Difference between revisions of "OWASP Periodic Table of Vulnerabilities - SQL Injection"

From OWASP
Jump to: navigation, search
(Discussion / Controversy)
(References)
Line 41: Line 41:
  
 
=== References ===
 
=== References ===
[http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation Insufficient Anti-automation (WASC TC)]<br>
 
[http://projects.webappsec.org/w/page/13246915/Brute%20Force Brute Force (WASC TC)]<br>
 
[[Testing for Brute Force (OWASP-AT-004)| Testing for Brute Force (OWASP Testing Guide)]]<br>
 

Revision as of 10:39, 6 May 2013

Contents

SQL Injection

Root Cause Summary

Applications that have insufficient input validations or non-validated literal strings concatenated into a dynamic SQL Statement and subsequently interpreted as code by the SQL Engine

Browser / Standards Solution

None

Perimeter Solution

Web Application Firewalls (WAFs) can help in reducing SQL Injection attacks by filtering popular and well known attack inputs. WAFs are driven by a set of predefined rules that can help mitigate SQL Inection attacks to a certain extent.


Complexity: High
Impact: High

Generic Framework Solution

  • Parametric Queries - Use parametric queries to execute any SQL commands
  • Input Validation - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted characterset
  • Escape Sequences - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. [ To provide a seperate link for this ]

Complexity: Low
Impact: High

Custom Framework Solution

Complexity: Medium
Impact: High

Custom Code Solution

  • When building custom solutions, make sure that SQL queries are not constructed dynamically with the table names and views. If that is unavoidable, validate the schema and the table/view names before constructing the SQL query.
  • As a precuationay measure, ensure that the tables have appropriate access control through policies
  • Whenever possible, when building custom solutions, use the underlying databases prepared queries library.

Complexity: High
Impact: High

Discussion / Controversy

References