HawkScan Test Info for SQL Injection - SQLite

SQL Injection - SQLite

Reference

Plugin Id: 40024 | CWE: 89

Remediation

  1. Use Object Data Models (ODMs): Instead of directly passing user input to the SQL server, use ODMs to gather and sanitize data. ODMs provide a layer of abstraction that helps prevent SQL injection vulnerabilities.

    Example using an ODM in Python with SQLAlchemy:

    from sqlalchemy import Column, Integer, String
    from sqlalchemy.ext.declarative import declarative_base
    
    Base = declarative_base()
    
    class User(Base):
        __tablename__ = 'users'
    
        id = Column(Integer, primary_key=True)
        username = Column(String)
        password = Column(String)
    
  2. Use parameterized queries: Instead of concatenating user input directly into SQL statements, use parameterized queries provided by the language framework. Parameterized queries separate the SQL code from the user input, preventing SQL injection attacks.

    Example using parameterized queries in PHP with PDO:

    $username = $_POST['username'];
    $password = $_POST['password'];
    
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username AND password = :password');
    $stmt->bindParam(':username', $username);
    $stmt->bindParam(':password', $password);
    $stmt->execute();
    
  3. Avoid string concatenation in SQL statements: Instead of directly concatenating user input into SQL statements, use prepared statements or stored procedures to handle dynamic queries. This helps prevent SQL injection by ensuring that user input is properly escaped and treated as data, not executable code.

    Example using prepared statements in Java with JDBC:

    String username = request.getParameter("username");
    String password = request.getParameter("password");
    
    String sql = "SELECT * FROM users WHERE username = ? AND password = ?";
    PreparedStatement statement = connection.prepareStatement(sql);
    statement.setString(1, username);
    statement.setString(2, password);
    ResultSet resultSet = statement.executeQuery();
    

About

SQL injection vulnerabilities occur when user input is not properly sanitized and is directly passed to the back-end SQL server. Attackers can exploit this vulnerability by injecting SQL commands into the application.

Risks

The risks associated with SQL injection vulnerabilities include:

  • Enumeration of column names: Attackers can use SQL injection to gather information about the database structure, including column names, which can aid in further attacks.
  • Data retrieval from the database: Attackers can manipulate SQL queries to retrieve sensitive data from the database, such as usernames, passwords, or other confidential information.
  • Remote code execution: In some cases, SQL injection vulnerabilities can allow attackers to execute arbitrary code on the server, leading to complete compromise of the application and potentially the underlying system.

It’s important to note that StackHawk tests for SQL injection vulnerabilities are often time-based, meaning the scanner attempts to perform actions that increase the response time of the application’s SQL server.