Authentication not detected on route with SQL injection vulnerability

Docs > Plateforme de sécurité Datadog > OOTB Rules > Authentication not detected on route with SQL injection vulnerability

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

No authentication was detected for an API that performs SQL queries using user controlled parameters.

An SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application.

In case the API does not sanitize parameters correctly, attackers might interact with the database and steal information.

Rationale

This finding works by identifying an API for which Datadog detected no authentication mechanism and that contains code vulnerabilities permitting full or partial control of database query parameters.

Remediation

Use of SQL prepared statements
Avoid generating SQL queries using user parameters without sanitization
Implement authentication to prevent non-intended users interaction with the database
To improve authentication detection, you can configure custom authentication detection via the Endpoint Tagging Rules settings.