Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A03: Injection

Can someone trick your website into running their own commands?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

The classic web flaw and still common: when user-typed input gets passed directly to a database or system command, an attacker types something like '; DROP TABLE customers;-- and the database obediently does it.

Questions to ask yourself

  • Did the developer use a recognised framework with built-in protection?
  • Has the site been scanned for SQL injection?
  • Are we running a hand-rolled PHP or classic ASP site from 2015?

For owners — questions to ask your developer

Questions to ask your developer

You don't need to know what a parameterised query is — you just need to ask the right questions.

  • 01“Are parameterised queries (or the framework's ORM) used everywhere — or are we still building SQL strings by hand anywhere?”
  • 02“Has the site been scanned with OWASP ZAP or a similar tool? When? Can you run one now and share the report?”
  • 03Decision: For business-critical apps, commission a penetration test at launch (£3k–£10k) and annually after.