SQL Injection

  • PCI 3.2-6.5.1
  • OWASP 2013-A1
  • CWE 89
  • WASC 19

SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.

With a successful attack, an attacker can gain:

  • Unauthorized access to an application: An attacker can successfully bypass an application's authentication mechanism to have illegitimate access to it.
  • Information disclosure: A SQL injection attack could lead to complete leakage of the data held on the database server.
  • Loss of data availability: An attacker can delete records from the database server.
  • Compromised data integrity: As SQL statements are also used to modify or add records, an attacker can use SQL injection to modify or add data stored in the database. This leads to compromised data integrity.

Remediation
  • Validate input against a whitelist (allow-list) of expected values or characters rather than a blacklist, wherever that is practicable.
  • Do not create SQL queries with string concatenation. Instead use prepared statements or stored procedures.
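The two remediation points above, worked through as an added example (not code from the original page): a vulnerable string-concatenated query beside its parameterized form, plus an allow-list check applied before the query. The database, table and usernames are constructed for the example.

```python
import re
import sqlite3


def build_db():
    # Constructed in-memory sample database for the example (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable pattern: the input is spliced into the SQL text, so any quote
    # or operator it contains becomes part of the statement's logic.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Hardened pattern: a parameterized (prepared) statement. The SQL text is
    # fixed and the value is bound separately, so it is never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list: only the characters a username may legitimately contain, with a
# length bound. The apostrophe is allowed because names like O'Brien are valid;
# parameterization, not character filtering, is what keeps it harmless.
USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9_.'-]{1,32}")


def is_valid_username(username):
    return USERNAME_ALLOWLIST.fullmatch(username) is not None


def lookup(conn, username):
    # Defence in depth: validate against the allow-list, then query with parameters.
    if not is_valid_username(username):
        raise ValueError("username rejected by allow-list")
    return find_user_safe(conn, username)


def unsafe_breaks_on_quote(conn):
    # Even benign input exposes the concatenation bug: the apostrophe in O'Brien
    # ends the string literal and the statement no longer parses.
    try:
        find_user_unsafe(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True
```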

References