An injection flaw occurs when an application sends untrusted data to an interpreter as part of a command or query and that data breaks out of the context it was meant to occupy (a string literal, a header value, a path expression), changing the meaning of the command. Injection flaws are very common in application code. They are found in SQL, LDAP, XPath and NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments; and elsewhere. They are usually easy to spot when reviewing the code but can be hard to discover through testing alone, because the affected parameter has to be found and the interpreter's syntax has to be triggered.
The result of an exploited injection flaw can be loss, corruption, theft, modification, or deletion of data.
To check whether your application is vulnerable to injection, verify that every use of an interpreter clearly separates untrusted data from the command or query. For SQL calls this means passing every untrusted value as a bound variable of a prepared statement or stored procedure, and avoiding dynamic queries assembled from strings.
Consider an application that contains the following vulnerable SQL call, which concatenates a request parameter straight into the query text:
String strQuery = "SELECT * FROM users WHERE userName='" + Request.QueryString["uname"] + "'";
In this case the attacker can change the value of the 'uname' parameter in the browser to send ' or '1'='1. For example:
http://securityvlunerale.com/application/userView?uname=' or '1'='1
The leading quote closes the string literal the developer opened, and the rest of the value becomes part of the SQL. The meaning of the query has changed: the WHERE clause is now always true, so it returns every record in the "users" table. More dangerous attacks could modify or delete data, or even invoke stored procedures.
Avoid dynamic queries built by string concatenation.
Use a parameterized interface (bind variables), so that untrusted data can never be interpreted as part of the command.
Avoid accessing external interpreters (shells, eval-style APIs) wherever possible.
Validate the data provided to ensure that it does not contain content the interpreter would treat as syntax; treat this as defence in depth rather than as the only control.
Use stored procedures or prepared statements with bound parameters. Note that a stored procedure that itself builds dynamic SQL from its arguments is still injectable.
Prefer positive ("white list") input validation, which accepts only known-good input, over "black list" validation, which tries to enumerate bad input and is easily bypassed.
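The following is an added, runnable example (not code from the original page) that carries the userView example above through end to end and then applies the countermeasures just listed. It uses Python's sqlite3 module with a constructed in-memory "users" table in place of the application database; the function names, the example e-mail column, and the user-name character set accepted by the white list are assumptions chosen for the demonstration. The dynamic version reproduces the string concatenation of the strQuery line, the ' or '1'='1 payload, and additionally a UNION payload that pulls a column the query was never meant to return; the parameterized version shows that the same payloads are then only ever compared as data.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: a small in-memory 'users' table standing in
    for the application database described in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (userName, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def find_user_dynamic(conn, uname):
    """VULNERABLE: builds the query by string concatenation, exactly like the
    strQuery line above. The untrusted value becomes part of the SQL text, so
    a quote in it closes the literal and the remainder is parsed as SQL."""
    query = "SELECT userName FROM users WHERE userName='" + uname + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn, uname):
    """HARDENED: the SQL text is fixed; the driver binds uname as a parameter,
    so whatever it contains is only ever compared as a string value."""
    query = "SELECT userName FROM users WHERE userName=?"
    return [row[0] for row in conn.execute(query, (uname,))]


# Assumed white list for this demo: user names are 1-32 characters drawn from
# letters, digits, underscore, dot and hyphen. Anything else is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(uname):
    """Positive ('white list') validation: accept only known-good input.
    Defence in depth on top of parameterization, not a replacement for it."""
    return USERNAME_RE.fullmatch(uname) is not None


def find_user_hardened(conn, uname):
    """Both controls together: reject input that is not a plausible user name,
    then run the parameterized query."""
    if not is_valid_username(uname):
        raise ValueError("rejected user name")
    return find_user_parameterized(conn, uname)


# Constructed attack payloads. TAUTOLOGY is the one from the text; UNION_LEAK
# appends a second SELECT and uses a SQL comment (--) to swallow the trailing
# quote the developer's code adds.
TAUTOLOGY = "' or '1'='1"
UNION_LEAK = "' UNION SELECT email FROM users --"

if __name__ == "__main__":
    conn = build_db()
    print(find_user_dynamic(conn, "alice"))              # ['alice']
    print(sorted(find_user_dynamic(conn, TAUTOLOGY)))    # every user
    print(sorted(find_user_dynamic(conn, UNION_LEAK)))   # every e-mail address
    print(find_user_parameterized(conn, TAUTOLOGY))      # []
    print(find_user_parameterized(conn, UNION_LEAK))     # []
    print(is_valid_username(TAUTOLOGY))                  # False
    print(find_user_hardened(conn, "alice"))             # ['alice']
```

Note that sqlite3's execute() refuses to run more than one statement per call, so a stacked-query payload such as one ending in "; DROP TABLE users" fails here with a ProgrammingError; on database drivers that do allow multiple statements the same concatenation would execute it, which is the "modify data" case the text warns about.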