
Injection Attacks Beyond SQL FAQ & Answers

6 expert Injection Attacks Beyond SQL answers researched from official documentation. Every answer cites authoritative sources you can verify.

A

NoSQL Injection: MongoDB, CouchDB, Redis injection via unvalidated queries. Example: db.users.find({username: req.body.username}) with body {username: {$ne: null}} → bypasses authentication by finding any user where username is not null. Prevention: Use query builders, validate input types (reject objects when expecting strings), avoid string concatenation in queries. MongoDB example: use mongoose schema validation, explicitly define query structure. Framework protections help but validation still required.

99% confidence
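The $ne bypass above, worked through as an added example (not code from the page): a constructed in-memory stand-in for a MongoDB users collection, a tiny matcher that models only the $ne and $gt operators the way the server evaluates them, the vulnerable login that passes decoded JSON straight into the query, and a hardened login that rejects any value that is not a bounded plain string. USERS, ATTACK and the function names are all constructed for the demonstration.

```python
"""Added example: NoSQL operator injection against a Mongo-style login."""

# Constructed in-memory stand-in for a MongoDB "users" collection.
USERS = [
    {"username": "alice", "password": "correct horse"},
    {"username": "bob", "password": "hunter2"},
]


def _field_matches(doc_value, cond) -> bool:
    """Evaluate one field condition the way MongoDB does: a plain value is an
    equality test, a dict is a set of query operators. Only $ne and $gt are
    modelled here; the real server supports many more."""
    if isinstance(cond, dict):
        for op, arg in cond.items():
            if op == "$ne":
                if doc_value == arg:
                    return False
            elif op == "$gt":
                if doc_value is None or not doc_value > arg:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {op}")
        return True
    return doc_value == cond


def find(query: dict) -> list:
    """Stand-in for collection.find(query): every field condition must match."""
    return [u for u in USERS
            if all(_field_matches(u.get(k), v) for k, v in query.items())]


def login_vulnerable(body: dict) -> list:
    """Decoded JSON goes straight into the query, so an object in the body
    becomes a query operator instead of a string to compare against."""
    return find({"username": body["username"], "password": body["password"]})


def require_str(body: dict, field: str, max_len: int = 64) -> str:
    """Type check first: reject objects, arrays, numbers and null, then bound length."""
    value = body.get(field)
    if not isinstance(value, str):
        raise TypeError(f"{field} must be a string, got {type(value).__name__}")
    if not 0 < len(value) <= max_len:
        raise ValueError(f"{field} has invalid length")
    return value


def login_hardened(body: dict) -> list:
    """Query structure is fixed by the code; only validated strings reach it."""
    username = require_str(body, "username")
    password = require_str(body, "password")
    return find({"username": username, "password": password})


# Constructed attacker body, i.e. the JSON {"username": {"$ne": null}, "password": {"$ne": null}}.
ATTACK = {"username": {"$ne": None}, "password": {"$ne": None}}
```

With ATTACK, login_vulnerable returns every document (both fields are "not null" for all users), while login_hardened raises before any query is built. The same type check also stops the {"$gt": ""} variant, which matches any non-empty password.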
A

OS Command Injection (CWE-78): Shell commands with unsanitized user input. Example: exec('ping ' + req.query.host) with host=8.8.8.8; rm -rf / → arbitrary command execution. Prevention: Avoid shell commands entirely, use language APIs (Node.js dns.resolve vs ping command), input validation with allowlists (alphanumeric only), least privilege execution (don't run as root). Testing tools: OWASP ZAP, Burp Suite Intruder, commix. Always prefer language APIs over shell execution.

99% confidence
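The ping example above, worked through as an added example in Python rather than the page's Node.js (this is not the page's code): the string the vulnerable version hands to the shell, an allowlist validator that accepts only an IP literal or a DNS name built from RFC 1123-shaped labels, an argv builder that never involves a shell, and shlex.quote as the fallback when a shell is unavoidable. The host validation rules and the ATTACK string are constructed for the demonstration.

```python
"""Added example: OS command injection, vulnerable string vs. validated argv."""
import ipaddress
import re
import shlex
import subprocess

# DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_shell_command_vulnerable(host: str) -> str:
    """What exec('ping ' + req.query.host) hands to /bin/sh: the ';' in the
    host ends the ping command and starts a second one."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal, or a dotted name of valid labels.
    Shell metacharacters, spaces and leading hyphens never pass."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def build_ping_argv(host: str) -> list:
    """Hardened form: validate, then build an argv list. Each element is passed
    to execve as-is, so there is no shell to interpret ';', '|', '$(...)'."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute with the default shell=False; returns the process exit status."""
    return subprocess.run(build_ping_argv(host), capture_output=True, timeout=10).returncode


def build_shell_command_quoted(host: str) -> str:
    """Last resort if a shell string is unavoidable: shlex.quote makes the
    whole value a single word, so the ';' stays inside ping's argument."""
    return "ping -c 1 " + shlex.quote(host)


# Constructed attacker value for the host query parameter.
ATTACK = "8.8.8.8; rm -rf /"
```

build_ping_argv(ATTACK) raises before anything runs; build_shell_command_quoted(ATTACK) yields ping -c 1 '8.8.8.8; rm -rf /', which ping rejects as an unknown host instead of the shell running rm. Prefer the argv form: quoting protects the shell boundary only, while the allowlist also keeps option-looking values such as -f out of ping's own parser.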
A

LDAP Injection: Manipulating LDAP search filters. Example: filter (uid=userInput) with input=*)(uid=*))(|(uid=* becomes (uid=*)(uid=*))(|(uid=*); a server that evaluates the leading filter and ignores the trailing text matches every user. Prevention: Escape LDAP filter special characters (*, (, ), \, NUL) as specified in RFC 4515, use parameterized LDAP APIs. XPath Injection: XML query manipulation. Example: //users/user[username='input'] with input=' or '1'='1 → authentication bypass, because the predicate is now always true. Prevention: Parameterized XPath queries, input validation, use XPath variables instead of string concatenation. Both exploit unsanitized input in query languages.

99% confidence
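Both escaping rules from the answer above, as an added example (not the page's code): RFC 4515 filter escaping for the LDAP uid filter, and an XPath string-literal builder for the case where the XPath engine offers no variable binding. XPath 1.0 literals have no escape syntax and cannot contain their own quote character, so a value holding both quote kinds is assembled with concat(). Function names and payloads are constructed for the demonstration; with lxml, binding a variable (tree.xpath("//users/user[username=$u]", u=value)) is preferable to building the literal by hand.

```python
"""Added example: LDAP filter escaping (RFC 4515) and XPath literal quoting."""

# Backslash is listed first so its own escape is never re-escaped.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion (RFC 4515 3)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter_vulnerable(uid: str) -> str:
    """String concatenation: '(' ')' '*' in uid become filter syntax."""
    return f"(uid={uid})"


def build_uid_filter(uid: str) -> str:
    """Escaped: the value can only ever be compared, never restructure the filter."""
    return f"(uid={escape_ldap_filter_value(uid)})"


def xpath_string_literal(value: str) -> str:
    """Render arbitrary text as a safe XPath 1.0 string literal."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: split on ' and join the pieces with concat().
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def build_user_xpath_vulnerable(username: str) -> str:
    """String concatenation: a quote in username ends the literal early."""
    return f"//users/user[username='{username}']"


def build_user_xpath(username: str) -> str:
    """Quoted: the whole input is one literal, so ' or '1'='1 is just a string."""
    return f"//users/user[username={xpath_string_literal(username)}]"


# Constructed payloads from the answer above.
LDAP_ATTACK = "*)(uid=*))(|(uid=*"
XPATH_ATTACK = "' or '1'='1"
```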
A

Server-Side Template Injection (SSTI): Flask/Jinja2, Django templates, FreeMarker, Velocity exploitation. Expression Language (EL) Injection example: ${user.name} with name=${7*7} → the engine evaluates the expression and renders 49, proving that attacker-supplied text is executed rather than displayed; the same channel reaches method calls and code execution. SSTI example: render_template_string(request.args.get('name')) with name={{config}} → leaks the Flask config object, including SECRET_KEY and database credentials. Prevention: Never render user input as the template (pass it as a variable into a fixed, developer-authored template), use template sandboxes (Jinja2 SandboxedEnvironment) when user-authored templates are a requirement, disable expression evaluation on user input, use safe template modes. Framework-specific: Flask (never pass user input to render_template_string as the template string), Django (avoid {% debug %} in production). CWE-917 (Expression Language Injection).

99% confidence
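The "user input becomes the template" mistake, as an added example using Python's built-in str.format (not the page's Flask code, and not Jinja2, so it runs with no dependencies). Format fields can walk attributes and index mappings, so a "name" that is formatted as the template reaches module globals through a bound method, exactly as {{config}} reaches the Flask config. SECRET_KEY, User and the PAYLOAD string are constructed for the demonstration.

```python
"""Added example: template injection through str.format, vulnerable vs. fixed template."""

# Constructed secret held in module globals, standing in for application config.
SECRET_KEY = "constructed-secret-0xC0FFEE"


class User:
    def __init__(self, name: str) -> None:
        self.name = name


def render_vulnerable(user_template: str, user: User) -> str:
    """The attacker's text *is* the template: every {...} field is evaluated
    against the objects passed to format()."""
    return user_template.format(user=user)


def render_hardened(name: str) -> str:
    """Template fixed by the developer; user text is only ever a value, so
    braces in it are printed literally."""
    return "Hello, {name}!".format(name=name)


# Attacker-controlled "name": from the User object to its __init__ (a bound
# method, which forwards attribute access to the underlying function), then
# to that function's module globals, then to the SECRET_KEY entry.
PAYLOAD = "{user.__init__.__globals__[SECRET_KEY]}"
```

Jinja2's {{config}} is the same pattern with a richer expression language; the fix is identical in both: keep the template on the developer's side of the call and pass untrusted text in as a variable. Where users must author templates, render them in a SandboxedEnvironment and treat escapes from it as a framework bug to report, not as an acceptable risk.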
A

ORM Injection: Bypassing parameterization in ORMs. Example: User.where('email = ' + params[:email]) (Ruby on Rails) → SQL injection despite using ORM. Prevention: Use ORM query builders (User.where(email: params[:email])), never string interpolation in queries. Log Injection (CWE-117): Injecting newlines/ANSI codes into logs. Example: logger.info('User login: ' + username) with username=admin\n[CRITICAL] Fake log entry → log forgery. Prevention: Remove newlines/ANSI escape codes, use structured logging (JSON format), sanitize before logging. Both exploit string concatenation vulnerabilities.

99% confidence
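The log-forgery half of the answer above, as an added example (not the page's code): the vulnerable concatenated line, a sanitizer that strips ANSI escape sequences and neutralises CR/LF, and a JSON formatter for the standard logging module, where the value is serialised as a JSON string so an embedded newline can never open a second record. The ATTACK string, the record layout and the "fields" extra are constructed for the demonstration.

```python
"""Added example: log injection (CWE-117), plain-text sanitising and JSON records."""
import json
import logging
import re
from datetime import datetime, timezone

# CSI sequences (ESC [ params final), OSC sequences (ESC ] ... BEL or ESC \) and any lone ESC.
_ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b")


def sanitize_for_log(value: str) -> str:
    """Drop terminal escapes, then make line breaks visible instead of real."""
    value = _ANSI_RE.sub("", value)
    return value.replace("\r", "\\r").replace("\n", "\\n")


def log_line_vulnerable(username: str) -> str:
    """logger.info('User login: ' + username): a newline in username starts a
    new, attacker-written line in the log file."""
    return "[INFO] User login: " + username


def log_line_hardened(username: str) -> str:
    """Same message, but the input cannot break out of its own line."""
    return "[INFO] User login: " + sanitize_for_log(username)


class JsonFormatter(logging.Formatter):
    """One JSON object per record. json.dumps escapes control characters, so
    the record stays on one line and the value round-trips unchanged."""

    def format(self, record: logging.LogRecord) -> str:
        payload = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "event": record.getMessage(),
        }
        payload.update(getattr(record, "fields", {}))
        return json.dumps(payload)


def format_login_event(username: str) -> str:
    """Build and format the record that logger.info("User login",
    extra={"fields": {"username": username}}) would produce."""
    record = logging.LogRecord("auth", logging.INFO, __file__, 0, "User login", None, None)
    record.fields = {"username": username}
    return JsonFormatter().format(record)


def decode_record(line: str) -> dict:
    """What a log consumer does with one line: parse it back to a dict."""
    return json.loads(line)


# Constructed attacker username from the answer above.
ATTACK = "admin\n[CRITICAL] Fake log entry"
```

Sanitising is enough for plain-text logs; structured logging is the stronger fix because the escaping is done by the serialiser for every field, not by whoever remembered to call the sanitizer.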
A

Universal prevention (2025): (1) Parameterized queries/APIs - always use prepared statements, never concatenate user input into commands/queries, (2) Allow-list validation - define allowed characters/patterns (alphanumeric only for IDs), reject anything outside allowlist, (3) Escape special characters - context-specific escaping (SQL: ', HTML: <>, Shell: ;|&), (4) Least privilege - database user cannot drop tables, application cannot execute shell commands, limited file system access, (5) Input validation - type checking (expect integer, reject string), length limits, format validation (email, UUID). Framework protections: Django ORM (auto-parameterized), Hibernate (HQL parameters), sqlalchemy (bound parameters). OWASP Top 10 A03:2021, PCI-DSS 6.5.1.

99% confidence