Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Manipulate SQL queries to bypass authentication or extract data
Examples: ' OR '1'='1, UNION SELECT
Exploit NoSQL databases like MongoDB with operator injection
Examples: {"$ne": ""}, {"$gt": ""}
Execute arbitrary OS commands on the host system
Examples: ; ls -la, | cat /etc/passwd
Manipulate LDAP queries in directory services
Examples: *)(uid=*))(|(uid=*
Manipulate XPath queries in XML documents
Examples: ' or '1'='1
Inject into server-side template engines
Examples: {{7*7}}, ${7*7}
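The common thread in every entry above is that untrusted input crosses from the data channel into the code channel of some interpreter. The following Python example is added here to make that boundary concrete; it is not part of the OWASP lab material. It uses the SQL payload from the list against a constructed in-memory SQLite table, first through string concatenation and then through a parameterized query, and adds two small pre-query checks for the NoSQL operator and OS command cases. All function names (`login_vulnerable`, `login_parameterized`, `credentials_are_scalar`, `ping_command`) and the sample user record are assumptions made for this example.

```python
import shlex
import sqlite3


def make_db():
    # Constructed sample credential table (in-memory, for this example only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is spliced into the SQL text, so the database parses it as SQL.
    # With password = "' OR '1'='1" the WHERE clause becomes
    #   username = 'x' AND password = '' OR '1'='1'
    # and AND binds tighter than OR, so the condition is true for every row.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders fix the statement structure at parse time; the values are bound
    # as data afterwards, so quotes or keywords in the input never become SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def credentials_are_scalar(body, fields=("username", "password")):
    # NoSQL operator injection: a JSON body such as {"password": {"$ne": ""}} turns
    # an equality match into a "not equal to empty string" operator in MongoDB-style
    # query builders. Refuse any expected-scalar field that is not a plain string
    # before it reaches the driver (hypothetical pre-query check, not a driver API).
    return all(isinstance(body.get(f), str) for f in fields)


def ping_command(host):
    # Command injection: concatenating input into a shell string lets ';' or '|'
    # start a second command. Prefer an argv list run without a shell; if a shell
    # string is unavoidable, shlex.quote() turns the whole value into one literal word.
    argv = ["ping", "-c", "1", host]          # no shell parses this; host is one argument
    shell_form = "ping -c 1 " + shlex.quote(host)
    return argv, shell_form


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, "nobody", payload))        # True
    print("parameterized login:", login_parameterized(db, "nobody", payload))  # False
    print("operator in body rejected:",
          credentials_are_scalar({"username": "alice", "password": {"$ne": ""}}))  # False
    print("quoted shell form:", ping_command("127.0.0.1; ls -la")[1])
```

Running the block shows the same payload authenticating a non-existent user through the concatenated query and failing against the parameterized one; the NoSQL and command helpers apply the same idea one layer earlier, by refusing or neutralising input before an interpreter ever sees it.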
Built by an OWASP Member • Part of the OWASP Web Security Lab Series