SQL Injection Analyzer
Configuration Name: SqlInjection
Description
SQL Injection analyzer detects injection attack vulnerabilities in an API by issuing requests that contain SQL attack vectors. An application is vulnerable to injection attacks if it does not properly validate, filter, or sanitize input strings in a request. This can be exploited by an attacker by sending attack vectors in a request. OWASP classifies Injection as #8 in its API Security Top 10 (API8:2019).
Faults Reported
| Fault Identifier | Title | Summary | Solution | Severity |
|---|---|---|---|---|
| CWE-20 | Improper Input Validation | The application either does not validate input data or incorrectly validates that the input may be processed safely and correctly. | Application should sanitize inputs and respond with a client error for invalid input data. | medium |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | The application does not properly validate or sanitize input data that is used in an database query. | The application should sanitize inputs and respond with a client error for invalid input data. | medium |