Injection attacks are a type of web-based application attack that exploits the lack of proper input validation and output encoding or escaping. They allow an attacker to inject malicious code or commands, such as SQL, LDAP, OS commands, or HTML, into the application and have them executed on the server or the client side.

To prevent injection attacks, the best strategy is to whitelist input and to encode or escape output before it is processed for rendering. Whitelisting input means that the application accepts only input that matches a predefined set of criteria, such as data type, length, format, or range, and rejects anything that does not meet these criteria. Encoding or escaping output means that the application converts potentially dangerous characters in the output, such as <, >, &, or ', into harmless representations, such as &lt;, &gt;, &amp;, or &#x27;, before sending them to the browser or the database. This prevents the output from being interpreted as code or commands by the browser or the database.

Not storing sensitive unencrypted data on the back end, limiting privileged access or hard-coding logon credentials, and storing sensitive data in a buffer that retains data in OS cache or memory are not effective strategies for preventing injection attacks, and may introduce other security risks.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 778. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 8, Software Development Security, page 839.
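The two controls described above, allowlist input validation and output encoding, as an added example that is not part of the original explanation. It assumes a hypothetical users table queried over SQLite, and adds a parameterized query as the database-side counterpart of output encoding.

```python
import html
import re
import sqlite3

# Allowlist: a username is 3 to 16 characters drawn only from [A-Za-z0-9_].
# Anything else (spaces, quotes, angle brackets, semicolons) is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")


def validate_username(value: str) -> bool:
    """Whitelist validation: accept only input matching the predefined pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding: <, >, &, " and ' become HTML entities so the browser
    renders them as text instead of interpreting them as markup."""
    return html.escape(value, quote=True)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table (hypothetical schema) for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'Alice <admin>')")
    return conn


def lookup_display_name(conn: sqlite3.Connection, username: str):
    """Validate on the way in, bind the value as a parameter on the way to
    the database (never string-concatenate it into the SQL statement)."""
    if not validate_username(username):
        raise ValueError("username rejected by allowlist")
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def render_profile(conn: sqlite3.Connection, username: str) -> str:
    """Encode stored data at the point it is rendered into HTML."""
    name = lookup_display_name(conn, username)
    return f"<p>{encode_for_html(name or 'unknown')}</p>"
```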