Input Validation / SQL Server Injection
Description
SQL Server Injection is a type of injection attack that targets the backend databases of web applications and APIs. It exploits the way user-supplied input is interpreted by the database server: input that is concatenated into a query string is parsed as part of the SQL statement rather than treated as data. The Common Weakness Enumeration (CWE) catalogue lists this weakness as CWE-89. According to the OWASP Testing Guide, vulnerabilities of this type can be identified through manual testing and source code analysis.
Risk
The risk of this vulnerability is that attacker-controlled SQL can be injected into queries and executed by the database, giving access to sensitive data and allowing actions to be performed without authorization. This type of attack can lead to data loss, spoofing, privilege escalation and denial of service.
Solution
The best way to prevent this type of attack is to ensure that all user input is validated. This includes checking input against what the application expects and properly encoding data before passing it to the server. Additionally, developers should use parameterized queries (prepared statements), which bind user input as data instead of concatenating it into the SQL text, so that it can never be parsed as part of the statement.
Example
The following code block is an example of a SQL injection vulnerability taken from the CVE directory.
String query = "SELECT * FROM users WHERE username = '" + request.getParameter("username") + "' AND password = '" + request.getParameter("password") + "'"; // user input is concatenated straight into the SQL text
Statement statement = connection.createStatement(); // createStatement() takes no arguments; the SQL is supplied to executeQuery()
ResultSet results = statement.executeQuery(query);
In this code, user input is concatenated into the query without validation or escaping, so a malicious user can inject SQL into the statement that the database then executes.
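The following is an added Python example, not part of the original page, that reproduces the vulnerable lookup above against a constructed in-memory SQLite table and places it beside the parameterized version recommended in the Solution section. The table contents, the function names and the test inputs are all assumptions made for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """Vulnerable: mirrors the page's Java snippet; user input is pasted into the SQL text."""
    query = ("SELECT id, username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()

def login_param(conn, username, password):
    """Hardened: the SQL text is fixed and the driver binds the values, so input is never parsed as SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

def demo():
    """Run both variants on valid credentials, on a crafted username, and on a name containing a quote."""
    conn = make_db()
    results = {}
    results["valid_concat"] = login_concat(conn, "alice", "s3cret")
    results["valid_param"] = login_param(conn, "alice", "s3cret")
    crafted = "' OR '1'='1' --"          # closes the string literal and comments out the password check
    results["crafted_concat"] = login_concat(conn, crafted, "wrong")   # returns a row: authentication bypassed
    results["crafted_param"] = login_param(conn, crafted, "wrong")     # None: the literal is just a username value
    try:
        login_concat(conn, "o'brien", "x")   # a legitimate name with an apostrophe breaks the concatenated SQL
        results["quote_concat"] = "no error"
    except sqlite3.OperationalError:
        results["quote_concat"] = "syntax error"
    results["quote_param"] = login_param(conn, "o'brien", "x")       # bound as data, simply no match
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The apostrophe case shows that the concatenated form is also a correctness bug, which is often how such code is first noticed in logs as database syntax errors.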