Unauthenticated route with SQL injection vulnerability


Description

Unauthenticated users have access to an API that performs SQL queries using user-controlled parameters.

An SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application.

If the API does not sanitize its parameters correctly, attackers may interact directly with the database and steal information.

Rationale

This finding is raised when an API is identified that lacks an authentication mechanism and contains code vulnerabilities permitting full or partial control of database query parameters.

Remediation

  • Use SQL prepared statements
  • Avoid building SQL queries from user parameters without sanitization
  • Implement authentication to prevent unintended users from interacting with the database