OWASP Top 10 Explained (Injection Flaws)

Cyber Security Mastery: From Zero to Hero

The OWASP Top 10

The OWASP (Open Web Application Security Project) Top 10 is a standard awareness document for developers and security professionals, representing the most critical security risks to web applications.

A03:2021 - Injection

Injection flaws (SQL, NoSQL, OS Command, LDAP) occur when unvalidated user-supplied data is sent to an interpreter as part of a command or query.

SQL Injection (SQLi)

  • Vulnerability: An attacker injects malicious SQL syntax into an input field (e.g., a login box) that is executed by the backend database.
  • Impact: Full database theft, unauthorized modification, or bypassing authentication.

Example SQLi Payload:

```sql
' OR 1=1 --
```

If this payload is used in a login field, the database query becomes:

```sql
SELECT * FROM users WHERE username='' OR 1=1 --' AND password='...'
```

Since 1=1 is always true and the `--` comments out the rest of the statement (including the password check), the WHERE clause matches every row, so the authentication check is bypassed and the attacker is logged in as the first user returned (often the admin).
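The following is an added example, not part of the course material: it builds a constructed in-memory SQLite table and places a login function written with string concatenation (the flaw described above) beside one written with a parameterized query, the standard mitigation. The table contents, function names and passwords are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: a single 'admin' user (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenating user input into the SQL text.

    Anything the user types becomes part of the SQL syntax, so a quote
    or a comment marker changes the meaning of the statement.
    """
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Uses a parameterized query (the mitigation for injection).

    The SQL text is fixed; the driver sends the values separately, so
    quotes and '--' inside the input are treated purely as data.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' OR 1=1 --"  # the payload shown in the course text
    print("vulnerable:", login_vulnerable(make_db(), payload, "wrong"))  # admin
    print("safe:      ", login_safe(make_db(), payload, "wrong"))        # None
    print("safe/valid:", login_safe(make_db(), "admin", "correct-horse"))  # admin
```

The same pattern applies to any database driver: keep the SQL text constant and pass user input only as bound parameters, never by string formatting.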