Severity: Critical | CWE-89 | OWASP Top 10 A03:2021

Injection (SQL, NoSQL, Command)

Attacker inserts malicious code into queries or commands by exploiting unsanitized user input — SQL injection, NoSQL injection, and OS command injection.

How It Works

Injection attacks occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or accessing data without authorization. SQL injection is the most common: an attacker inputs SQL syntax into a form field, and the application concatenates it directly into a query. This can dump the entire database, bypass authentication, or even execute system commands.

Vulnerable Code

// VULNERABLE: the route parameter is interpolated into the SQL text, so
// whatever it contains is parsed by the database as part of the query.
const userId = req.params.id;
const result = await db.query(
  `SELECT * FROM users WHERE id = ${userId}`
);

Secure Code

// SECURE: the SQL text is fixed and userId is passed separately as a bound
// value ($1 is the node-postgres placeholder syntax), so it is treated as
// data and can never be parsed as SQL.
const userId = req.params.id;
const result = await db.query(
  'SELECT * FROM users WHERE id = $1',
  [userId]
);

Real-World Example

The MOVEit Transfer SQL injection (CVE-2023-34362) was exploited by the Cl0p ransomware gang in 2023, compromising over 2,600 organizations and exposing data of 77+ million individuals including government agencies and Fortune 500 companies.

How to Prevent It

  • Use parameterized queries or prepared statements
  • Use an ORM like Prisma or Sequelize
  • Validate and sanitize all user input
  • Apply the principle of least privilege to database accounts
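The following is an added worked example, not code from the original page or from Data Hogo. It models a SQL interpreter as a small lexer to make the first two prevention points concrete: with string concatenation the user's input is lexed into keywords and operators, so the structure of the query changes; with a parameterized query the bound value is carried as opaque data and the structure cannot change, regardless of what the value contains. It also shows input validation as a second layer that rejects a malformed route id before any query is built. The keyword set, toy token grammar, query shape string, and sample inputs are all constructed for this demonstration and cover only the SELECT shape shown on this page; the same separation of code and data is what an ORM relies on underneath, which is why raw-query escape hatches in an ORM need the same care.

```javascript
// Added example (not code from the original page or from Data Hogo): a toy
// SQL lexer that shows the one property making parameterized queries safe.
// The interpreter tokenizes the query text; a bound parameter is carried as
// an opaque value and is never tokenized, so it cannot add keywords or
// operators. Keyword set, token grammar and sample inputs are constructed
// for this demonstration.

const KEYWORDS = new Set(['SELECT', 'FROM', 'WHERE', 'OR', 'AND', 'UNION']);

// Lexer: quoted strings, numbers, identifiers, $n placeholders, -- comments
// and a few punctuation characters. Anything else is skipped (toy lexer).
const TOKEN_RE = /'(?:[^']|'')*'|\d+|[A-Za-z_][A-Za-z0-9_]*|\$\d+|--[^\n]*|[=*;(),<>]/g;

function tokenize(sql) {
  const tokens = [];
  for (const m of sql.matchAll(TOKEN_RE)) {
    const text = m[0];
    if (text.startsWith("'") || /^\d+$/.test(text)) {
      tokens.push({ type: 'literal', text });
    } else if (text.startsWith('$')) {
      tokens.push({ type: 'param', index: Number(text.slice(1)) });
    } else if (text.startsWith('--')) {
      tokens.push({ type: 'comment', text });
    } else if (KEYWORDS.has(text.toUpperCase())) {
      tokens.push({ type: 'keyword', text: text.toUpperCase() });
    } else if (/^[A-Za-z_]/.test(text)) {
      tokens.push({ type: 'ident', text });
    } else {
      tokens.push({ type: 'punct', text });
    }
  }
  return tokens;
}

// Bind parameters the way a driver/server does for a prepared statement:
// each $n token becomes a literal holding the value as data. The value's
// characters are never fed back through the lexer.
function bind(tokens, params) {
  return tokens.map((t) => {
    if (t.type !== 'param') return t;
    if (t.index < 1 || t.index > params.length) {
      throw new Error(`missing value for parameter $${t.index}`);
    }
    return { type: 'literal', text: String(params[t.index - 1]), bound: true };
  });
}

// The "shape" of a query: keywords and punctuation verbatim, all other tokens
// by type. If the shape varies with user input, input is being run as code.
function queryShape(text, params = []) {
  return bind(tokenize(text), params)
    .map((t) => (t.type === 'keyword' || t.type === 'punct' ? t.text : t.type))
    .join(' ');
}

const EXPECTED_SHAPE = 'SELECT * FROM ident WHERE ident = literal';

// Mirrors the page's vulnerable snippet: the id is spliced into the SQL text.
function buildConcatenated(userId) {
  return `SELECT * FROM users WHERE id = ${userId}`;
}

// Mirrors the page's secure snippet: fixed text plus a separate values array
// (node-postgres $1 placeholder syntax).
function buildParameterized(userId) {
  return { text: 'SELECT * FROM users WHERE id = $1', params: [userId] };
}

// Input validation as a second layer: a route id must be a short decimal
// string. Returns the integer, or null when the request should get a 400
// before any query is built.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,10}$/.test(raw)) return null;
  return Number(raw);
}

// Both layers combined: returns the query to run, or null when rejected.
function safeQueryFor(rawId) {
  const id = parseUserId(rawId);
  return id === null ? null : buildParameterized(id);
}

function demo() {
  const benign = '42';
  const crafted = '1 OR 1=1'; // constructed tautology input for the demo
  console.log(queryShape(buildConcatenated(benign)));  // shape preserved
  console.log(queryShape(buildConcatenated(crafted))); // extra OR clause
  const q = buildParameterized(crafted);
  console.log(queryShape(q.text, q.params));           // shape preserved
  console.log(safeQueryFor(crafted));                  // null: rejected
}

demo();
```

Run it with `node` and compare the first two lines of output: the concatenated query's shape gains an `OR literal = literal` clause from the crafted input, while the parameterized query keeps the expected shape for the very same string. The validator on its own would also have rejected that input, which is the point of layering validation on top of parameterization rather than relying on either alone.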

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.
