CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')


SQL injection is very widespread on the Internet. It is also a very well-documented attack, and tools that automate it are easy to find, so an attacker does not need to understand exactly how it works.

An SQL injection consists of sending crafted input (for example through form fields) that the application splices into an SQL query, so that the input changes the structure of the query rather than being treated as a plain value. Attackers use it to bypass authentication, append further queries to steal data, erase data from the database, and so on.
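The following is an added example, not part of the CWE entry, showing why string concatenation lets input alter query structure and why bound parameters preserve it. It uses Python's built-in sqlite3 with a constructed in-memory users table; the user names and passwords are sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data; the second user has a legitimate apostrophe.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.execute("INSERT INTO users VALUES ('o''brien', 'battery-staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    # Input is pasted into the SQL text, so a quote character in `name` or
    # `pw` becomes part of the query grammar instead of staying a value.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, pw):
    # Placeholders fix the query structure at write time; the driver sends
    # the values separately, so they are never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


def try_login(fn, conn, name, pw):
    # Returns True/False for the login result, or "error" when the input
    # broke the query itself (the symptom of lost query structure).
    try:
        return fn(conn, name, pw)
    except sqlite3.Error:
        return "error"


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"  # classic structure-altering input
    return {
        "vuln_good": try_login(login_vulnerable, conn, "alice", "correct-horse"),
        "vuln_tautology": try_login(login_vulnerable, conn, "alice", tautology),
        "vuln_apostrophe": try_login(login_vulnerable, conn, "o'brien", "battery-staple"),
        "safe_good": try_login(login_safe, conn, "alice", "correct-horse"),
        "safe_tautology": try_login(login_safe, conn, "alice", tautology),
        "safe_apostrophe": try_login(login_safe, conn, "o'brien", "battery-staple"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the concatenated version not only accepts the tautology with a wrong password but also rejects a legitimate user whose name contains an apostrophe, which is why escaping by hand is a poor substitute for parameterized queries.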


Risk measurement

Weakness Prevalence: High
Remediation Cost: Low
Attack Frequency: Often
Consequences: Data loss, Security bypass
Ease of Detection: Easy
Attacker Awareness: High