OWASP_TOP10 A03:2021 · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
Application is vulnerable when user-supplied data is not validated, filtered, or sanitised; dynamic queries or non-parameterised calls without context-aware escaping are used directly in the interpreter; hostile data is used within ORM search parameters; hostile data is directly used or concatenated in SQL/NoSQL/OS/LDAP/XPath/SMTP/IMAP/expression queries. Includes XSS as of 2021.
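The condition above ("dynamic queries or non-parameterised calls" with hostile data concatenated into the SQL text) is easiest to see side by side with its fix. The following is an added illustration, not code from the page or from SQUR: a constructed in-memory SQLite table, a lookup that concatenates the user-supplied name into the query string, the same lookup using a bound parameter, and an allow-list validator as the complementary "validated, filtered" control. The table, the function names and the hostile sample value are all assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory users table (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The A03 condition: hostile data concatenated directly into the SQL text.
    # The interpreter cannot tell where the value ends and the query resumes.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    # Hardened form: the value is bound as a parameter, so whatever it contains
    # is compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list validation as a second, independent layer (assumed policy:
# usernames are 1-32 lowercase letters, digits or underscores).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


# Constructed hostile sample: a quote that closes the literal plus an always-true clause.
HOSTILE = "x' OR '1'='1"


def demo():
    """Row counts for a benign and a hostile value against both lookups."""
    conn = make_db()
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_hostile": len(lookup_vulnerable(conn, HOSTILE)),
        "param_benign": len(lookup_parameterised(conn, "alice")),
        "param_hostile": len(lookup_parameterised(conn, HOSTILE)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key}: {count} row(s)")
    print("hostile value passes allow-list:", is_valid_username(HOSTILE))
```

Running it shows the concatenated query returning every row for the hostile value, while the parameterised query returns none because the whole string is treated as a literal name; the allow-list rejects the value before it reaches either query. Parameterisation is the primary control; validation narrows the input space but does not replace it.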
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Attackers exploit public-facing applications through injection vulnerabilities, directly aligning with OWASP A03:2021's description of 'Application is vulnerable when user-supplied data is not validated'. | 100% |
| T1059.003 | OS Command Injection, a core component of OWASP A03:2021, enables adversaries to execute commands via the Windows Command Shell, as specified by 'hostile data is directly used or concatenated in OS... queries'. | 100% |
| T1059.004 | OS Command Injection, as detailed in OWASP A03:2021, allows attackers to execute commands through Unix shells when 'hostile data is directly used or concatenated in OS... queries'. | 100% |
| T1203 | Cross-Site Scripting (XSS), explicitly included in OWASP A03:2021, leads to client-side code execution by exploiting 'user-supplied data is not validated, filtered, or sanitised'. | 100% |
| T1068 | Successful injection attacks, as described in OWASP A03:2021, frequently lead to privilege escalation by exploiting vulnerabilities in how 'dynamic queries or non-parameterised calls' are handled. | 90% |
| T1003 | Injection vulnerabilities, particularly SQL or OS injection mentioned in OWASP A03:2021, can facilitate OS credential dumping by allowing access to sensitive system data. | 90% |
| T1083 | Attackers use injection, as per OWASP A03:2021, to perform file and directory discovery, often by manipulating 'SQL/NoSQL/OS... queries' to read arbitrary files. | 100% |
| T1005 | Data from local systems is collected via injection attacks, a direct consequence of 'hostile data is directly used or concatenated in SQL/NoSQL/OS... queries' as outlined in OWASP A03:2021. | 100% |
| T1071.001 | Injection vulnerabilities, such as out-of-band SQLi or XSS in OWASP A03:2021, can establish Command and Control communication over web protocols by manipulating 'expression queries'. | 90% |
| T1041 | Data exfiltration over C2 channels is a common outcome of successful injection attacks, where 'hostile data is directly used or concatenated' to send sensitive information out, as per OWASP A03:2021. | 90% |
| T1490 | If injection leads to remote code execution, attackers can inhibit system recovery by deleting backups or critical system files, a potential impact of 'hostile data is directly used or concatenated in OS... queries' from OWASP A03:2021. | 70% |
| T1547.001 | Persistence can be achieved through injection-enabled remote code execution, allowing modification of registry run keys or startup folders, a secondary effect of 'hostile data is directly used or concatenated in OS... queries' in OWASP A03:2021. | 70% |
| T1027 | Attackers frequently obfuscate injection payloads to evade detection, directly related to the 'user-supplied data is not validated, filtered, or sanitised' aspect of OWASP A03:2021. | 80% |
| T1136.001 | Injection vulnerabilities, particularly those leading to RCE or database manipulation, can enable attackers to create local accounts for persistence, as a result of 'hostile data is directly used or concatenated in SQL... queries' from OWASP A03:2021. | 70% |
| T1046 | Network service discovery can be performed through injection, allowing attackers to map internal network services by manipulating 'SQL/NoSQL/OS... queries' as described in OWASP A03:2021. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1040 | Network Intrusion Prevention Systems detect and block malicious injection payloads, directly addressing the vulnerability where 'user-supplied data is not validated, filtered, or sanitised' in OWASP A03:2021. | 100% |
| M1054 | Secure software configuration prevents injection by enforcing parameterised queries and context-aware escaping, mitigating risks from 'dynamic queries or non-parameterised calls without context-aware escaping' as per OWASP A03:2021. | 100% |
| M1051 | Restricting web-based content, such as implementing Content Security Policy, directly counters Cross-Site Scripting (XSS) vulnerabilities, which OWASP A03:2021 explicitly includes 'as of 2021'. | 100% |
| M1035 | Limiting access to resources minimises the impact of successful injection attacks, ensuring that even if 'hostile data is used within ORM search parameters', sensitive data remains protected. | 90% |
| M1050 | Privilege auditing reduces the scope of damage from successful injection, ensuring that compromised accounts cannot exploit 'hostile data is directly used or concatenated in SQL/NoSQL/OS/LDAP/XPath/SMTP/IMAP/expression queries' to gain excessive access. | 90% |
| M1049 | Regular patch management addresses underlying software vulnerabilities that enable injection, directly preventing the 'Application is vulnerable' state described in OWASP A03:2021. | 80% |
| M1038 | Network segmentation contains the blast radius of a successful injection, preventing lateral movement even if 'hostile data is directly used or concatenated in SQL/NoSQL/OS/LDAP/XPath/SMTP/IMAP/expression queries' compromises a single system. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-89 | This CWE directly describes SQL Injection, a primary concern in OWASP A03:2021 where 'hostile data is directly used or concatenated in SQL... queries'. | 100% |
| CWE-79 | This CWE directly describes Cross-Site Scripting (XSS), which OWASP A03:2021 explicitly includes 'as of 2021' because 'user-supplied data is not validated, filtered, or sanitised'. | 100% |
| CWE-78 | This CWE directly describes OS Command Injection, a critical vulnerability in OWASP A03:2021 when 'hostile data is directly used or concatenated in OS... queries'. | 100% |
| CWE-90 | This CWE directly describes LDAP Injection, a specific type of injection mentioned in OWASP A03:2021 where 'hostile data is directly used or concatenated in LDAP... queries'. | 100% |
| CWE-91 | This CWE directly describes XPath Injection, a specific type of injection mentioned in OWASP A03:2021 where 'hostile data is directly used or concatenated in XPath... queries'. | 100% |
| CWE-20 | This CWE broadly covers 'Improper Input Validation', which is the root cause when 'user-supplied data is not validated, filtered, or sanitised' as stated in OWASP A03:2021. | 100% |
| CWE-502 | This CWE describes 'Deserialization of Untrusted Data', which can lead to various injection-like vulnerabilities, including the 'expression queries' mentioned in OWASP A03:2021. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0202 compute · voice-rubric self-validated