SQL Injection

Remediation

1. Use Object Data Models (ODMs): Instead of directly passing user input to the SQL server, use ODMs to gather and sanitize data. ODMs provide a layer of abstraction that helps prevent SQL injection vulnerabilities. For example, in a Node.js application using the Mongoose ODM, you can define a schema and use it to create and query documents in MongoDB:

   const mongoose = require('mongoose');
   const userSchema = new mongoose.Schema({
     username: String,
     password: String
   });
   const User = mongoose.model('User', userSchema);
      
   // Sanitize and save user input
   const newUser = new User({
     username: sanitize(req.body.username),
     password: sanitize(req.body.password)
   });
   newUser.save();
   

2. Use parameterized queries: Instead of concatenating user input directly into SQL statements, use parameterized queries provided by the language framework. Parameterized queries separate the SQL code from the user input, preventing SQL injection attacks. For example, in a Java application using JDBC, you can use prepared statements:

   String sql = "SELECT * FROM users WHERE username = ?";
   PreparedStatement statement = connection.prepareStatement(sql);
   statement.setString(1, sanitize(userInput));
   ResultSet resultSet = statement.executeQuery();
   

3. Avoid string concatenation on SQL statements: String concatenation should be avoided when constructing SQL statements, as it can lead to SQL injection vulnerabilities. Instead, use parameterized queries or stored procedures to handle dynamic values. For example, in a PHP application using PDO:

   $username = sanitize($_POST['username']);
   $password = sanitize($_POST['password']);
      
   $sql = "SELECT * FROM users WHERE username = :username AND password = :password";
   $statement = $pdo->prepare($sql);
   $statement->bindParam(':username', $username);
   $statement->bindParam(':password', $password);
   $statement->execute();
   

About

SQL injection vulnerabilities occur when user input is not properly sanitized or when it is directly passed to the back-end SQL server. Attackers can exploit these vulnerabilities by injecting SQL commands into the application, potentially allowing them to enumerate column names, retrieve data from the database, or even execute remote code.

Risks

The risks associated with SQL injection vulnerabilities include:

• Enumeration of column names: Attackers can use SQL injection to gather information about the database structure, such as the names of tables and columns. This information can be used for further attacks or unauthorized access.
• Data retrieval: SQL injection can allow attackers to retrieve sensitive data from the database, such as usernames, passwords, or personal information.
• Remote code execution: In some cases, SQL injection can lead to remote code execution, where an attacker can execute arbitrary code on the server, potentially gaining full control over the application and the underlying system.

It’s important to note that StackHawk tests for SQL injection vulnerabilities are often time-based, meaning the scanner tries to make the SQL server perform time-based actions to increase the response time of the application. This can help identify potential SQL injection vulnerabilities.