CAPEC-66: SQL Injection

Description

This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input.

Extended Description

When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to interact directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database.

Severity :

High

Possibility :

High

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-7: Blind SQL Injection Blind SQL Injection CAPEC-108: Command Line Execution through SQL Injection Command Line Execution through SQL Injection CAPEC-109: Object Relational Mapping Injection Object Relational Mapping Injection CAPEC-110: SQL Injection through SOAP Parameter Tampering SQL Injection through SOAP Parameter Tampering CAPEC-248: Command Injection Command Injection CAPEC-470: Expanding Control over the Operating System from the Database Expanding Control over the Operating System from the Database

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

SQL queries used by the application to store, retrieve or modify data.
User-controllable input that is not properly validated by the application as part of SQL queries.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

WASC | SQL Injection OWASP Attacks | SQL Injection

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-1286: Improper Validation of Syntactic Correctness of Input

Visit http://capec.mitre.org/ for more details.