the various parts of our apps:

  • Parameterize queries, so values are bound to the query rather than spliced into its text
  • Decouple user input from real file system paths, for example by mapping input to an allow-list of server-controlled paths, or by resolving the path and confirming it stays under the intended directory
  • Avoid invoking a shell at all where possible (pass arguments as an argv array to the process API); where a shell is unavoidable, use shell encoding (quoting) from a vetted library rather than hand-rolled escaping
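The three controls above, each shown next to the concatenation bug it prevents, as an added example that is not part of the original post or the video. It uses Python's standard library (sqlite3, subprocess, shlex, pathlib); the table contents, the report allow-list and the `/srv/uploads` base directory are constructed for the example.

```python
import shlex
import sqlite3
import subprocess
from pathlib import Path


# --- 1. Parameterized queries -------------------------------------------

def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # String concatenation: the input becomes part of the SQL grammar, so
    # name = "' OR '1'='1" turns the WHERE clause into a tautology.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Parameterized query: the value is bound by the driver and is never
    # parsed as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- 2. Decouple user input from file system paths ------------------------

# Opaque keys chosen by the server; the client never sends a path.
REPORTS = {"q1": "reports/2024-q1.pdf", "q2": "reports/2024-q2.pdf"}


def report_path_safe(key):
    # Allow-list lookup: unknown keys (including "../../etc/passwd") are rejected.
    try:
        return REPORTS[key]
    except KeyError:
        raise ValueError("unknown report") from None


def resolve_under(base, user_name):
    # When a user-chosen filename is unavoidable, resolve it (following ".."
    # and symlinks) and insist the result stays inside the base directory.
    base = Path(base).resolve()
    candidate = (base / user_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError("path escapes base directory") from None
    return str(candidate)


# --- 3. Avoid the shell, or encode for it ---------------------------------

def echo_vulnerable(msg):
    # shell=True plus concatenation: "; echo pwned" in msg runs a second command.
    return subprocess.run("echo " + msg, shell=True,
                          capture_output=True, text=True).stdout


def echo_safe(msg):
    # argv list, no shell: metacharacters are just bytes of one argument.
    return subprocess.run(["echo", msg], shell=False,
                          capture_output=True, text=True).stdout


def echo_quoted(msg):
    # If a shell really is required, encode the argument with shlex.quote
    # rather than hand-rolled escaping.
    return subprocess.run("echo " + shlex.quote(msg), shell=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every user
    print("safe:      ", find_user_safe(db, payload))        # no match
    print(echo_vulnerable("x; echo pwned"), end="")          # two lines
    print(echo_safe("x; echo pwned"), end="")                # one line
```

Note that the "safe" query does not validate `name` at all; parameterization keeps the input out of the query grammar regardless of its content, which is why it belongs alongside input validation rather than instead of it.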

Injection Resources

Injection resources include:

  1. The OWASP Top 10 (#1 is Injection)
  2. Sqlmap
  3. Metasploit
  4. Query Parameterization Cheat Sheet
  5. Testing for Command Injection

Matt Konda

Matt is a software engineer. He's our CEO and a former OWASP Board Member and Board Chair.
