lesnomyweb.blogg.se

How to block attacks

Attackers are constantly probing the Internet at-large and campus web sites for SQL injection vulnerabilities. They use tools that automate the discovery of SQL injection flaws, and attempt to exploit SQL injection primarily for financial gain (e.g. stealing personally identifiable information which is then used for identity theft).

Because so many modern applications are data-driven and accessible via the web, SQL Injection vulnerabilities are widespread and easily exploited. Additionally, because of the prevalence of shared database infrastructure, a SQL Injection flaw in one application can lead to the compromise of other applications sharing the same database instance.

Once exploited, SQL Injection attacks can lead to:

  • Theft, modification, or even destruction of sensitive data such as personally identifiable information and usernames and passwords.
  • Elevation of privileges at the application, database, or even operating system level.
  • Attackers "pivoting" by using a compromised database server to attack other systems on the same network.

How to protect a web site or application from SQL Injection attacks

Developers can prevent SQL Injection vulnerabilities in web applications by utilizing parameterized database queries with bound, typed parameters and careful use of parameterized stored procedures in the database. This can be accomplished in a variety of programming languages including Java. Please consult the following resources for implementing parameterized database queries and preventing SQL Injection in your code base:

  • OWASP SQL Injection Prevention Cheat Sheet
  • OWASP Query Parameterization Cheat Sheet

Additionally, developers, system administrators, and database administrators can take further steps to minimize attacks or the impact of successful attacks:

  • Keep all web application software components including libraries, plug-ins, frameworks, web server software, and database server software up to date with the latest security patches available from vendors.
  • Utilize the principle of least privilege when provisioning accounts used to connect to the SQL database.

For example, if a web site only needs to retrieve web content from a database using SELECT statements, do not give the web site's database connection credentials other privileges such as INSERT, UPDATE, or DELETE privileges. In many cases, these privileges can be managed using appropriate database roles for accounts.
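The two defences this page describes, parameterized queries with bound parameters and a database connection limited to SELECT, are shown together in the following added example, which is not code from the original page. It uses Python's standard-library sqlite3 module; the table, the function names and the sample input are constructed for illustration, and a read-only SQLite connection stands in for a SELECT-only database account.

```python
import os
import sqlite3
import tempfile

def make_db():
    # Constructed sample data: a tiny "pages" table in a throwaway SQLite file.
    path = os.path.join(tempfile.mkdtemp(), "site.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    con.executemany("INSERT INTO pages (owner, body) VALUES (?, ?)",
                    [("alice", "public notes"), ("bob", "draft budget")])
    con.commit()
    con.close()
    return path

def pages_concat(con, owner):
    # Vulnerable form: input is spliced into the SQL text, so it can change the query.
    return con.execute("SELECT body FROM pages WHERE owner = '" + owner + "'").fetchall()

def pages_bound(con, owner):
    # Hardened form: the SQL text is fixed and owner is bound as a value, never parsed as SQL.
    return con.execute("SELECT body FROM pages WHERE owner = ?", (owner,)).fetchall()

def open_select_only(path):
    # Least-privilege stand-in (assumption): SQLite has no GRANT, so open the file read-only.
    return sqlite3.connect("file:" + path + "?mode=ro", uri=True)

def write_is_refused(con):
    # A connection that only needs SELECT should fail on any write attempt.
    try:
        con.execute("DELETE FROM pages")
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    path = make_db()
    con = open_select_only(path)
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote character
    result = {
        "concat_rows": len(pages_concat(con, crafted)),  # filter bypassed: every row
        "bound_rows": len(pages_bound(con, crafted)),    # treated as a literal owner name
        "bound_alice": pages_bound(con, "alice"),
        "write_refused": write_is_refused(con),
    }
    con.close()
    return result

if __name__ == "__main__":
    print(demo())
```

On a server database the same restriction is applied by granting the application's account only SELECT through a role, as the paragraph on database roles describes.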














