SQL Injection
- PCI 3.2-6.5.1
- OWASP 2013-A1
- CWE 89
- WASC 19
SQL Injection is an attack technique used to exploit applications that construct SQL statements from user-supplied input. When successful, the attacker is able to change the logic of SQL statements executed against the database.
With a successful attack, an attacker can gain:
- Unauthorized access to an application: An attacker can bypass the application's authentication mechanism and gain illegitimate access to it.
- Information disclosure: A SQL injection attack can lead to complete leakage of the data held on the database server.
- Loss of data availability: An attacker can delete records from the database server.
- Compromised data integrity: Because SQL statements are also used to modify or add records, an attacker can use SQL injection to modify or add data stored in the database, compromising its integrity.
Remediation
- Validate input by whitelisting (accepting only known-good values) rather than blacklisting wherever it is practicable.
- Do not build SQL queries with string concatenation. Use prepared statements (parameterized queries) or stored procedures instead.
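As an added example, not from the original page, the following Python shows a login query built by string concatenation next to its prepared-statement replacement and a whitelist check on the username. The in-memory table, its rows, and the sample input are constructed for the demonstration; the function names are assumptions.

```python
import sqlite3

# Constructed sample database for the demonstration; passwords are stored
# in plain text only to keep the example short.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # BAD: user input is concatenated into the statement, so the input can
    # change the logic of the statement the database executes.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # GOOD: a prepared statement with bound parameters. The driver sends the
    # input as data, so it can never alter the structure of the query.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def username_allowed(username: str) -> bool:
    # Whitelist validation: accept only the character set and length a
    # username is supposed to have, instead of trying to block bad characters.
    return username.isascii() and username.isalnum() and 1 <= len(username) <= 32

# Constructed sample input: a value that, when concatenated, turns the WHERE
# clause into a condition that is true for every row.
SAMPLE_INJECTION = "' OR '1'='1"

def compare(conn: sqlite3.Connection, username: str, password: str) -> tuple:
    # Returns (vulnerable_result, safe_result, input_passes_whitelist) for the
    # same input so the two query styles can be compared side by side.
    return (login_vulnerable(conn, username, password),
            login_safe(conn, username, password),
            username_allowed(username))

if __name__ == "__main__":
    db = make_db()
    print("valid credentials:", compare(db, "alice", "s3cret"))
    print("injected input:   ", compare(db, SAMPLE_INJECTION, SAMPLE_INJECTION))
```

With the injected input the concatenated query reports a successful login although no such user exists, while the prepared statement and the whitelist both reject it.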