Injection attack identification and mitigation includes tracking characteristics of user input by a user to a computer system via input device(s), building and maintaining a user profile based on the tracking and that provides a baseline of expected characteristics of user input, the baseline defined by the tracked characteristics, monitoring input to the computer system in real time as the input is provided to the computer system, identifying, based on the monitoring and on a comparison of characteristics of the monitored input to the baseline of expected characteristics, a potential malicious code injection as part of the monitored input to the computer system, and performing mitigation processing based on identifying the potential malicious code injection.