Difference between revisions of "OWASP Periodic Table of Vulnerabilities - SQL Injection"

From OWASP
Jump to: navigation, search
(Generic Framework Solution)
(Root Cause Summary)
Line 3: Line 3:
  
 
=== Root Cause Summary ===
 
=== Root Cause Summary ===
Applications that have insufficient input validations and allow an external user to manipulate the SQL commands and retrieve results that would result in a compromise of the data.
+
Applications that have insufficient input validations or non-validated literal strings concatenated into a dynamic SQL Statement and subsequently interpreted as code by the SQL Engine
  
 
=== Browser / Standards Solution ===
 
=== Browser / Standards Solution ===

Revision as of 01:58, 6 May 2013

Contents

SQL Injection

Root Cause Summary

Applications that have insufficient input validations or non-validated literal strings concatenated into a dynamic SQL Statement and subsequently interpreted as code by the SQL Engine

Browser / Standards Solution

None

Perimeter Solution

Web Application Firewalls (WAFs) can help in reducing SQL Injection attacks by filtering popular and well known attack inputs. WAFs are driven by a set of predefined rules that can help mitigate SQL Inection attacks to a certain extent.


Complexity: High
Impact: High

Generic Framework Solution

  • Parametric Queries - Use parametric queries to execute any SQL commands
  • Input Validation - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted characterset
  • Escape Sequences - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. To provide a seperate link for this

Complexity: Low
Impact: High

Custom Framework Solution

Provide a common configuration functionality available to any feature/function. Configuration settings should allow multiple per-user rate limits as well as global rate limits to prevent denial of service.

Complexity: Low
Impact: High

Custom Code Solution

Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.

Complexity: Low
Impact: High

Discussion / Controversy

Generic framework solution requires too much overhead to track request limits. Request rate limiting should be done in perimeter, not framework. Should combine with Denial of Service (Application-Based)? Custom Code solution is the same as Custom Framework Solution; Custom Code solution should be pushed into framework.

References

Insufficient Anti-automation (WASC TC)
Brute Force (WASC TC)
Testing for Brute Force (OWASP Testing Guide)