
Injection Attack

Understanding Injection Attack Types


What is injection?

Injection is #1 on the latest (2017) OWASP Top 10 list. Injection vulnerabilities allow attackers to insert malicious inputs into an application or relay malicious code through an application to another system.

What are the injection attack types?

Injection is involved in four prevalent attack types: OGNL injection, Expression Language injection, command injection, and SQL injection. During an injection attack, untrusted inputs or unauthorized code are “injected” into a program and interpreted as part of a query or command. The result is an alteration of the program, redirecting it for a nefarious purpose.

Injection attacks can include calls to the operating system via system calls, the use of external programs via shell commands, or calls to backend databases using SQL (i.e., SQL injection). Whenever an application uses an interpreter, there is the risk of introducing an injection vulnerability. Whole scripts written in Perl, Python, and other languages can be injected into a poorly designed application and then executed, giving the attacker control over its behavior.

| Injection attack | Description |
| --- | --- |
| Code injection | Code injection is the term used to describe attacks that inject code into an application. That injected code is then interpreted by the application, changing the way a program executes. |
| Cross-site scripting | "Cross-site scripting" originally referred to loading the attacked, third-party web application from an unrelated attack site, executing JavaScript in the security context of the targeted domain, where cross-site data theft was the focus. |
| SQL injection | An SQL injection attack consists of an insertion or injection of a SQL query via the input data from the client to the application. |
| OGNL injection | Object-Graph Navigation Language is an open-source Expression Language (EL) for Java objects. |
| Expression Language injection | Expression Language Injection (aka EL Injection) enables an attacker to view server-side data and other configuration details and variables, including sensitive code and data (passwords, database queries, etc.). |
| Command injection | With a command injection attack, the goal is to hijack a vulnerable application in order to execute arbitrary commands on the host operating system. |
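The SQL injection row above describes input data being interpreted as part of the query. The following added example (not from the original page) shows that mechanism against a constructed in-memory SQLite table: the concatenating lookup lets a crafted value change the query's structure, while the parameterized lookup keeps the statement fixed and treats the same value as a plain string. The table contents and inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample data: three users in an in-memory database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is spliced into the SQL text, so the database
    # interpreter reads any quotes and operators it contains as SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement shape is fixed; the value is bound as a parameter and
    # is compared as data, never parsed as part of the query.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def vulnerable_query_breaks(conn: sqlite3.Connection, username: str) -> bool:
    # A legitimate value containing a quote (e.g. an Irish surname) is
    # enough to make the concatenated query syntactically invalid.
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.Error:
        return True

# Constructed example input: closes the string and appends a tautology.
ATTACK_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "bob"))             # the single matching row
    print(lookup_vulnerable(db, ATTACK_INPUT))      # every row: query altered
    print(lookup_parameterized(db, ATTACK_INPUT))   # []: value treated as a literal
    print(vulnerable_query_breaks(db, "o'brien"))   # True: syntax error on benign input
    print(lookup_parameterized(db, "o'brien"))      # []: handled safely
```

The same tautology that returns all three rows through `lookup_vulnerable` matches nothing through `lookup_parameterized`, which is the whole defensive point of parameterized queries.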


