M1170
Mitigation: Use parameterized queries
A parameterized query is a query in which placeholders are used for parameters and the parameter values are supplied at execution time.
Parameterized queries ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. Note that parameterized queries should be implemented on the server side. Every language has its own constructs; please use the references to find the appropriate mechanism for your technology.
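The following is an added example, not part of the original entry, showing the string-concatenation form beside its parameterized replacement against a constructed in-memory SQLite table. The table name, columns, and sample rows are assumptions for illustration; the point is that a value bound through a placeholder is delivered as data and cannot alter the query's structure, whatever characters it contains.

```python
import sqlite3


def build_db():
    # Constructed sample data: an in-memory SQLite database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concatenated(conn, name):
    # Vulnerable form: the user-controlled value becomes part of the SQL text,
    # so a quote character in it changes the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Hardened form: the placeholder is bound at execution time; the value is
    # passed to the engine as data and is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = build_db()
    # Constructed input containing a quote character.
    hostile = "x' OR 'a'='a"
    print(lookup_concatenated(conn, hostile))   # every row: the query's intent changed
    print(lookup_parameterized(conn, hostile))  # []: matched literally as a name, no such user
```

The same placeholder-binding pattern exists in every mainstream driver (for example `?` or `%s` markers with a separate argument tuple); the defect is always the `+` or `%`/f-string concatenation into the SQL string, never the engine.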
M1171
Mitigation: Use stored procedures
A stored procedure is a set of Structured Query Language (SQL) statements with an assigned name, which are stored in a database so that they can be reused and shared by multiple applications.
A stored procedure provides an important layer of security between the user interface and the database. It supports security through data access controls because end users may enter or change data, but do not write procedures. A stored procedure preserves data integrity because information is entered in a consistent manner. Note that a safely implemented stored procedure does not include any unsafe dynamic SQL generation.
M1172
Mitigation: Use allow-list input validation
Input validation is performed to ensure that only properly formed data enters the workflow of an information system, preventing malformed data from persisting in the database and triggering malfunctions in downstream components.
Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the external party. Allow-list validation is appropriate for all input fields provided by the user. Allow-list validation involves defining exactly what IS authorized; by definition, everything else is not authorized.
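As an added example (not part of the original entry), the validator below applies allow-lists at the point where request parameters arrive and rejects anything outside them before any query is built. It goes slightly beyond the entry's text by also covering a case parameterized queries cannot handle: a sort column is an identifier, not a value, so it cannot be bound as a parameter and must be checked against a fixed set of permitted names. The username policy, column set, and table layout are assumptions for illustration.

```python
import re

# Allow-lists: exactly what is authorized; everything else is rejected.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")        # assumed username policy
SORT_COLUMNS = frozenset({"name", "created_at", "email"})  # assumed schema
ORDER_DIRECTIONS = frozenset({"asc", "desc"})


class ValidationError(ValueError):
    """Raised when a parameter falls outside its allow-list."""


def validate_user_query(params):
    """Validate raw request parameters as soon as they are received.

    Returns a new dict holding only validated values. Any field that does
    not match its allow-list raises ValidationError, so nothing malformed
    reaches the query layer or the database.
    """
    username = params.get("username", "")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username not allowed")

    sort = params.get("sort", "name")
    if sort not in SORT_COLUMNS:
        raise ValidationError("sort column not allowed")

    direction = str(params.get("dir", "asc")).lower()
    if direction not in ORDER_DIRECTIONS:
        raise ValidationError("order direction not allowed")

    return {"username": username, "sort": sort, "dir": direction}


def build_query(validated):
    # Identifiers cannot be bound as parameters, so the allow-listed sort
    # column and direction are the only pieces spliced into the SQL text.
    # The username (a value) still travels through a bound parameter.
    sql = (
        "SELECT name, email FROM users WHERE name = ? "
        f"ORDER BY {validated['sort']} {validated['dir'].upper()}"
    )
    return sql, (validated["username"],)


if __name__ == "__main__":
    # Constructed request parameters.
    ok = validate_user_query({"username": "alice", "sort": "email", "dir": "DESC"})
    print(build_query(ok))
    try:
        validate_user_query({"username": "alice", "sort": "password"})
    except ValidationError as exc:
        print("rejected:", exc)
```

Validation and parameter binding are complementary: the allow-list decides which inputs are accepted at all, and the placeholder carries the accepted value safely into the statement.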
M1173
Mitigation: Escape all user-supplied input
This technique should only be used as a last resort, when none of the above are feasible.
Escape user input before putting it in a query. Each DBMS supports one or more character-escaping schemes specific to certain kinds of queries. If you escape all user-supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities.
M1883
Mitigation: Implement a Web Application Firewall
A web application firewall (WAF) is a security control designed to protect web applications from various types of cyber threats, including web-based application-layer attacks such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF).
A WAF acts as a filter between a web application and the incoming requests from clients, such as web browsers or mobile apps. It examines the requests and responses to and from the web application and applies a set of predefined security rules to identify and block malicious requests or traffic.