1. Injection (OWASP Top 10)

* An application is vulnerable to attack when:

* User-supplied data is not validated, filtered, or sanitized by the application.

* Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

* Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.

* Hostile data is directly used or concatenated, so that the SQL statement or command contains both its structure and the hostile data in dynamic queries, commands, or stored procedures.

* Example scenario:

* An application uses untrusted data in the construction of the following vulnerable SQL call:

// The untrusted 'id' request parameter is concatenated straight into the SQL text.
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";


* The attacker modifies the 'id' parameter's value in their browser to send ' or '1'='1, changing the meaning of the query so that it returns every record in the accounts table.

For example:

http://[example.com]/app/accountView?id=' or '1'='1
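The following is an added example, not code from the original page or from OWASP. It reproduces the scenario above in Python with an in-memory SQLite table (the table, rows and function names are constructed for this illustration) and places the vulnerable string-concatenated query beside two of the defenses the list above names: a parameterized call, and input validation of the id before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data for this example: a tiny accounts table in memory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)],
    )
    return conn

def vulnerable_lookup(conn, cust_id):
    # Mirrors the page's Java snippet: the untrusted value is spliced into the
    # SQL text, so the interpreter sees structure and data as one string.
    query = "SELECT custID, owner FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def parameterized_lookup(conn, cust_id):
    # The fix: a parameterized call. The statement structure is fixed here and
    # the value travels separately, so the input is only ever compared as a
    # string and is never parsed as SQL.
    return conn.execute(
        "SELECT custID, owner FROM accounts WHERE custID=?", (cust_id,)
    ).fetchall()

# Allowlist for this example's ids: customer ids are 4 digits, nothing else.
_CUST_ID_RE = re.compile(r"^[0-9]{4}$")

def is_valid_cust_id(cust_id):
    # Input validation as a second layer: reject anything that is not a
    # well-formed id before it gets anywhere near a query.
    return _CUST_ID_RE.fullmatch(cust_id) is not None

def validated_lookup(conn, cust_id):
    # Defense in depth: validate first, then still use the parameterized call.
    if not is_valid_cust_id(cust_id):
        return None
    return parameterized_lookup(conn, cust_id)

def demo():
    conn = make_db()
    normal = "1001"
    hostile = "' or '1'='1"   # the payload from the page's example scenario
    return {
        "vuln_normal": vulnerable_lookup(conn, normal),
        "vuln_hostile": vulnerable_lookup(conn, hostile),      # every row leaks
        "param_normal": parameterized_lookup(conn, normal),
        "param_hostile": parameterized_lookup(conn, hostile),  # no match
        "validated_hostile": validated_lookup(conn, hostile),  # rejected: None
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the hostile value the concatenated query becomes `SELECT custID, owner FROM accounts WHERE custID='' or '1'='1'`, which is true for every row; the parameterized call compares the literal text `' or '1'='1` against custID and matches nothing, and the validation layer refuses it outright. The detection point for a defender is the same in both directions: log and alert on lookups whose id fails the allowlist, since legitimate clients never send one.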
