A code injection technique that allows an attacker to make arbritrary calls
to the backend database.
Capabilities and Risk
SQL Injection allows an attacker to access entries in the application database
and in some cases write to the database which can lead to code execution on
the server.
It can lead to partial or complete loss of the database entries and in
the worst case scenario allow an attacker to gain a foothold on the machine.
Detection
Identify where user input being used as data for a database call (i.e. username)
Attempt to inject SQL meta-characters and commands to modify/create a query in order to view the database contents
Remediation
Properly sanatize all database calls using both a whitelist of known good input and blacklist of potentially dangerous meta characters and functions.
/ Title: SQL Injection Description: SQL Injection SQLi database vulnerability /
Summary
A code injection technique that allows an attacker to make arbritrary calls to the backend database.
Capabilities and Risk
SQL Injection allows an attacker to access entries in the application database and in some cases write to the database which can lead to code execution on the server.
It can lead to partial or complete loss of the database entries and in the worst case scenario allow an attacker to gain a foothold on the machine.
Detection
Remediation
Properly sanatize all database calls using both a whitelist of known good input and blacklist of potentially dangerous meta characters and functions.
References