OWASP Periodic Table of Vulnerabilities - SQL Injection
Root Cause Summary
Applications that have insufficient input validations or non-validated literal strings concatenated into a dynamic SQL Statement and subsequently interpreted as code by the SQL Engine
Browser / Standards Solution
Web Application Firewalls (WAFs) can help in reducing SQL Injection attacks by filtering popular and well known attack inputs. WAFs are driven by a set of predefined rules that can help mitigate SQL Inection attacks to a certain extent.
Generic Framework Solution
- Parametric Queries - Use parametric queries to execute any SQL commands
- Input Validation - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted characterset
- Escape Sequences - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. To provide a seperate link for this
Custom Framework Solution
Provide a common configuration functionality available to any feature/function. Configuration settings should allow multiple per-user rate limits as well as global rate limits to prevent denial of service.
Custom Code Solution
Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.
Discussion / Controversy
Generic framework solution requires too much overhead to track request limits. Request rate limiting should be done in perimeter, not framework. Should combine with Denial of Service (Application-Based)? Custom Code solution is the same as Custom Framework Solution; Custom Code solution should be pushed into framework.