Applying protection for SQL Injection attack -general query

I have a general query on applying protection for SQL injection attacks in API proxy design. Please throw some light on this.

As per the sample video in http://docs.apigee.com/api-services/reference/regular-expression-protection, the SQL injection is protected for the query parameter "query=select".

So, as the SQL injection attack prevention policy is for backend systems which use a database (correct me if I am wrong), query=select is appropriate as this one seems to be generating some SQL statement and "query" is an action/verb.

But in a requirement where a query parameter is like /fruit?name=orange:

If I fit in /fruit?name=delete, it does not seem appropriate for generating an SQL statement. So, can this kind of API also be impacted by a SQL injection attack?

Solved
1 ACCEPTED SOLUTION

OK, let's start with: what is a SQL injection attack?

It is a technique in which an attacker presents a 'malicious SQL query' to an application's input parameter.

This becomes an attack/problem when the application does not screen the input for validity and directly uses it in a query to the DB.

For example, let's say you have an API

/fruit?name=<fruitname>

and your application logic to execute the query is this

"select * from fruits where fruitname =" + queryparam.name + ";"

Now an attacker may try to pass the query parameter

/fruit?name=mango;drop table fruits

so, when your application constructs its query, it becomes

select * from fruits where fruitname = mango;drop table fruits;

then your app becomes a victim of a SQL injection attack

so filter and sanitize any parameters that will be used as input for your query

This can be easily accomplished by looking for some regex patterns, as explained in the doc and video here.

To answer your question -

If you have any parameter [query or header or path or a variable in your payload] that you think might be used as input to construct a SQL query, there is a chance that you might be impacted by a SQL injection attack; it's better to sanitize that parameter at the API layer.

Again, just for completeness, this is just a solution to handle it at the API layer; there are other solutions that help prevent this attack at various levels/tiers: UI, app or DB.

Thanks,

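Worked example added here (not code from the original post or from Apigee): it puts the answer's string-concatenated query beside a parameterised one, and adds a blocklist regex in the spirit of the Regular Expression Protection policy the answer refers to. It assumes an in-memory sqlite3 database with constructed rows, and the regex pattern is constructed for illustration, not copied from the Apigee docs. It also covers the questioner's /fruit?name=delete case: bound as a parameter the value is harmless data, while a keyword blocklist at the API layer rejects it as a false positive.

```python
import re
import sqlite3

# Constructed sample rows (not from the original post). "delete" is a legitimate
# value that happens to be an SQL keyword, to show the screening caveat.
FRUITS = [("mango", 1.2), ("orange", 0.8), ("delete", 2.5)]

# Blocklist in the spirit of the Regular Expression Protection policy the
# answer points to; this pattern is constructed here, not copied from the docs.
SQLI_PATTERN = re.compile(
    r"(?i)(\bdelete\b|\bdrop\s+table\b|\binsert\b|\bupdate\b|\bexec\b|;|--)"
)


def looks_like_sqli(value: str) -> bool:
    """API-layer screen: True when the parameter matches the blocklist."""
    return SQLI_PATTERN.search(value) is not None


def build_query_unsafe(name: str) -> str:
    """The concatenation from the answer: the value is spliced into the SQL
    text, so a ';' inside it ends the statement and starts a new one."""
    return "select * from fruits where fruitname = " + name + ";"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fruits (fruitname TEXT, price REAL)")
    conn.executemany("INSERT INTO fruits VALUES (?, ?)", FRUITS)
    return conn


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver binds name as data, never as SQL."""
    cur = conn.execute("SELECT fruitname, price FROM fruits WHERE fruitname = ?", (name,))
    return cur.fetchall()


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    cur = conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name=?", (table,))
    return cur.fetchone() is not None


if __name__ == "__main__":
    payload = "mango;drop table fruits"
    print(build_query_unsafe(payload))    # two statements, as in the answer
    conn = fresh_db()
    print(lookup_safe(conn, payload))     # []: payload is matched as a literal name
    print(table_exists(conn, "fruits"))   # True: nothing was dropped
    print(lookup_safe(conn, "delete"))    # [('delete', 2.5)]: keyword is just data
    print(looks_like_sqli("delete"))      # True: the regex screen would reject it
```

The regex screen is defence in depth at the proxy; the parameterised query is what actually removes the injection, and it is the only one of the two that still serves a legitimate value like "delete".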

2 REPLIES 2

Thanks for the clear explanation. This helps.