Open wireghoul opened 5 years ago
👍 on this one - to remove "Limit" as control for injection
Very well said Katy! +1!
👍 for this being removed; it's a bit misleading.
Hi guys, any news on this one?
This `LIMIT` clause issue reached me in a rather curious manner. The OWASP Top 10 is a recurring topic for IT roles in Civil Service Examinations in Brazil. Recently, in one of the major nationwide exams, "Using LIMIT to prevent SQL Injection" was given as the correct answer to one of the questions. The first thing I thought was "Well, there's no way this can be correct"; but then a friend pointed me to the OWASP Top 10 page as the reference used by the examiners. And it's still there in the 2021 version.
Since a simple counterexample can be built with `SELECT * FROM Users WHERE user_id = :user_id LIMIT 1;` as the supposedly "mass disclosure-protected query" and `1 OR 1=1;--` as the attack string, the statement is clearly misleading.
+1
+1
Top 10-2017 A1-Injection says:
This statement is problematic in that if an attacker is able to insert syntax into the SQL statement then they can simply bypass the `LIMIT` clause by injecting a comment, stacking queries, etc. This is due to the `LIMIT` statement occurring last in SQL syntax. While there may be cases where the attacker is limited in syntax and the `LIMIT` statement has some effect, it seems rather pointless to recommend this without also recommending things that will lead to detection. This is primary screen real estate spent on a very ineffective control instead of a better control, or even addressing one of the other attacks that are also listed on the page but have no additional information:
Cheers!