Hello Everyone,
I hope you are doing well. In this article we will review one of the OWASP Top 10 categories, A03:2021 Injection, together with its remedies and the coding practices that reduce this risk in web applications.
Explanation
Injection attacks, including SQL Injection (SQLi), Cross-Site Scripting (XSS), and Command Injection, occur when untrusted data is sent to an interpreter as part of a command or query. This allows attackers to execute unintended commands, manipulate databases, or compromise system security. Injection vulnerabilities have remained a critical security issue for web applications and APIs due to improper input validation and unescaped user input.
1. SQL Injection (SQLi)
Vulnerable Code
string query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";
SqlCommand command = new SqlCommand(query, connection);
SqlDataReader reader = command.ExecuteReader();
How it can be exploited: if an attacker enters admin'-- as the username, the SQL query becomes:
SELECT * FROM users WHERE username = 'admin'--' AND password = ''
The -- comment syntax causes the rest of the statement, including the password check, to be ignored, allowing unauthorized access.
Secure Code
string query = "SELECT * FROM users WHERE username = @username AND password = @password";
SqlCommand command = new SqlCommand(query, connection);
command.Parameters.AddWithValue("@username", username);
command.Parameters.AddWithValue("@password", password);
SqlDataReader reader = command.ExecuteReader();
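The same login check as a reusable method with explicitly typed parameters (added example, not code from the article; the users table, column names and an open SqlConnection are assumed to match the snippet above):

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginRepository
{
    // Returns true only when a row matches both values exactly. A username of
    // admin'-- reaches the server as the literal string "admin'--", so the
    // password predicate is still evaluated and the comment trick does nothing.
    public static bool CredentialsMatch(SqlConnection connection, string username, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM users WHERE username = @username AND password = @password";

        using (SqlCommand command = new SqlCommand(sql, connection))
        {
            // Declaring type and length up front avoids the implicit conversions and
            // plan-cache churn that AddWithValue's inferred types can cause; either way
            // the value travels as data and is never concatenated into the SQL text.
            command.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            command.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;

            return (int)command.ExecuteScalar() > 0;
        }
    }
}
```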
2. Cross-Site Scripting (XSS)
Vulnerable Code
<!-- Vulnerable Code -->
<div><%= Request.QueryString["search"] %></div>
How it can be exploited
The <%= %> syntax in ASP.NET Web Forms writes the value directly into the response without encoding it.
If an attacker sends the following malicious URL:
http://example.com/search.aspx?search=<script>alert('XSS Attack!');</script>
the server response will be:
<div><script>alert('XSS Attack!');</script></div>
This executes the JavaScript alert in the victim's browser.
Secure Version (Fixed with Server.HtmlEncode)
<!-- SAFE: XSS Protected -->
<div><%= Server.HtmlEncode(Request.QueryString["search"]) %></div>
Fix. Server.HtmlEncode() converts special characters such as < and > into their HTML entity equivalents (&lt; and &gt;), so the browser renders them as text instead of parsing them as markup.
Server.HtmlEncode(Request.QueryString["search"]) ensures that any HTML or JavaScript in the user input is displayed as plain text, not executed.
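Encoding has to match the output context, and the same value often lands in more than one place on a page. The helper below is an added example (not code from the article) that renders the search term in three contexts with the article's test input; the HttpUtility class is the code-behind equivalent of Server.HtmlEncode:

```csharp
using System;
using System.Web;

static class SearchView
{
    // HTML body context: the code-behind form of <%= Server.HtmlEncode(...) %>.
    public static string ResultHeading(string search)
    {
        return "<div>" + HttpUtility.HtmlEncode(search) + "</div>";
    }

    // HTML attribute context: always quote the attribute and encode the value,
    // so a double quote in the input cannot close the attribute early.
    public static string SearchBox(string search)
    {
        return "<input type=\"text\" name=\"search\" value=\""
             + HttpUtility.HtmlEncode(search) + "\" />";
    }

    // URL query context: HtmlEncode is the wrong encoder for a query string.
    // Percent-encode the value with UrlEncode first, then HtmlEncode the whole
    // href because it is written into an attribute.
    public static string RepeatSearchLink(string search)
    {
        string href = "/search.aspx?search=" + HttpUtility.UrlEncode(search);
        return "<a href=\"" + HttpUtility.HtmlEncode(href) + "\">Search again</a>";
    }

    static void Main()
    {
        // The article's test input, constructed here for the demonstration.
        string payload = "<script>alert('XSS Attack!');</script>";
        Console.WriteLine(ResultHeading(payload));
        Console.WriteLine(SearchBox(payload));
        Console.WriteLine(RepeatSearchLink(payload));
    }
}
```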
3. Command Injection
using System;
using System.Diagnostics;

class Program
{
    static void Main()
    {
        Console.Write("Enter a file name to list: ");
        string userInput = Console.ReadLine();
        // VULNERABLE: user input is concatenated straight into a cmd.exe command line
        Process.Start("cmd.exe", "/C dir " + userInput);
    }
}
How it can be exploited
If an attacker enters:
test.txt & del C:\Windows\System32\important.dll
cmd.exe runs both commands, so the second one deletes a critical system file.
Secure Code (Fix Using ProcessStartInfo)
Use ProcessStartInfo with sanitized input to prevent command injection.
using System;
using System.Diagnostics;

class Program
{
    static void Main()
    {
        Console.Write("Enter a file name to list: ");
        string userInput = Console.ReadLine();

        // Secure: use ProcessStartInfo with argument sanitization
        ProcessStartInfo psi = new ProcessStartInfo
        {
            FileName = "cmd.exe",
            Arguments = "/C dir " + QuoteArgument(userInput),
            RedirectStandardOutput = true,
            UseShellExecute = false,
            CreateNoWindow = true
        };

        Process process = new Process { StartInfo = psi };
        process.Start();
        Console.WriteLine(process.StandardOutput.ReadToEnd());
    }

    // Wraps the argument in double quotes and doubles any embedded quote
    static string QuoteArgument(string arg)
    {
        return "\"" + arg.Replace("\"", "\"\"") + "\"";
    }
}
- Prevents command chaining (&, |, ;, etc.) by keeping the input inside one quoted argument
- Encapsulates the input safely in double quotes
- Sets UseShellExecute = false, so the process is created directly (CreateProcess) rather than through the Windows ShellExecute API
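Quoting only works as long as every cmd.exe parsing rule is accounted for. The stronger option, when the task is just listing files, is to not start a shell at all: validate the name against an allow-list (the same idea as item 2 under the XSS tips below) and call the file-system API directly. This is an added example, not the article's code; the base directory and the allowed name pattern are assumptions to adapt per application:

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

static class SafeListing
{
    // Allow-list: letters, digits, underscore, hyphen and one optional extension.
    // Spaces, &, |, ;, quotes, wildcards and path separators are all rejected.
    static readonly Regex FileNamePattern =
        new Regex(@"^[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)?$", RegexOptions.Compiled);

    public static bool IsSafeFileName(string input)
    {
        return !string.IsNullOrEmpty(input)
            && input.Length <= 64
            && FileNamePattern.IsMatch(input)
            && Path.GetFileName(input) == input; // defense in depth: no directory component
    }

    // Lists the matching entry with the file-system API. No cmd.exe is started,
    // so there is no command line for "&" or "|" to chain anything onto.
    public static string[] ListEntries(string baseDirectory, string fileName)
    {
        if (!IsSafeFileName(fileName))
            throw new ArgumentException("Rejected file name: " + fileName);

        return Directory.GetFileSystemEntries(baseDirectory, fileName);
    }

    static void Main()
    {
        Console.Write("Enter a file name to list: ");
        string userInput = Console.ReadLine();

        // The article's "test.txt & del ..." input fails IsSafeFileName and is never used.
        foreach (string entry in ListEntries(Directory.GetCurrentDirectory(), userInput))
            Console.WriteLine(entry);
    }
}
```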
Additional Information to Prevent Web Application XSS
1. Use AntiXSS Library (Microsoft.Web.Helpers)
Instead of HttpUtility.HtmlEncode(), use Microsoft's AntiXSS library, which provides stronger encoding.
Why? The Encoder.HtmlEncode() from the AntiXSS library is more secure as it applies stricter encoding rules.
2. Validate User Input (Allow Only Expected Formats)
Restrict input fields to allow only specific characters using Regular Expressions (Regex).
Why? This ensures attackers cannot inject scripts or special characters.
3. Enable HTTP Content Security Policy (CSP)
Use CSP headers to prevent the execution of inline scripts.
Why? This prevents malicious scripts from executing, even if they are injected.
4. Use HttpOnly and Secure Flags for Cookies
Make session cookies HttpOnly to prevent JavaScript access and Secure to enforce HTTPS.
Why? This prevents session hijacking via XSS.
5. Use Anti-Forgery Tokens (for Forms)
Use anti-forgery tokens in ASP.NET forms to defend against CSRF (Cross-Site Request Forgery), which attackers often combine with XSS.
Why? This ensures the request originates from the intended user.
6. Use a Web Application Firewall (WAF)
Deploy a Web Application Firewall (WAF) to monitor and block XSS attempts.
Some popular WAF solutions:
- AWS WAF
- Cloudflare WAF
- Microsoft Azure WAF
Why? These provide an additional layer of defense against XSS.
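Items 3 and 4 above can be set once for the whole application in web.config. This is an added example, not configuration from the article; the CSP value is an assumed starting policy that must be adjusted to the script sources the application really uses:

```xml
<configuration>
  <system.web>
    <!-- Item 4: every cookie the application issues is marked HttpOnly
         (no document.cookie access from script) and Secure (sent only over HTTPS) -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Item 3: same-origin scripts only. Inline <script> blocks and
             event-handler attributes are blocked, so an injected script tag
             like the one in the search example does not run even if encoding was missed -->
        <add name="Content-Security-Policy"
             value="default-src 'self'; script-src 'self'; object-src 'none'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Web Forms itself emits inline scripts for postbacks (for example __doPostBack), so roll this out first under the Content-Security-Policy-Report-Only header name and review the reports before switching to the enforcing header.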
Conclusion
Injection vulnerabilities remain one of the most severe threats to web applications, often leading to data breaches, unauthorized access, and system compromise. By implementing secure coding practices, proper input validation, and security testing, organizations can significantly reduce the risk of injection attacks and protect their applications from exploitation.