█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/Input Validation and Injection Attacks
50 minIntermediate

Input Validation and Injection Attacks

After this lesson, you will be able to: Identify and prevent SQL injection, cross-site scripting (XSS), and command injection, the three classic injection attacks.

All injection attacks share the same root cause: untrusted input gets concatenated into a command interpreted by something else (a database, a browser, a shell). Fix the root cause and you fix all three at once.

Prerequisites:OWASP Top 10

SQL injection, the canonical example

User-controlled string concatenated into a query.

tsx
# VULNERABLE
query = "SELECT * FROM users WHERE name = '" + name + "'"
# Input: alice' OR '1'='1
# Result: SELECT * FROM users WHERE name = 'alice' OR '1'='1', returns every user
# FIXED, parameterized query
cursor.execute("SELECT * FROM users WHERE name = %s", (name,))

XSS, injecting JavaScript into a webpage

Untrusted input rendered as HTML.

html
// VULNERABLE
element.innerHTML = '<p>Hello, ' + userName + '</p>';
// Input: <script>fetch('/api/cookies').then(...)</script>
// Result: the script runs in the victim's browser
// FIXED, set as text, not HTML
element.textContent = 'Hello, ' + userName;
// Or use a templating engine that escapes by default (React, Vue)

Command injection, input run in a shell

User-controlled string appended to a system call.

python
# VULNERABLE
import os
os.system("ping " + ip)
# Input: 8.8.8.8; rm -rf /
# Result: both commands execute
# FIXED, pass as args list, no shell
import subprocess
subprocess.run(["ping", "-c", "1", ip], check=True)

💡 The single rule that prevents all three

Never construct queries, HTML, or shell commands by string concatenation with untrusted input. Use parameterized APIs (prepared statements, textContent, subprocess args). The framework handles escaping correctly so you don't have to.

Try it on PicoCTF

Real injection challenges in a safe legal environment.

  1. 1

    Sign in to PicoCTF

  2. 2

    Filter the Web Exploitation challenges by difficulty: Easy

  3. 3

    Pick a SQL injection challenge

  4. 4

    Use the browser's developer tools to inspect requests

  5. 5

    Find the injectable parameter and exfiltrate the flag

Quick Check

What's the right defense against XSS?

Choose the most effective answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←OWASP Top 10
Back to Application Security
Authentication and Session Security in Applications→