January 29, 2024

Injection – The #3 Web Application Security Risk


Injection

Injection attacks have long been one of the most dangerous application security risks facing developers. Despite better frameworks and increasing awareness, injection remains the number three web application security risk in OWASP's latest Top 10 report. This post examines why injection risks continue to plague applications and how positive input validation can mitigate over 90% of injection attacks.

Injection attacks allow attackers to insert malicious code or commands into an application to alter, delete, or expose sensitive data. These risks are not new. In fact, 20 of the 33 Common Weakness Enumerations (CWEs) in the Injection category have ID numbers under 100, indicating they were identified early in the CWE project's history, which began in 2006.

The first documented SQL injection vulnerability emerged over 20 years ago. Since then, OWASP has associated 33 CWEs and over 32,000 Common Vulnerabilities and Exposures (CVEs) with the Injection category. Though injection attacks have gradually declined thanks to better awareness and frameworks, the average exploitability remains high at 7.3 out of 10.

CWEs Mapped: 33
Max Incidence Rate: 19.09%
Avg Incidence Rate: 3.37%
Avg Weighted Exploit: 7.25
Avg Weighted Impact: 7.15
Max Coverage: 94.04%
Avg Coverage: 47.90%
Total Occurrences: 274,228
Total CVEs: 32,078

A03:2021 – Injection

Common Injection Attack Vectors

Two well-known CWEs help illustrate why injection continues to threaten applications:

CWE-20 (Improper Input Validation): Never trust any external input, whether it comes from form fields, search bars, metadata, or anything else. All external inputs must be validated against an allow list of expected, structured data. For example, validate credit card numbers against known formats, email addresses against address structures, and so on. Input lengths should also match expected ranges. Validating associations (such as postal codes to cities/countries) adds another layer of protection.

CWE-89 (SQL Injection): By inserting unexpected SQL code via input fields, attackers can modify, delete, or access private data. A single quote, closing parenthesis, or other carefully crafted input can allow them to take over SQL statements.

How to Mitigate Injection Attacks?

The good news is that OWASP states properly implemented input validation can eliminate over 90% of injection attacks. Here's what proper implementation entails:

  • Validate all input against a defined schema for data types, formats, lengths, relationships, etc.

  • Use allow lists over deny lists where possible.

  • Employ strong data typing everywhere.

  • Follow OWASP SQL Injection Prevention Cheat Sheet guidelines.

  • Use frameworks and APIs with built-in protections against common attacks.
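The following is an added example, not code from the original post, that puts the CWE-89 and CWE-20 points above side by side: a lookup that concatenates user input into SQL, then the same lookup hardened with an allow-list validator and a bound parameter. The table schema, the sample users, the email pattern and the function names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample data: an in-memory database with three users.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"),
         ("bob@example.com", "user"),
         ("carol@example.com", "user")],
    )
    return conn

# Vulnerable (CWE-89): the input is pasted into the statement text, so a
# single quote ends the literal and the rest is parsed as SQL.
def find_user_vulnerable(conn, email: str):
    query = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()

# Parameterized: the value is bound, never parsed as SQL (OWASP cheat sheet).
def find_user_parameterized(conn, email: str):
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()

# Allow-list validator for the one input this lookup accepts (CWE-20).
# Hypothetical pattern: bounded local part, '@', dotted domain, max 254 chars.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,24}$")

def validate_email(email: str) -> bool:
    return len(email) <= 254 and EMAIL_RE.fullmatch(email) is not None

# Hardened: reject anything outside the allow list, then bind the value.
def find_user_safe(conn, email: str):
    if not validate_email(email):
        raise ValueError("input rejected by allow-list validation")
    return find_user_parameterized(conn, email)

def demo():
    conn = build_db()
    hostile = "' OR '1'='1"   # constructed input that closes the quoted literal
    leaked = find_user_vulnerable(conn, hostile)   # every row comes back
    neutral = find_user_parameterized(conn, hostile)  # no row has that literal email
    try:
        find_user_safe(conn, hostile)
        blocked = False
    except ValueError:
        blocked = True                               # stopped before the database
    return len(leaked), len(neutral), blocked, len(find_user_safe(conn, "bob@example.com"))

if __name__ == "__main__":
    print(demo())  # (3, 0, True, 1)
```

Binding alone already stops the injection; the validator adds the defense-in-depth layer the post recommends and rejects malformed input before it reaches the query.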

The rise of modern frameworks has helped curb some injection attacks, but vulnerabilities remain abundant without comprehensive input validation policies. By ensuring all external inputs conform to structured allow lists and strong data types, developers can make exploitation far more difficult. Eliminating injection's foothold delivers immense security and compliance benefits for minimal effort.

Call to Action

Evaluate your input validation policies against the OWASP Application Security Verification Standard (ASVS) requirements. Implement missing protections with a focus on allow listing, strong typing, and securing associations. Pilot changes with high-risk inputs first, then expand coverage. Drastically reducing your injection surface is one of the most effective application security improvements available today.

We hope this post helped you learn about the OWASP Top 10's #3 application security risk, Injection. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.

Rajeshwari KA

Rajeshwari KA is a Software Architect who has worked on full-stack development, software design, and architecture for small and large-scale mission-critical applications in her 18+ years of experience.
