Security Test: SQL Injection¶

Description¶

Default Severity:

SQL injection happens when an application builds SQL queries using untrusted user input without proper checks, letting attackers sneak in their own commands. This flaw can let criminals read or change your data, shut down the database, or even gain control over your system. It usually occurs when developers put user input directly into queries without using safer methods like parameterized queries, leaving the door open for malicious manipulation. Ignoring proper input handling can lead to severe data breaches and system compromises, so it's crucial to always validate, sanitize, or use prepared queries for any user-supplied data.

Reference:

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Configuration¶

Identifier: injection/sql

Examples¶

All configuration available:

checks:
  injection/sql:
    skip: false # default
    options:
      skip_objects: # cf. Options below

Options¶

Options can be set in the options key of the Security Test Configuration.

Property	Type	Default	Description
`skip_objects`	`List[string]`		List of object that are to be skipped by the security test.

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API9:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.1`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-7`
CWE	`89`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C`
CVSS Score	`8.7`