Published Dec 20, 2021

PagerDuty's Security Training for Engineers

    The episode covers PagerDuty's approach to security training for engineers: responsible disclosure, adopting modern frameworks, and data-protection techniques such as parameterized queries, hashing, and key stretching, with SQL injection as the running example of a persistent threat.
    Episode Highlights

    • SQL Injection

      SQL injection remains a significant concern in software security, despite advancements in frameworks and libraries. Michael Outlaw highlights that while SQL injection has moved from the top spot to third in OWASP's list of vulnerabilities, it still poses a threat due to its simplicity and potential damage [1]. Joe Zack warns against manually crafting SQL queries, as it increases the risk of introducing vulnerabilities, especially for less experienced developers [2].

      Even if you do everything right, because you're already in this anti-pattern of how to interact with the database, the next person might not be as educated.

      --- Joe Zack

      Prepared statements and parameterized queries are recommended to mitigate these risks, ensuring that user inputs do not directly modify SQL queries.


      Injection Techniques

      Injection attacks have evolved with techniques like blind injection and time-based approaches, making them harder to detect. Alan Underwood explains that blind injection involves scripts that throw errors based on database responses, while time-based attacks spread out queries to avoid detection [3]. These methods allow hackers to patiently extract information over extended periods.

      Hackers can be patient, right. Because if they are, the payoff in the end could be absolutely gargantuan.

      --- Alan Underwood

      To combat these threats, developers should avoid using raw inputs to modify queries and instead rely on parameterization and lookup values [4].
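      As an added illustration (not code from the episode or from PagerDuty), the string-building anti-pattern beside the two mitigations the hosts recommend, parameterized queries for values and a lookup table for identifiers, using Python's built-in sqlite3 on a constructed in-memory table:

```python
import sqlite3

def make_db():
    # Constructed sample data for the illustration; not from the episode.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_unsafe(conn, name):
    # Anti-pattern: untrusted input is concatenated into the SQL text,
    # so the input can change the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    # Parameterized query: the driver passes the value separately from
    # the SQL text, so the input is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Column names cannot be bound as parameters, so untrusted sort keys are
# mapped onto a fixed set of known identifiers (a lookup value).
ALLOWED_SORT = {"name": "name", "role": "role"}

def list_users_sorted(conn, sort_key):
    column = ALLOWED_SORT.get(sort_key)
    if column is None:
        raise ValueError("unsupported sort key")
    sql = "SELECT name FROM users ORDER BY " + column
    return [row[0] for row in conn.execute(sql)]
```

      The parameterized lookup returns nothing for the classic tautology input, while the concatenated version returns every row, which is the behaviour a test suite should pin down.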
