VC100A03:2021·CWE-611

Insecure XML processing

About A03:2021Injection

Injection happens when user input is concatenated directly into SQL queries, shell commands, HTML, or any other interpreter. SQL injection has been #1 or #2 on the OWASP Top 10 since the list was created in 2003 — it's the oldest class of web bug that still ships every week.

Impact: SQL injection: attacker reads or modifies your entire database. Command injection: attacker runs arbitrary shell commands on your server. XSS: attacker steals session cookies and impersonates other users. Each one is typically a critical-severity finding.

How to fix it: Always use parameterized queries (prepared statements) for SQL. Never use template literals or string concatenation with user input in queries. For HTML output, use your framework's auto-escaping. For shell commands, use APIs that take an array of arguments instead of `exec()` with a string.

Common patterns in this category:

  • SQL queries built with string concatenation or template literals
  • `child_process.exec()` called with user input concatenated into the command
  • `dangerouslySetInnerHTML` with user-controlled data
  • `eval()` or `Function()` called with user input
  • `innerHTML` assignment without sanitization

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2
CC6.8, CC7.1
ISO 27001
A.8.28, A.8.25
OWASP Top 10
A03:2021Injection
CWE
CWE-611

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC100 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

Scan Your Code →

Related rules in A03:2021

← All security rules
VC100: Insecure XML processing | XploitScan Rules