Use parameterized queries
Summary
The system must use parameterized queries or stored procedures to create dynamic sentences (e.g., java.sql.PreparedStatement).
Description
empty
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-7. Blind SQL injection
- CAPEC™-248. Command injection
- CWE™-89. Improper neutralization of special elements used in an SQL command ("SQL injection")
- CWE™-130. Buffer copy without checking size of input ("classic buffer overflow")
- CWE™-598. Use of GET request method with sensitive query strings
- OWASP TOP 10-A3. Injection
- Agile Alliance-9. Continuous attention to technical excellence and good design
- BIZEC-APP-APP-02. OS command injection
- BIZEC-APP-APP-06. Direct database modifications
- BIZEC-APP-APP-08. Open SQL injection
- CERT-J-IDS00-J. Prevent SQL injection
- MITRE ATT&CK®-M1013. Application developer guidance
- PA-DSS-5_2_1. Injection flaws, particularly SQL injection
- SANS 25-3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- WASSEC-5_5. Extraction of dynamic content
- WASSEC-6_2_4_4. Command execution - SQL injection
- WASC-A_19. SQL injection
- WASC-W_20. Improper input handling
- ISSAF-T_6_6. Web application assessment - Identifying web server vendor and version (by error)
- ISSAF-T_17. Web application assessment - Test SQL injection
- ISSAF-U_15. Web application SQL injections – Countermeasures
- PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
- PTES-7_4_2_3. Post exploitation - Pillaging (database servers)
- OWASP SCP-11. Database security
- CWE TOP 25-89. Improper neutralization of special elements used in an SQL command (SQL injection)
- OWASP ASVS-5_3_4. Output encoding and injection prevention
- PCI DSS-6_2_4. Software engineering techniques to prevent or mitigate common software attacks
- OWASP ASVS-5_3_5. Output encoding and injection prevention
- OWASP API Security Top 10-API8. Injection
- CASA-5_3_4. Output Encoding and Injection Prevention
Vulnerabilities
- 001. SQL injection - C Sharp SQL API
- 012. SQL injection - Java Persistence API
- 105. Apache lucene query injection
- 106. NoSQL injection
- 112. SQL injection - Java SQL API
- 146. SQL injection
- 154. Time-based SQL Injection
- 155. SQL Injection - Headers
- 297. SQL injection - Code
- 438. Error-based SQL Injection
free trial
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.