
Documented standards for secure product development

A downloadable Security Handbook to document our best practices


1. Injection

Untrusted data is sent as part of a command or query.

What it is

Websites and apps occasionally run commands on the underlying database or operating system to add or delete data, execute a script, or start other apps. If unverified inputs are added to a command string or a database command, attackers can launch commands at will to take control of a server, device, or data.

How it works

If a website, app, or device incorporates a user input within a command, an attacker can insert their own command directly into the corresponding input. If that input is not verified, the interpreter runs the attacker's commands freely.

Why it’s bad

Once attackers gain access to make commands, they can control your website, apps, and data.

Countermeasures

  • Avoid building commands or queries by string interpolation. Use well-known ORMs or APIs to retrieve data.

  • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.

  • Use positive ("allow list") server-side input validation (e.g., allow only some HTML tags in a custom WYSIWYG editor and strip out everything else).

  • For any remaining dynamic queries, escape special characters using the escaping syntax specific to that interpreter. Prefer to avoid dynamic queries altogether and use ORMs instead.

SQL injection (SQLi) example

An attacker uses SQL injection to exploit an unvalidated input on a web form or an HTTP GET request whose query parameters are exposed in the URI, and through that input performs malicious activity against the database.

CODE SNIPPET

String query = "SELECT * FROM accounts WHERE custID=" + request.getParameter("id");

Example A1:

https://www.example.com/app/accountView?id=1

SELECT * FROM accounts WHERE custID ='1'

Example B1:

https://www.example.com/app/accountView?id=1;DROP TABLE USERS

SELECT * FROM accounts WHERE custID ='1';DROP TABLE USERS

Example A1 showcases good tactics.

The URL and query are used to bring back result data for the customer ID '1' (or whatever the user enters in the form on the web page). The result is an account view for customer ID 1.

Example B1 exhibits poor tactics.

The URL query parameter drops a table because the form data and URL query parameters are not validated before being sent to the database. A secondary SQL command, "DROP TABLE USERS", is added by appending a semicolon and the command to the .
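The following is an added example, not code from the handbook, that reproduces the vulnerable concatenation from the snippet above next to a version applying the countermeasures (allow-list validation, a bound parameter instead of string building, and LIMIT). It uses Python's sqlite3 with a constructed in-memory "accounts" and "USERS" schema; the table and column names are assumptions chosen to match the examples.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: an accounts table and the USERS table
    that example B1's injected statement tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE accounts (custID INTEGER, owner TEXT);"
        "INSERT INTO accounts VALUES (1, 'alice'), (2, 'bob');"
        "CREATE TABLE USERS (name TEXT);"
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_query_unsafe(cust_id: str) -> str:
    """Mirrors the handbook's vulnerable snippet: the raw request parameter is
    glued onto the SQL text, so '1;DROP TABLE USERS' becomes a second statement."""
    return "SELECT * FROM accounts WHERE custID=" + cust_id


def run_unsafe(conn: sqlite3.Connection, cust_id: str) -> None:
    # executescript runs every statement in the string, which is exactly the
    # behaviour example B1 describes: the SELECT runs, then the DROP TABLE.
    conn.executescript(build_query_unsafe(cust_id))


# Allow list (countermeasure 3): a customer ID is a plain positive integer, nothing else.
ID_PATTERN = re.compile(r"[0-9]{1,18}")


def is_valid_cust_id(cust_id: str) -> bool:
    return ID_PATTERN.fullmatch(cust_id) is not None


def account_view_safe(conn: sqlite3.Connection, cust_id: str):
    """Hardened account view: validate first, then bind the value as a
    parameter (countermeasure 1) and cap the result set (countermeasure 2)."""
    if not is_valid_cust_id(cust_id):
        raise ValueError("custID must be a positive integer")
    cur = conn.execute(
        "SELECT custID, owner FROM accounts WHERE custID = ? LIMIT 1", (int(cust_id),)
    )
    return cur.fetchone()
```

Running `run_unsafe(conn, "1;DROP TABLE USERS")` removes the USERS table, while `account_view_safe` rejects the same input before it ever reaches the database.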
