Authentication not detected on route with SQL injection vulnerability
Description
No authentication was detected for an API endpoint that performs SQL queries built from user-controlled parameters.
An SQL injection attack consists of inserting, or "injecting", SQL syntax through the input data a client sends to the application, so that the input changes the structure of the query rather than only its values.
If the API does not bind or sanitize its parameters correctly, attackers can interact with the database directly and read, modify, or exfiltrate data. Because no authentication was detected on the endpoint, this can be done by anyone who can reach it, not only by authenticated users.
Rationale
This finding is raised when Datadog identifies an API endpoint for which it detected no authentication mechanism, and whose code contains vulnerabilities that give the caller full or partial control over database query parameters. The two conditions together are what make the finding high impact: the injection provides the database access, and the missing authentication removes the only barrier in front of it.
Remediation
- Use SQL prepared statements (parameterized queries) so that user input is always bound as a value and can never alter the query structure.
- Avoid building SQL queries by concatenating or formatting user parameters into the query string without sanitization.
- Implement authentication on the endpoint to prevent unintended users from interacting with the database.
- To improve authentication detection, you can configure custom authentication detection via the Endpoint Tagging Rules settings.
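The following is an added example, not code from the original page or from Datadog, showing the two halves of this finding side by side: a query built by string formatting (the vulnerable pattern), the same lookup with a bound parameter (the hardened pattern), and a hypothetical authentication gate in front of the endpoint. The in-memory SQLite database, the sample rows, the bearer tokens and the injection payload are all constructed for the demonstration; the authentication check stands in for whatever middleware your framework provides and is not a recommendation of any specific scheme.

```python
import sqlite3

# Constructed sample data: three users in an in-memory SQLite database.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "admin"),
    ("bob", "bob@example.com", "user"),
    ("carol", "carol@example.com", "user"),
]

# Constructed injection payload: closes the string literal, then appends a
# tautology so the WHERE clause matches every row.
INJECTION_PAYLOAD = "' OR '1'='1"

# Constructed credential store for the hypothetical authentication gate.
VALID_BEARER_TOKENS = {"tok-alice": "alice"}


def setup_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: the parameter is formatted into the SQL text, so a
    crafted value changes the query's structure instead of only its value."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a prepared statement with a bound parameter. The driver
    sends the value separately from the SQL text, so quotes and keywords in
    the input are compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


class Unauthenticated(Exception):
    """Raised when a request carries no valid credential."""


def handle_request(conn, headers, username):
    """Hypothetical endpoint handler: reject unauthenticated callers before any
    database access, then run only the parameterized lookup."""
    auth = headers.get("Authorization", "")
    prefix = "Bearer "
    token = auth[len(prefix):].strip() if auth.startswith(prefix) else ""
    if token not in VALID_BEARER_TOKENS:
        raise Unauthenticated("missing or invalid credentials")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, injected   :", lookup_vulnerable(db, INJECTION_PAYLOAD))
    print("safe, injected         :", lookup_safe(db, INJECTION_PAYLOAD))
    try:
        handle_request(db, {}, "alice")
    except Unauthenticated as exc:
        print("no credentials         :", exc)
    print("authenticated          :",
          handle_request(db, {"Authorization": "Bearer tok-alice"}, "alice"))
```

Running the block shows the vulnerable lookup returning every row for the injected input, while the parameterized lookup returns nothing for the same input because the whole payload is compared against the `username` column as a plain string. The authentication gate does not fix the injection on its own; it only limits who can attempt it, which is why both remediation items above apply together.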