SQL Injection

SQL injection is a technique in which an attacker inserts crafted SQL statements into a form or entry field so that the application executes commands of the attacker's choosing: retrieving data from the database that the application was never meant to expose, destroying legitimate data, or otherwise modifying it.

Through SQL command injection, an unauthorized user can spoof the identity of a more privileged user, tamper with existing data, alter transaction records and balance amounts, and retrieve or destroy all data held on the database server.

In a web application, SQL injection therefore typically occurs over the Internet, by sending malicious SQL queries to an API endpoint the application exposes. In the worst case, SQL injection can let an attacker gain root access to the server, giving them complete control of its administration.

Description

Remediation Techniques:

  • Use parameterized queries, stored procedures, output escaping and server-side input validation against whitelists in combination, or escape all user-supplied input as necessary.
  • Use the database's row-limiting controls (LIMIT, ROWNUM or TOP, depending on the vendor) so that a successful injection cannot disclose the entire data set.
  • Assign the application's database account the least privileges needed to run its SQL commands, so that a successful injection cannot escalate to heavy privileges such as root access.
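The following is an added example, not code from the original page, showing the first three remediations side by side against a constructed in-memory SQLite table: a string-concatenated lookup that lets a quote in the input change the query, the same lookup rewritten with bound parameters and a LIMIT, and a connection restricted to read-only as a least-privilege measure. The `users` table, its rows and the test input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data: a minimal users table with balances.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("carol", 75)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Concatenation: the input becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username, balance FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, limit=1):
    # Binding: the driver passes the value separately from the statement, so
    # it is only ever compared as data. LIMIT caps what one query can return.
    sql = "SELECT username, balance FROM users WHERE username = ? LIMIT ?"
    return conn.execute(sql, (username, limit)).fetchall()


def restrict_to_read_only(conn):
    # Least privilege at the connection level: SQLite rejects any write once
    # query_only is set, so a lookup path cannot be turned into a modification.
    conn.execute("PRAGMA query_only = ON")


def try_update(conn):
    # Returns True if a write succeeded, False if the connection refused it.
    try:
        conn.execute("UPDATE users SET balance = 0")
        return True
    except sqlite3.OperationalError:
        return False


# Constructed test input: a quote that closes the literal, then a tautology.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "alice"))       # [('alice', 100)]
    print(lookup_vulnerable(conn, TAUTOLOGY))     # all three rows leak
    print(lookup_parameterized(conn, TAUTOLOGY))  # [] : no user has that name
    restrict_to_read_only(conn)
    print(try_update(conn))                       # False
```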