Injection: SQL Injection
Identifier: sql
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
SQL injection vulnerabilities occur when applications build SQL queries using untrusted user input without proper validation, allowing attackers to inject malicious SQL commands that can read or modify data, shut down the database, or gain system control.
How we test: We inject SQL payloads into request parameters and analyze the responses to detect whether the injected SQL is executed. We test for various SQL injection techniques, including union-based, error-based, blind, and time-based attacks, and check whether user input is properly sanitized before being used in database queries.
Execution conditions (BLST):
- Runs when this test is enabled and the request includes at least one argument.
- Active SQL fuzzing runs only when baseline coverage is OK, EMPTY_RESPONSE, or VALIDATION_ERROR, and the baseline is not a 50x exchange.
- Otherwise, the check performs passive SQL error-leakage detection on the current response.
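The three execution conditions above, together with a minimal passive error-leakage check, as an added example (not the scanner's own code). The function names, the signature list and the literal reading of "50x" as status 500-509 are assumptions made for illustration; the sample responses are constructed.

```python
import re

# Baseline coverage values named on this page that allow active fuzzing.
ACTIVE_OK = {"OK", "EMPTY_RESPONSE", "VALIDATION_ERROR"}

# Assumed signature set (not the scanner's): well-known DBMS error fragments.
SQL_ERROR_SIGNATURES = {
    "mysql": re.compile(r"You have an error in your SQL syntax", re.I),
    "postgresql": re.compile(
        r"unterminated quoted string at or near|syntax error at or near", re.I),
    "mssql": re.compile(r"Unclosed quotation mark after the character string", re.I),
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "sqlite": re.compile(r"sqlite3\.OperationalError|SQLITE_ERROR", re.I),
}


def choose_mode(enabled, arg_count, baseline_coverage, baseline_status):
    """Return 'skipped', 'active' or 'passive' per the conditions listed above."""
    if not enabled or arg_count < 1:
        return "skipped"
    is_50x = baseline_status // 10 == 50  # "50x" read literally (assumption)
    if baseline_coverage in ACTIVE_OK and not is_50x:
        return "active"
    return "passive"


def find_sql_error_leaks(body):
    """Passive check: (dbms, matched text) for each signature found in a body."""
    leaks = []
    for dbms, pattern in SQL_ERROR_SIGNATURES.items():
        match = pattern.search(body)
        if match:
            leaks.append((dbms, match.group(0)))
    return leaks


# Constructed sample responses (not captured from a real system).
SAMPLE_LEAKY = ('{"errors":[{"message":"You have an error in your SQL syntax; '
                'check the manual that corresponds to your MySQL server version"}]}')
SAMPLE_CLEAN = '{"errors":[{"message":"Internal server error"}]}'

if __name__ == "__main__":
    print(choose_mode(True, 2, "OK", 200))
    print(choose_mode(True, 2, "OK", 502))
    print(find_sql_error_leaks(SAMPLE_LEAKY))
    print(find_sql_error_leaks(SAMPLE_CLEAN))
```

A response that matches any signature means raw database errors are reaching the client; returning a generic error message and logging the detail server-side removes the leak.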
Configuration
Example
Example configuration:
Reference
dedupe_query_params_by_name
Type : boolean
When true, deduplicate fuzzing by parameter name across URLs. The same query param will be fuzzed only once across all URLs.
skip
Type : boolean
Skip the test if true.