CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Causes

• In 2008, a large number of web servers were compromised using the same SQL injection attack string. This single string worked against many different programs. The SQL injection was then used to modify the web sites to serve malicious code.
• The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user. The query that this code intends to execute follows:,However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string:,for itemName, then the query becomes the following:,The addition of the:,condition causes the WHERE clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:,This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.
• This example examines the effects of a different malicious value passed to the query constructed and executed in the previous example. If an attacker with the user name wiley enters the string:,for itemName, then the query becomes the following two queries:,Many database servers, including Microsoft(R) SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error on Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, on databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database.,Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. On a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in the previous example.,If an attacker enters the string,Then the following three valid statements will be created:,One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from an allowlist of safe values or identify and escape a denylist of potentially malicious values. Allowlists can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, denylisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:,[object Object],Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks.,Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they do not protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.,Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.
• MS SQL has a built in function that enables shell command execution. An SQL injection in such a context could be disastrous. For example, a query of the form: Where $user_input is taken from an untrusted source.,If the user provides the string:,The query will take the following form:,Now, this query can be broken down into:,[object Object],As can be seen, the malicious input changes the semantics of the query into a query, a shell command execution and a comment.
• This code intends to print a message summary given the message ID. The programmer may have skipped any input validation on $id under the assumption that attackers cannot modify the cookie. However, this is easy to do with custom client code or even in the web browser.,While $id is wrapped in single quotes in the call to mysql_query(), an attacker could simply change the incoming mid cookie to:,This would produce the resulting query:,Not only will this retrieve message number 1432, it will retrieve all other messages.,In this case, the programmer could apply a simple modification to the code to eliminate the SQL injection:,However, if this code is intended to support multiple users with different message boxes, the code might also need an access control check (CWE-285) to ensure that the application user has the permission to see that message.
• This example attempts to take a last name provided by a user and enter it into a database. While the programmer applies an allowlist to the user input, it has shortcomings. First of all, the user is still allowed to provide hyphens, which are used as comment structures in SQL. If a user specifies "--" then the remainder of the statement will be treated as a comment, which may bypass security logic. Furthermore, the allowlist permits the apostrophe, which is also a data / command separator in SQL. If a user supplies a name with an apostrophe, they may be able to alter the structure of the whole statement and even change control flow of the program, possibly accessing or modifying confidential information. In this situation, both the hyphen and apostrophe are legitimate characters for a last name and permitting them is required. Instead, a programmer may want to use a prepared statement or apply an encoding routine to the input to prevent any data / directive misinterpretations.

Remediation

• Architecture and Design: [object Object]
• Architecture and Design,Operation: [object Object]
• Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
• Implementation: [object Object]
• Architecture and Design: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
• Operation: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481.
• Operation,Implementation: When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Detection

• Automated Static Analysis: [object Object]
• Automated Dynamic Analysis: This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
• Manual Analysis: Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
• Automated Static Analysis - Binary or Bytecode: [object Object]
• Dynamic Analysis with Automated Results Interpretation: [object Object]
• Dynamic Analysis with Manual Results Interpretation: [object Object]
• Manual Static Analysis - Source Code: [object Object]
• Automated Static Analysis - Source Code: [object Object]

Related CWEs

• CWE-456: Missing Initialization of a Variable
• CWE-564: SQL Injection: Hibernate
• CWE-564: SQL Injection: Hibernate
• CWE-564: SQL Injection: Hibernate
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-943: Improper Neutralization of Special Elements in Data Query Logic

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.