Skip to end of metadataGo to start of metadata
SQL Injection Prevention Cheat Sheet Introduction Primary Defenses Defense Option 1: Prepared Statements (with Parameterized Queries) Defense Option 2: Stored Procedures Defense Option 3: Allow-list Input Validation Defense Option 4: Escaping All User-Supplied Input Database Specific Escaping Details Oracle Escaping Escaping Dynamic Queries. Use of the Entity Framework is a very effective SQL injection prevention mechanism. Remember that building your own ad hoc queries in Entity Framework is just as susceptible to SQLi as a plain SQL query. When using SQL Server, prefer integrated authentication over SQL authentication.
A1 Injection
- Injection Prevention Cheat Sheet Introduction. This article is focused on providing clear, simple, actionable guidance for preventing the entire category of Injection flaws in your applications. Injection attacks, especially SQL Injection, are unfortunately very common.
- The most famous form of injection is SQL Injection where an attacker can modify existing database queries. For more information see the SQL Injection Prevention Cheat Sheet. But also LDAP, SOAP, XPath and REST based queries can be susceptible to injection attacks allowing for data retrieval or control bypass.
- OWASP SQL Injection Prevention Cheat Sheet OWASP Query Parameterization Cheat Sheet OWASP Command Injection Article OWASP XML eXternal Entity (XXE) Reference Article ASVS: Output Encoding/Escaping Requirements (V6) OWASP Testing Guide: Chapter on SQL Injection Testing External CWE Entry 77 on Command Injection CWE Entry 89 on SQL Injection.
This page was based on OWASP reference materials.
A1.1 SQL Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Primary Defenses:
1.Prepared Statements (with Parameterized Queries)
The following code example uses a PreparedStatement, Java’s implementation of a parameterized query, to execute the same database query.
1.1. Safe Java Prepared Statement ExampleThe following code example uses a PreparedStatement, Java's implementation of a parameterized query, to execute the same database query.
h5. 1.2. Hibernate Query Language (HQL) Prepared Statement (Named Parameters) Examples
First is anunsafe HQL Statement
Here is a safe version of the same query using named parameters:
Defense Option 2: Stored Procedures
Defense Option 3: White List Input Validation
Various parts of SQL queries aren't legal locations for the use of bind variables, such as the names of tables or columns, and the sort order indicator (ASC or DESC). In such situations, input validation or query redesign is the most appropriate defense. For the names of tables or columns, ideally those values come from the code, and not from user parameters. But if user parameter values are used to make different for table names and column names, then the parameter values should be mapped to the legal/expected table or column names to make sure unvalidated user input doesn't end up in the query. Please note, this is a symptom of poor design and a full re-write should be considered if time allows. Here is an example of table name validation.
The tableName can then be directly appended to the SQL query since it is now known to be one of the legal and expected values for a table name in this query. Keep in mind that generic table validation functions can lead to data loss as table names are used in queries where they are not expected.
For something simple like a sort order, it would be best if the user supplied input is converted to a boolean, and then that boolean is used to select the safe value to append to the query. This is a very standard need in dynamic query creation. For example:
Any time user input can be converted to a non-String, like a date, numeric, boolean, enumerated type, etc. before it is appended to a query, or used to select a value to append to the query, this ensures it is safe to do so.
Input validation is also recommended as a secondary defense in ALL cases, even when using bind variables as is discussed later in this article. More techniques on how to implement strong white list input validation is described in the Input Validation Cheat Sheet.
Defense Option 4: Escaping All User Supplied Input
This second technique is to escape user input before putting it in a query. However, this methodology is frail compared to using parameterized queries and we cannot guarantee it will prevent all SQL Injection in all situations. This technique should only be used, with caution, to retrofit legacy code in a cost effective way. Applications built from scratch, or applications requiring low risk tolerance should be built or re-written using parameterized queries.
This technique works like this. Each DBMS supports one or more character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities.
https://www.securecoding.cert.org/confluence/display/java/IDS51-J.+Properly+encode+or+escape+output3.1 Use ESAPI database encoders for:
3.2 Escaping Dynamic Queries: Turn off character replacement
The LIKE keyword allows for text scanning searches. In Oracle, the underscore '_' character matches only one character, while the ampersand '%' is used to match zero or more occurrences of any characters. These characters must be escaped in LIKE clause criteria. For example:
* *SQL Injection Best Practices
Least Privilege
To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. Do not assign DBA or admin type access rights to your application accounts. We understand that this is easy, and everything just ‘works’ when you do it this way, but it is very dangerous. Start from the ground up to determine what access rights your application accounts require, rather than trying to figure out what access rights you need to take away. Make sure that accounts that only need read access are only granted read access to the tables they need access to. If an account only needs access to portions of a table, consider creating a view that limits access to that portion of the data and assigning the account access to the view instead, rather than the underlying table. Rarely, if ever, grant create or delete access to database accounts.
