Injection (Web)
What Injection means
Injection happens when user-controlled input is treated as instructions instead of data. The input crosses a trust boundary and reaches an interpreter.
Interview one-liner: “Injection is untrusted input reaching an interpreter without proper separation. I first identify sinks, confirm execution context, then demonstrate minimal impact and recommend parameterization or contextual encoding.”
Injection categories
| Injection type | Interpreter / boundary reached |
|---|---|
| SQL Injection | Database interpreter |
| Cross-Site Scripting (XSS) | Browser / JS engine |
| Server-Side Request Forgery (SSRF) | HTTP client boundary |
| XML External Entity (XXE) | XML parser |
| Command Injection | OS / shell execution boundary |
| SSTI (Server-Side Template Injection) | Template engine boundary |
| NoSQL Injection | NoSQL query interpreter |
| LDAP Injection | Directory / LDAP filter interpreter |
| XPath Injection | XML / XPath interpreter |
| CRLF Injection | Response header injection, response splitting, proxy quirks |
| EL Injection | Server-side expression evaluator (user input becomes an expression) |
| ReDoS | User-controlled regex; catastrophic backtracking (DoS) |
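The "Context" step matters most for the browser sink: the same string needs a different encoder depending on whether it lands in element content, an attribute, an inline script string, or a URL. The following is an added example (not code from these notes) that renders one constructed input into each of those four contexts with the encoder that fits that context; `SAMPLE_INPUT` and the render functions are illustrative names chosen here.

```python
import html
import json
from urllib.parse import quote

# Constructed sample input (not from the notes): it contains every character
# that changes meaning in at least one browser context, including a closing
# script tag, so an encoder chosen for the wrong context leaves it live.
SAMPLE_INPUT = '</script><b title="x">&\''


def render_html_body(value: str) -> str:
    """Data placed inside element content: HTML-entity encode."""
    return f"<p>{html.escape(value, quote=True)}</p>"


def render_html_attribute(value: str) -> str:
    """Data placed inside an attribute: entity encode AND always quote the attribute."""
    return f'<input value="{html.escape(value, quote=True)}">'


def render_js_string(value: str) -> str:
    """Data placed inside an inline <script> string literal.

    JSON encoding gives a valid JS string literal; '<' is additionally escaped
    as \\u003c so a '</script>' inside the data cannot terminate the block
    (the HTML parser runs before the JS parser and does not understand JS quoting).
    """
    encoded = json.dumps(value).replace("<", "\\u003c")
    return f"<script>var v = {encoded};</script>"


def render_url_query(value: str) -> str:
    """Data placed inside a URL query parameter: percent-encode everything."""
    return f'<a href="/search?q={quote(value, safe="")}">link</a>'


def raw_markup_survives(rendered: str, raw: str) -> bool:
    """Check used below: does the unencoded input appear verbatim in the output?"""
    return raw in rendered


if __name__ == "__main__":
    for fn in (render_html_body, render_html_attribute, render_js_string, render_url_query):
        out = fn(SAMPLE_INPUT)
        print(f"{fn.__name__:24s} survives={raw_markup_survives(out, SAMPLE_INPUT)}  {out}")
```

The point to take from the block is that `html.escape` is the right tool for the first two contexts and the wrong tool for the last two: entity-encoding does nothing inside a script string, and percent-encoding does nothing inside element content. Encoding is chosen at the sink, not at the input.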
How to think about injection
| Step | What you analyze | Why it matters |
|---|---|---|
| 1. Input source | Where user input enters the system | Defines attacker control |
| 2. Sink | Interpreter / parser / executor | Determines injection class |
| 3. Context | Query, template, URL, entity | Controls exploitability |
| 4. Defense | Parameterization, encoding, allow-list | Prevents recurrence |
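Walking the four steps against the database sink, as an added example that is not part of these notes: input source is a `name` argument, the sink is the SQL interpreter, the context is a quoted string literal in a `WHERE` clause, and the defense is a bound parameter. The block keeps the deliberately vulnerable string-splicing version beside the parameterized one so the difference is observable, and adds the case parameterization cannot cover, a user-chosen `ORDER BY` column, where an allow-list is the defense. The table, rows, and function names are constructed here; it runs against an in-memory SQLite database.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table with sample rows (not from the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable: the input is spliced into the query text.

    A quote character inside `name` ends the string literal early, so the
    rest of the input is parsed as SQL (instructions, not data).
    """
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the query text is fixed and `name` is sent as a bound
    value. Whatever it contains, it is compared as a string and never parsed."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Column names are identifiers and cannot be bound as parameters, so the
    defense here is the allow-list from step 4: anything not in the set is
    rejected before it reaches the interpreter."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT name FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed test input: a value whose quote character alters the query
    # structure in the vulnerable version and is plain data in the safe one.
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", find_user_safe(db, probe))        # [] : no user has that name
    print("sorted:    ", list_users_sorted(db, "name"))
```

The check a reviewer applies is simple: for every query, either the input appears only as a `?` placeholder argument, or it is an identifier validated against a fixed set. A query string built with `f"..."` or `+` from request data fails that check regardless of how the input was "sanitized" upstream.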
For interview preparation and