{"id":2923,"date":"2024-04-03T14:58:52","date_gmt":"2024-04-03T19:58:52","guid":{"rendered":"https:\/\/www.darkreading.com\/application-security\/tools-and-techniques-to-tame-sql-injection"},"modified":"2024-04-03T14:58:52","modified_gmt":"2024-04-03T19:58:52","slug":"how-to-tame-sql-injection","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/03\/how-to-tame-sql-injection\/","title":{"rendered":"How to Tame SQL injection"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

For more than a decade, injection vulnerabilities have literally topped the charts of critically dangerous software flaws, deemed more serious than all other types of vulnerabilities in the 2010, 2013, and 2017 Top-10 lists maintained by the Open Web Application Security Project.<\/span><\/p>\n

Still, the warnings have failed to weed out the issues. Last year, the Cl0p group stole data from companies using a previously unknown SQL injection vulnerability in MoveIT’s file-transfer application. In late March, the Cybersecurity and Infrastructure Security Agency (CISA) called for companies to redouble their efforts to eliminate the security issue, which application-security experts consider <\/span>one of 13 different ‘unforgivable’ classes of vulnerabilities<\/a><\/span> that programmers should catch during development.<\/span><\/p>\n

“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the agency stated in its March 25 advisory. “Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007.”<\/span><\/p>\n

The root of injection vulnerabilities is a lack of input sanitization, when the application receives variable input, there\u2019s always the risk of that input being tainted, says Randall Degges, head of developer relations at application-security firm Snyk.<\/span><\/p>\n

“Although this has been an issue since programming existed, the reason it\u2019s still in the top-10 vulnerabilities after all this time is because there are an infinite number of ways to use input and often time sanitizing input is tricky,” he says.<\/span><\/p>\n

For software developers looking to nix this particular issue, here’s how.<\/span><\/p>\n

1. Educate Yourself and Others<\/h2>\n

The first step is always education. OWASP has <\/span>a cheat sheet on SQL injection<\/a><\/span>, how to detect the vulnerability, and ways of creating safe code. Some web-application frameworks aim to educate developers while they are programming, using APIs names to make the risk of some functions clear, such as React’s <\/span>‘dangerouslySetInnerHTML’<\/span><\/span> function, says James Kettle, director of research at PortSwigger, an application-security testing firm.<\/span><\/p>\n

In addition, developers should not necessarily trust the makers of open-source software \u2014 especially components that have not been well vetted \u2014 to use safe code, and online tutorials are often unsafe as well, he says.<\/span><\/p>\n

“I think the core issue is that there’s a lot of unsafe APIs, where anyone using the API is vulnerable by default,” Kettle says. “Even when there are more modern secure APIs available, fresh code is written using the unsafe versions thanks to old unsafe examples in StackOverflow .”<\/span><\/p>\n

2. Harden the DevOps Pipeline Using Automated Tools<\/h2>\n

Developers should implement unit tests to check code for SQL injection flaws \u2014 and other common security issues \u2014 during development, add static application security testing both prior to and after commits, and include scans for SQL injection as part of dynamic application security testing.<\/span><\/p>\n

Unit tests can be added using frameworks such as <\/span>tSQLt<\/a><\/span> for testing Microsoft SQL Server, <\/span>pgTAP<\/a><\/span> for testing applications that use PostgreSQL, and <\/span>Pytest and SQLAlchemy<\/a><\/span> for unit testing in Python programs. A variety of <\/span>SQL unit testing best practices<\/a><\/span> should be followed to make the tests more useful, such as isolating the SQL tests from dependencies and descriptive naming of the tests.<\/span><\/p>\n

In addition to automated tests in the development pipeline, developers should make sure to use SQL frameworks, such as SQLAlchemy, because many security improvements are already baked in, says Snyk’s Degges.<\/span><\/p>\n

“Pretty much all modern SQL frameworks and tools provide convenience methods to help with this nowadays, so your best bet is to thoroughly read through the relevant framework documentation to ensure you\u2019re using it correctly when building queries,” he says.<\/span><\/p>\n

3. Play Around with SQLMap<\/h2>\n

The <\/span>open-source program SQLMap<\/a><\/span> is a great tool for penetration testers to experiment with SQL injection, exploit any potential vulnerabilities, and dump a database to prove that the vulnerability can be exploited. The tool can also educate application developers to the true dangers of SQL injection and how vulnerable code can be exploited.<\/span><\/p>\n

However, the tool is not necessarily the best way to scan for potential vulnerabilities, says Portswigger’s Kettle.<\/span><\/p>\n

“In my experience the detection capabilities are slow, heavyweight, and prone to false positives,” Kettle says. “Also, it can’t explore websites to find attack surface, which is one of the biggest challenges for finding these vulnerabilities automatically.”<\/span><\/p>\n

4. Consider a DAST Service<\/h2>\n

Automating SQL injection scanning using Dynamic Application Security Testing (DAST) as part of the quality assurance stage \u2014 and even earlier in the DevOps pipeline, if possible \u2014 can help catch any overlooked vulnerabilities. In addition, DAST scanning is a good way to find SQL injection in legacy code.<\/span><\/p>\n

While web application firewalls (WAFs) can prevent SQL injection attacks from reaching an application, they should only be used as part of a defense-in-depth strategy and not relied upon, says Kettle.<\/span><\/p>\n

“Personally, I’ve seen runtime protection like WAFs bypassed so many times that I don’t have much confidence in them,” he says. “I would recommend a bug bounty program as an effective way to surface undetected vulnerabilities instead, and use WAFs as a last resort for systems that are in such a bad state that known vulnerabilities can’t be patched.”<\/span><\/p>\n

5. Expand Beyond SQL<\/h2>\n

Finally, companies should also look for other types of injection vulnerabilities and make sure their developers recognize risky patterns, as SQL injection is only one class of injection vulnerabilities.<\/span><\/p>\n

OWASP broaden the definition of an injection vulnerability to be any software flaw where user-supplied data is not validated or sanitized by an application and then sent to an interpreter. Cross-site scripting, SQL, operating-systems scripting, and parsing the Lightweight Directory Access Protocol (LDAP) are all areas that can be vulnerable to injection.<\/span><\/p>\n

With the advent of AI models, for instance, prompt injection is the latest form of an injection attack.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

For more than a decade, injection vulnerabilities have literally topped<\/p>\n","protected":false},"author":12,"featured_media":2924,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2923","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=1600%2C900&ssl=1",1600,900,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=1600%2C900&ssl=1",1600,900,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/how-to-tame-sql-injection.jpg?fit=1600%2C900&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2923"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2923\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2924"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}