Advanced SQL Injection

ID

advanced_sql_injection

Severity

critical

Kind

Injection

CWE

89

Description

This detector identifies advanced SQL injection vulnerabilities where the application appears susceptible to database query manipulation through specially crafted input payloads. The vulnerability allows attackers to inject malicious SQL commands that the database executes as part of the application’s intended queries.

Rationale

SQL injection enables attackers to manipulate database queries by injecting SQL syntax through user-controlled input. Successful exploitation can lead to complete compromise of the database, including unauthorized data extraction, modification, or deletion. Attackers may bypass authentication, escalate privileges, execute administrative operations, and in some database configurations gain operating system command execution on the database server. The vulnerability results from applications concatenating untrusted input directly into SQL queries instead of binding it as parameters, with no adequate server-side validation.

Remediation

Do not trust client-side input, even if client-side validation is in place: validate and type-check all data on the server side.

Use parameterized queries so that user input is always bound as data and never parsed as SQL. If the application uses JDBC, use PreparedStatement or CallableStatement with parameters passed via '?' placeholders. If the application uses ASP, use ADO Command objects with strong type checking and parameterized queries. If database stored procedures can be used, use them, but do not concatenate strings into queries inside the stored procedure and do not use 'exec', 'EXECUTE IMMEDIATE', or equivalent dynamic-SQL functionality, as that reintroduces the vulnerability. Never build dynamic SQL queries by simple string concatenation.

Where a value cannot be bound as a parameter (for example a table or column name, or a sort order), validate it against an allow list of permitted values. An allow list of allowed characters is preferable to a deny list of disallowed characters, which is far easier to bypass. Escaping data received from the client is a defense-in-depth measure only and is not a substitute for parameterization.

Apply the principle of least privilege: connect with the least-privileged database user possible, and in particular avoid the 'sa' or 'db_owner' accounts. This does not eliminate SQL injection, but it limits its impact. Grant only the minimum database access the application needs.
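The following is an added example, not code from the original page: it places the vulnerable string-concatenation login query beside its parameterized form, using Python's sqlite3 module in place of the JDBC PreparedStatement mentioned above, and shows an allow list for a column name that cannot be bound as a parameter. The user table, credentials, injection payloads and the ORDER BY allow list are all constructed for this demonstration.

```python
import sqlite3

# Constructed sample data so the example runs offline; not from the original page.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]
ALLOWED_SORT_COLUMNS = {"id", "username"}  # hypothetical allow list for an ORDER BY column


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Dynamic SQL built by string concatenation: the pattern the remediation warns against."""
    query = ("SELECT id FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same query with '?' placeholders (the sqlite3 equivalent of a JDBC PreparedStatement).
    The driver binds the values as data, so quotes and comment sequences in the input
    never reach the SQL parser as syntax."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def list_users_sorted(conn, sort_column):
    """Identifiers such as column names cannot be bound as parameters, so an allow list
    of permitted values is the right control here, as the remediation suggests."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not permitted: %r" % sort_column)
    query = "SELECT username FROM users ORDER BY " + sort_column
    return [row[0] for row in conn.execute(query)]


def run_demo():
    """Returns the outcome of each attempt so the behaviour can be checked, not just printed."""
    conn = make_db()
    # Classic tautology and comment-based payloads; constructed for this example.
    tautology = "' OR '1'='1"
    comment_out = "alice'--"
    results = {
        # Vulnerable query becomes: ... WHERE username = 'alice' AND password = '' OR '1'='1'
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        # Vulnerable query becomes: ... WHERE username = 'alice'--' AND password = 'wrong'
        "vuln_comment": login_vulnerable(conn, comment_out, "wrong"),
        # Parameterized form: the same payloads are compared literally and fail
        "param_tautology": login_parameterized(conn, "alice", tautology),
        "param_comment": login_parameterized(conn, comment_out, "wrong"),
        # Legitimate credentials still work with the parameterized form
        "param_valid": login_parameterized(conn, "alice", "correct horse"),
        "sorted": list_users_sorted(conn, "username"),
    }
    try:
        list_users_sorted(conn, "username; DROP TABLE users")
        results["allowlist_blocked"] = False
    except ValueError:
        results["allowlist_blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the block shows both payloads authenticating against the concatenated query and failing against the parameterized one, while the allow list rejects the injected ORDER BY value. The same split applies to any driver: bind values with placeholders, and allow-list anything the driver cannot bind.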