CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL injection occurs when an end-user leverages the client-side interface to provide input that is then used as part of a SQL command that the application executes.
Why SQL injection vulnerabilities are problematic
With SQL injection attacks, an unauthorized user could:
- Read from the database
- Modify the database
- Execute administrative operations against the database (e.g., drop tables)
- Gain control of the operating system for the workstation on which the database is hosted
How SQL injection vulnerabilities occur
SQL injections can occur if the application accepts user input and uses it to create a SQL command. Areas where users can supply input include form fields and search bars.
If the user-provided input isn't escaped or sanitized, the user may provide unexpected input that changes the application's behavior. For example, if the application asks for the user's name, but the user provides the following instead:
myName' UNION SELECT * FROM users --
Then the command that's executed against the database is:
SELECT firstName FROM users WHERE user_name = 'myName' UNION SELECT * FROM users --
The result is that the user retrieves the contents of the users table instead of the application simply accepting the person's name as expected: the quote character closes the string literal, the UNION appends a second query, and the trailing -- comments out whatever SQL follows.
Mitigating SQL injection vulnerabilities
To reduce exposure to SQL command injection vulnerabilities:
- Escape user-supplied input that will be used in a SQL statement
- Create an allowlist of acceptable input and check all user-supplied input against this list
- Use prepared statements with parameterized queries to handle data and ensure that a malicious party cannot change the intent of the SQL query
- Use stored procedures, which parameterize input automatically before it is used in SQL queries
- Create an account with limited privileges that the application uses to run SQL queries (e.g., this account does not need database administrator privileges)
- Use libraries or frameworks to implement functionality alongside protection against SQL injection attacks
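The following is an added example, not code from the original article, contrasting the string-concatenated lookup described above with its parameterized form and an allowlist check. It uses Python's built-in sqlite3 module; the table, rows and the one-column variation of the article's input are constructed for this example (a UNION is only accepted when both SELECTs return the same number of columns).

```python
import re
import sqlite3

# Constructed sample rows for this example (not from the original article).
SAMPLE_USERS = [
    ("alice", "Alice"),
    ("bob", "Bob"),
    ("o'brien", "Conor"),  # a legitimate name that contains a quote character
]

# One-column variation of the article's input so the UNION column counts match.
INJECTED_INPUT = "myName' UNION SELECT firstName FROM users --"


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, firstName TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_name):
    """String concatenation: the input is spliced into the SQL text itself."""
    sql = "SELECT firstName FROM users WHERE user_name = '" + user_name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, user_name):
    """Prepared statement: the value is bound separately and never parsed as SQL."""
    sql = "SELECT firstName FROM users WHERE user_name = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_name,)))


def is_allowed_user_name(user_name):
    """Allowlist check: only letters, digits and underscores, 1 to 32 characters."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", user_name) is not None


def vulnerable_lookup_errors(conn, user_name):
    """True if the concatenated query is rejected by the SQL parser as malformed."""
    try:
        lookup_vulnerable(conn, user_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECTED_INPUT))     # every firstName in the table
    print(lookup_parameterized(db, INJECTED_INPUT))  # [] : no user has that literal name
    print(lookup_parameterized(db, "o'brien"))       # ['Conor']
    print(is_allowed_user_name(INJECTED_INPUT))      # False
```

Note that the concatenated version also fails on the legitimate name o'brien (a syntax error, which is how many injection flaws are first noticed), while the parameterized version handles it correctly.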
TL;DR
CWE-89 refers to SQL injection attacks, which occur when raw user input is used to create a SQL query, allowing a malicious party to change the query’s intent. SQL injections are easily found and commonly exploited.