Details
Alert ID 40018
Alert Type Active
Status release
Risk High
CWE 89
WASC 19
Technologies Targeted Db / Firebird
Db / HypersonicSQL
Db / IBM DB2
Db / MariaDB
Db / Microsoft Access
Db / Microsoft SQL Server
Db / MySQL
Db / Oracle
Db / PostgreSQL
Db / SAP MaxDB
Db / SQLite
Db / Sybase
Tags OWASP_2017_A01
OWASP_2021_A03
POLICY_API
POLICY_DEV_CICD
POLICY_DEV_FULL
POLICY_DEV_STD
POLICY_QA_FULL
POLICY_QA_STD
POLICY_SEQUENCE
WSTG-V42-INPV-05
More Info Scan Rule Help

Summary

SQL injection may be possible.

Solution

Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side. If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?' If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries. If database Stored Procedures can be used, use them. Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality! Do not create dynamic SQL queries using simple string concatenation. Escape all data received from the client. Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input. Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact. Grant the minimum database access that is necessary for the application.

Other Info

References

Code

org/zaproxy/zap/extension/ascanrules/SqlInjectionScanRule.java