Vulnerability Description
An SQL injection vulnerability occurs when user input is used to construct an SQL query without proper neutralization (sanitization) of the input string. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administrative operations on the database (such as shutting down the DBMS), recover the contents of a given file on the DBMS file system, or in some cases issue commands to the operating system.
Compliance Standard Violations
PCI DSS: PCI DSS 6.5.1 - Injection Flaws
NIST: SI-10: Information Input Validation
OWASP Top 10: A1: Injection
HIPAA: 164.312 (a)(1): Standard: Access control
HITRUST: 10.b - Input Data Validation (Level 1 Implementation)
Remediation Recommendations
Use prepared statements (with parameterized queries).
Correctly filter (escape) the string-literal escape characters in SQL statements, such as the single quote ('), double quote ("), backslash (\) and the NULL byte.
Check that each parameter is a valid representation of its expected type (integer, float or boolean).
Apply correct database permissions to the logon account so that the web application or user cannot access data it does not need.
Vulnerabilities
org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson4.java:63
org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java:58