Vulnerability Details

Severity: Critical

Category: Web Application

Description

The application is vulnerable to SQL injection attacks. User-supplied input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to manipulate database queries.

Risks

An attacker could bypass authentication, extract sensitive data from the database, modify or delete data, and potentially gain complete control over the database server.

Remediation

Use parameterized queries or prepared statements for all database operations. Implement input validation using allowlists. Apply the principle of least privilege to database accounts. Consider using an ORM that handles parameterization automatically.
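Illustration of the remediation above, written here as an added example rather than code taken from the affected application: a lookup built by string concatenation beside the same lookup using a bound parameter, with an allowlist check layered on top. The in-memory SQLite database, the table layout, the sample rows and the username pattern are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data; the schema and rows are assumptions for this example.
SAMPLE_USERS = [
    ("alice", "hash-placeholder-1"),
    ("bob", "hash-placeholder-2"),
]

# Allowlist for usernames (assumed policy): lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: user input is spliced into the SQL text, so the
    input can change the query's structure, not just its values."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """Remediated pattern: the query text is fixed and the value is bound
    separately, so the driver treats it purely as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def is_allowed_username(username):
    """Allowlist validation: reject anything outside the expected shape."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    """Defence in depth: allowlist first, then the parameterized query."""
    if not is_allowed_username(username):
        raise ValueError("username rejected by allowlist")
    return lookup_parameterized(conn, username)


def compare(username):
    """Run the same input through both versions; returns
    (vulnerable_result, parameterized_result, allowed_by_allowlist)."""
    conn = build_db()
    return (
        lookup_vulnerable(conn, username),
        lookup_parameterized(conn, username),
        is_allowed_username(username),
    )


if __name__ == "__main__":
    for candidate in ("alice", "' OR '1'='1"):
        print(repr(candidate), "->", compare(candidate))
```

The parameterized version returns no rows for the tautology input because the whole string is compared against the `username` column as a single value, which is exactly the property the prepared statement guarantees. The allowlist is a second layer, not a substitute: it cannot express every legitimate value in every application, so parameterization remains the primary control. Least privilege is enforced at the database account level (a login that can only `SELECT` from the tables it needs) and is not visible in this single-process SQLite example. An ORM helps only as long as queries go through its parameterized API; any raw SQL string built from user input inside an ORM-based code base has the same defect shown in `lookup_vulnerable`.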