If you adopt a policy where you use stored procedures everywhere, and don’t allow application accounts to directly execute their own queries, then restrict those accounts to only be able to execute the stored procedures they need. Don’t grant them any rights directly to the tables in the database.
SQL injection is not the only threat to your database data. Attackers can simply change the parameter values from one of the legal values they are presented with, to a value that is unauthorized for them, but the application itself might be authorized to access. As such, minimizing the privileges granted to your application will reduce the likelihood of such unauthorized access attempts, even when an attacker is not trying to use SQL injection as part of their exploit.
Owasp Top 10 Cheat Sheet
While you are at it, you should minimize the privileges of the operating system account that the DBMS runs under. Don't run your DBMS as root or system! Most DBMSs run out of the box with a very powerful system account. For example, MySQL runs as system on Windows by default! Change the DBMS's OS account to something more appropriate, with restricted privileges.
Multiple DB Users
The designer of web applications should not only avoid using the same owner/admin account in the web applications to connect to the database. Different DB users could be used for different web applications. In general, each separate web application that requires access to the database could have a designated database user account that the web-app will use to connect to the DB. That way, the designer of the application can have good granularity in the access control, thus reducing the privileges as much as possible. Each DB user will then have select access to what it needs only, and write-access as needed.
As an example, a login page requires read access to the username and password fields of a table, but no write access of any form (no insert, update, or delete). However, the sign-up page certainly requires insert privilege to that table; this restriction can only be enforced if these web apps use different DB users to connect to the database.
Views
SQL views can further increase the granularity of access by limiting the read access to specific fields of a table or joins of tables. It could potentially have additional benefits: for example, suppose that the system is required (perhaps due to some specific legal requirements) to store the passwords of the users, instead of salted-hashed passwords. The designer could use views to compensate for this limitation; revoke all access to the table (from all DB users except the owner/admin) and create a view that outputs the hash of the password field and not the field itself. Any SQL injection attack that succeeds in stealing DB information will be restricted to stealing the hash of the passwords (could even be a keyed hash), since no DB user for any of the web applications has access to the table itself.
Java applications using XML libraries are particularly vulnerable to XXE because the default settings for most Java XML parsers is to have XXE enabled. To use these parsers safely, you have to explicitly disable XXE in the parser you use. The following describes how to disable XXE in the most commonly used XML parsers for Java.
A 1.2 XML External Entity (XXE)
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. The following guide provides concise information to prevent this vulnerability. For more information on XXE, please visit XML External Entity (XXE) Processing.
Owasp Sql Injection Prevention Cheat Sheet Download
A 1.2. Best Practices
The safest way to prevent XXE is always to disable DTDs (External Entities) completely. Depending on the parser, the method should be similar to the following:factory.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true);Disabling DTDs also makes the parser secure against denial of services (DOS) attacks such as Billion Laughs. If it is not possible to disable DTDs completely, then external entities and external doctypes must be disabled in the way that’s specific to each parser.
Detailed XXE Prevention guidance for a number of languages and commonly used XML parsers in those languages is provided below.
JAXP DocumentBuilderFactory and SAXParserFactory
Both DocumentBuilderFactory and SAXParserFactory XML Parsers can be configured using the same techniques to protect them against XXE. Only the DocumentBuilderFactory example is presented here. The JAXP DocumentBuilderFactory setFeature method allows a developer to control which implementation-specific XML processor features are enabled or disabled. The features can either be set on the factory or the underlying XMLReader setFeature method. Each XML processor implementation has its own features that govern how DTDs and external entities are processed.
For a syntax highlighted code snippet for DocumentBuilderFactory, click here.
Owasp Cheat Sheet Series
For a syntax highlighted code snippet for SAXParserFactory, click here.import javax.xml.parsers.DocumentBuilderFactory;
References:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
A 1.3. ORM Mappers
Owasp Sql Injection Attacks
In most cases, using ORM mapper such as Hibernate will protect you from SQL Injection since all database calls are implemented with prepared statements. In Hibernate, avoid code such as:
Use binding syntax instead:
A 1.4. LDAP Injection
Use positive validation to eliminate all but valid username and other dynamic inputs. The following code is vulnerable to LDAP injection:
Learn More:
Videos:
Basic SQL Injection:
Advanced SQL by Joe McCray: