Title

The API must use parameterized queries. (Cat II impact)

Discussion

A common vulnerability of applications is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state. The behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.

Check Content

Review the API's source code or backend database interaction layer. Identify all database queries constructed using user-supplied input. Verify that parameterized queries (also known as prepared statements) are used instead of dynamically constructed SQL strings with input concatenation. Confirm that query parameters are bound using the appropriate method for the language or database framework (e.g., ?, named parameters, or bind variables). If any queries use string concatenation or interpolation of user input without parameterization, this is a finding.

Fix Text

Follow best practice when accepting user input and verify all input is validated before the API processes the input. Remediate identified vulnerabilities and obtain documented risk acceptance for those issues that cannot be remediated immediately.

Additional Identifiers

Rule ID: SV-274714r1143751_rule

Vulnerability ID: V-274714

Group Title: SRG-APP-000447

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.