Second Order SQL Injection Explanation and Remedy
Netsparker identified a possible second order SQL injection, which occurs when data input is stored and then used in a different SQL query without correct filtering or without using parameterized queries.
Even though Netsparker believes there is a second order SQL injection here, it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure it is an SQL injection and that it needs to be addressed.
Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following types of attacks successfully:
- Reading, updating and deleting arbitrary data/tables from the database
- Executing commands on the underlying operating system
Actions to Take
- See the remedy for the solution.
- If you are not using a database access layer (DAL) within the architecture, consider its benefits and implement one if appropriate. As a minimum, the use of a DAL will help centralize the issue and its resolution. You can also use ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL injection based problems.
- Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
- Monitor and review web logs and application logs in order to uncover active or previous exploitation attempts.
A very robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
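The second order pattern described above, as an added example that is not Netsparker's own code: a value is stored safely on one request, then read back and concatenated into a different query on a later request, shown beside the parameterized form of that second query. The table names, function names and sample values are assumptions constructed for illustration, using Python's built-in sqlite3 module.

```python
import sqlite3

def setup():
    db = sqlite3.connect(":memory:")  # constructed in-memory schema
    db.executescript("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
                     "CREATE TABLE notes (owner TEXT, body TEXT);")
    return db

def register(db, name):
    # First request: the INSERT is parameterized, so nothing breaks here.
    # The value is stored verbatim, quote characters included.
    return db.execute("INSERT INTO users (name) VALUES (?)", (name,)).lastrowid

def add_note(db, owner, body):
    db.execute("INSERT INTO notes (owner, body) VALUES (?, ?)", (owner, body))

def stored_name(db, user_id):
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def notes_vulnerable(db, user_id):
    # Second request: the stored value is treated as trusted because it came
    # from the database, and is concatenated into a different query.
    sql = "SELECT body FROM notes WHERE owner = '" + stored_name(db, user_id) + "'"
    return [r[0] for r in db.execute(sql)]

def notes_fixed(db, user_id):
    # Remedy: bind the stored value as a parameter in the second query too.
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [r[0] for r in db.execute(sql, (stored_name(db, user_id),))]

def demo():
    db = setup()
    register(db, "alice")
    crafted = "bob' OR '1'='1"  # constructed sample input
    crafted_id = register(db, crafted)
    add_note(db, "alice", "alice-private")
    add_note(db, crafted, "bob-note")
    # The vulnerable query returns every user's notes; the fixed one
    # returns only the rows owned by the stored name.
    return notes_vulnerable(db, crafted_id), notes_fixed(db, crafted_id)

if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated:", leaked)
    print("parameterized:", safe)
```

When reviewing code for this issue, trace values read from the database into later queries, not only values taken directly from the request.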
Required Skills for Successful Exploitation
There are numerous freely available tools to test for SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.