Check: APSC-DV-002540
Application Security and Development STIG:
APSC-DV-002540
(in versions v5 r3 through v4 r2)
Title
The application must not be vulnerable to SQL Injection. (Cat I impact)
Discussion
SQL Injection is a code injection attack against database applications. Malicious SQL statements are inserted into an application data entry field where they are submitted to the database and executed. This is a direct result of not validating input that is used by the application to perform a command or execute an action. Successful attacks can read data, write data, execute administrative functions within the database, shut down the DBMS, and in some cases execute OS commands.

Best practices to reduce the potential for SQL Injection vulnerabilities include:
- Not using concatenation or replacement to build SQL queries.
- Using prepared statements with parameterized queries that have been tested and validated not to be vulnerable to SQL Injection.
- Using stored procedures that have been tested and validated not to be vulnerable to SQL Injection.
- Escaping all user-supplied input.

Additional steps to prevent SQL Injection can be found at the OWASP website: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
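The following is an added example, not part of the STIG text, showing why the first two best practices above matter: the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table. With a normal username both return the same row; with input that contains SQL syntax, the concatenated version lets that input change the WHERE clause, while the parameterized version binds it as a plain value and matches nothing. Table, column and function names are illustrative assumptions.

```python
import sqlite3

# Constructed sample data, not taken from any real system.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_concat(conn: sqlite3.Connection, username: str) -> list[str]:
    """VULNERABLE (the 'before' case): the statement is built by concatenation,
    so the input becomes part of the SQL grammar instead of staying a data value."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_param(conn: sqlite3.Connection, username: str) -> list[str]:
    """FIXED: parameterized query. The driver binds the value separately from
    the statement text, so the input can only ever be compared as a literal."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# The textbook tautology input, used here only to show the behavioural difference.
TAUTOLOGY = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a benign and a hostile input; return the results."""
    conn = make_db()
    return {
        "normal_concat": lookup_email_concat(conn, "alice"),
        "normal_param": lookup_email_param(conn, "alice"),
        "injected_concat": lookup_email_concat(conn, TAUTOLOGY),  # every row leaks
        "injected_param": lookup_email_param(conn, TAUTOLOGY),    # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same contrast is what a scanner or manual test under Check Content is looking for: input that alters the result set in the concatenated form has no effect in the parameterized one.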
Check Content
Review the application documentation and interview the application administrator. Request the latest vulnerability scan test results. Verify the scan configuration is configured to test for SQL injection flaws. Review the scan results to determine if any SQL injection flaws were detected during application testing. If SQL injection flaws were discovered, request a subsequent scan that will show that the issues have been remediated.

If the scan results are not available, identify the database product in use and refer to the OWASP web application testing guide for detailed instructions on performing a manual SQL injection test. The instructions are located here and many tests are organized by database product: https://www.owasp.org/index.php/Testing_for_SQL_Injection_%28OTG-INPVAL-005%29

If the application is vulnerable to SQL injection attack, contains SQL injection flaws, or if scan results do not exist, this is a finding.
Fix Text
Modify the application and remove SQL injection vulnerabilities.
Additional Identifiers
Rule ID: SV-222607r879652_rule
Vulnerability ID: V-222607
Group Title: SRG-APP-000251
Expert Comments
CCIs
Number | Definition
---|---
CCI-001310 | The information system checks the validity of organization-defined inputs.
Controls
Number | Title
---|---
SI-10 | Information Input Validation