HawkScan Test Info for SQL Injection - Hypersonic SQL - Time Based

SQL Injection - Hypersonic SQL - Time Based

Reference

Plugin Id: 40020 | CWE: 89

Remediation

  1. Use built-in Object Data Models (ODMs) to gather data: Instead of directly concatenating user input into SQL queries, use ODMs provided by your programming language or framework to interact with the database. ODMs handle the necessary sanitization and parameterization of user input, reducing the risk of SQL injection vulnerabilities. For example, in Node.js with MongoDB, you can use Mongoose as an ODM:

    const mongoose = require('mongoose');
    const User = mongoose.model('User');
    
    // Example of using an ODM to query the database
    const username = req.body.username;
    const user = await User.findOne({ username });
    
  2. Use parameterized queries: Instead of concatenating user input directly into SQL statements, use parameterized queries or prepared statements. Parameterized queries separate the SQL code from the user input, preventing SQL injection attacks. Here’s an example in Java using JDBC:

    String sql = "SELECT * FROM users WHERE username = ?";
    PreparedStatement statement = connection.prepareStatement(sql);
    statement.setString(1, username);
    ResultSet resultSet = statement.executeQuery();
    
  3. Avoid string concatenation on SQL statements: Do not directly concatenate user input into SQL statements in your code. This can lead to SQL injection vulnerabilities. Instead, use parameterized queries or ODMs as mentioned above.

About

SQL injection vulnerabilities occur when user input is not properly sanitized or when it is directly passed to the back-end SQL server. Attackers can exploit these vulnerabilities by injecting malicious SQL commands into the application.

Risks

  1. Enumeration of column names: An attacker can use SQL injection to enumerate the column names in the database, gaining insights into the database structure and potentially identifying sensitive information.

  2. Data retrieval from the database: SQL injection can allow an attacker to retrieve data from the database that they are not authorized to access. This can lead to unauthorized disclosure of sensitive information.

  3. Remote code execution: In some cases, SQL injection vulnerabilities can be leveraged to execute arbitrary code on the server, leading to full compromise of the application and potentially the underlying system. This can result in unauthorized access, data breaches, and other malicious activities.