This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "OWASP Periodic Table of Vulnerabilities - SQL Injection"

From OWASP
(Root Cause Summary)
(Generic Framework Solution)
Line 19: Line 19:
 
* '''Parametric Queries''' - Use parametric queries to execute any SQL commands
 
* '''Parametric Queries''' - Use parametric queries to execute any SQL commands
 
* '''Input Validation''' - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted characterset
 
* '''Input Validation''' - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted characterset
* '''Escape Sequences''' - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. [[To provide a seperate link for this]]
+
* '''Escape Sequences''' - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. [ [[To provide a seperate link for this]] ]
  
 
Complexity: Low<br>
 
Complexity: Low<br>
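Review bot: the only change to the Escape Sequences bullet is wrapping the `[[To provide a seperate link for this]]` wikilink in an extra pair of single brackets, which still leaves an editorial placeholder (with "seperate" misspelled) rendered inside the published bullet; replace it with an actual link to an escaping reference, or drop the bracketed note until one exists, rather than adjusting its bracketing.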

Revision as of 07:04, 6 May 2013

SQL Injection

Root Cause Summary

The application performs insufficient input validation, or concatenates non-validated literal strings into a dynamic SQL statement that the SQL engine subsequently interprets as code.

Browser / Standards Solution

None

Perimeter Solution

Web Application Firewalls (WAFs) can help reduce SQL Injection attacks by filtering popular and well-known attack inputs. WAFs are driven by a set of predefined rules that can mitigate SQL Injection attacks only to a certain extent.

Complexity: High
Impact: High

Generic Framework Solution

  • Parametric Queries - Use parametric queries to execute any SQL commands
  • Input Validation - Validate all inputs that are passed to the SQL statement for accuracy of datatypes, boundary limits and accepted character set
  • Escape Sequences - In cases where it is not possible to use parametric queries (like legacy code), ensure that the SQL engine sensitive characters are escaped appropriately. [ To provide a separate link for this ]
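The three framework-level controls above, shown side by side in an added example that is not part of the OWASP wiki page: a concatenated query that lets the SQL engine interpret input as code, the same lookup as a parametric query, a validation step that enforces datatype, boundary limit and accepted character set, and a quote-doubling escape for legacy code paths that still build SQL strings. The in-memory SQLite table, the username rule and the function names are assumptions made for this example.

```python
import re
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# Root cause: the literal string is concatenated into a dynamic SQL statement,
# so any quote or operator inside it is parsed as SQL rather than as data.
def find_user_concat(conn: sqlite3.Connection, username: str):
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Parametric query: the value is bound separately from the statement text and
# is never parsed by the SQL engine, whatever characters it contains.
def find_user_param(conn: sqlite3.Connection, username: str):
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Input validation: datatype, boundary limit (1-32 chars) and accepted
# character set, enforced before the value reaches the statement.
# The rule itself is an assumption chosen for this example.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(value) -> str:
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(
            "username must be 1-32 lowercase letters, digits or underscores, "
            "starting with a letter"
        )
    return value


def find_user_validated(conn: sqlite3.Connection, username):
    # Validation and parameterisation are layered, not alternatives.
    return find_user_param(conn, validate_username(username))


# Escape fallback for legacy code that must build the SQL string itself:
# SQLite (like most engines) ends a string literal at a single quote, so the
# engine-specific escape is to double every single quote. Escaping is
# engine-specific, so this helper is only correct for SQLite-style literals.
def escape_sqlite_literal(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"


def find_user_escaped(conn: sqlite3.Connection, username: str):
    sql = (
        "SELECT id, username, role FROM users WHERE username = "
        + escape_sqlite_literal(username)
    )
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    # Constructed input containing a quote and an OR clause, the classic
    # pattern a test suite uses to confirm the hardened paths treat it as data.
    probe = "x' OR '1'='1"
    print("concatenated:", find_user_concat(db, probe))   # every row comes back
    print("parametric:  ", find_user_param(db, probe))    # []
    print("escaped:     ", find_user_escaped(db, probe))  # []
    print("validated:   ", find_user_validated(db, "bob"))
```

The concatenated variant returns the whole table for the probe string because the SQL engine sees `WHERE username = 'x' OR '1'='1'`; the parametric and escaped variants look for a user literally named `x' OR '1'='1` and find none, and the validated variant rejects the string before any SQL is built. Escaping is shown last deliberately: it depends on the exact engine's quoting rules, which is why the page reserves it for legacy code that cannot be parameterised.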

Complexity: Low
Impact: High

Custom Framework Solution

Provide a common configuration functionality available to any feature/function. Configuration settings should allow multiple per-user rate limits as well as global rate limits to prevent denial of service.

Complexity: Low
Impact: High

Custom Code Solution

Any feature sensitive to high transaction rates should expose configurable rate limits per user or globally per feature.

Complexity: Low
Impact: High

Discussion / Controversy

Generic framework solution requires too much overhead to track request limits. Request rate limiting should be done in perimeter, not framework. Should combine with Denial of Service (Application-Based)? Custom Code solution is the same as Custom Framework Solution; Custom Code solution should be pushed into framework.

References

Insufficient Anti-automation (WASC TC)
Brute Force (WASC TC)
Testing for Brute Force (OWASP Testing Guide)