CWE-89 Details

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Hoch
Stable
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Benachrichtigungen für ein CWE
Bleiben Sie über alle Änderungen zu einem bestimmten CWE informiert.
Benachrichtigungen verwalten

Name: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Allgemeine Informationen

Einführungsmodi

Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Implementation : This weakness typically appears in data-rich applications that save user inputs in a database.

Anwendbare Plattformen

Sprache

Class: Not Language-Specific (Undetermined)
Name: SQL (Often)

Technologien

Name: Database Server (Undetermined)

Häufige Konsequenzen

Bereich Auswirkung Wahrscheinlichkeit
Confidentiality
Integrity
Availability		Execute Unauthorized Code or Commands

Note: Adversaries could execute system commands, typically by changing the SQL statement to redirect output to a file that can then be executed.
ConfidentialityRead Application Data

Note: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.
AuthenticationGain Privileges or Assume Identity, Bypass Protection Mechanism

Note: If poor SQL commands are used to check user names and passwords or perform other kinds of authentication, it may be possible to connect to the product as another user with no previous knowledge of the password.
Access ControlBypass Protection Mechanism

Note: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.
IntegrityModify Application Data

Note: Just as it may be possible to read sensitive information, it is also possible to modify or even delete this information with a SQL injection attack.

Beobachtete Beispiele

Referenzen Beschreibung

CVE-2024-6847

SQL injection in AI chatbot via a conversation message

CVE-2025-26794

SQL injection in e-mail agent through SQLite integration

CVE-2023-32530

SQL injection in security product dashboard using crafted certificate fields

CVE-2021-42258

SQL injection in time and billing software, as exploited in the wild per CISA KEV.

CVE-2021-27101

SQL injection in file-transfer system via a crafted Host header, as exploited in the wild per CISA KEV.

CVE-2020-12271

SQL injection in firewall product's admin interface or user portal, as exploited in the wild per CISA KEV.

CVE-2019-3792

An automation system written in Go contains an API that is vulnerable to SQL injection allowing the attacker to read privileged data.

CVE-2004-0366

chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass.

CVE-2008-2790

SQL injection through an ID that was supposed to be numeric.

CVE-2008-2223

SQL injection through an ID that was supposed to be numeric.

CVE-2007-6602

SQL injection via user name.

CVE-2008-5817

SQL injection via user name or password fields.

CVE-2003-0377

SQL injection in security product, using a crafted group name.

CVE-2008-2380

SQL injection in authentication library.

CVE-2017-11508

SQL injection in vulnerability management and reporting tool, using a crafted password.

Mögliche Gegenmaßnahmen

Phases : Architecture and Design
Phases : Architecture and Design
Phases : Architecture and Design // Operation
Phases : Architecture and Design
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phases : Implementation
Phases : Implementation
Phases : Architecture and Design
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
Phases : Implementation
Phases : Operation
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481.
Phases : Operation // Implementation
When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

Erkennungsmethoden

Automated Static Analysis

Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Wirksamkeit : Moderate

Manual Analysis

Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.

Automated Static Analysis - Binary or Bytecode

Wirksamkeit : High

Dynamic Analysis with Automated Results Interpretation

Wirksamkeit : High

Dynamic Analysis with Manual Results Interpretation

Wirksamkeit : SOAR Partial

Manual Static Analysis - Source Code

Wirksamkeit : High

Automated Static Analysis - Source Code

Wirksamkeit : High

Architecture or Design Review

Wirksamkeit : High

Hinweise zur Schwachstellen-Zuordnung

Begründung : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Kommentar : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Verwandte Angriffsmuster

CAPEC-ID Name des Angriffsmusters
CAPEC-108 Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
CAPEC-109 Object Relational Mapping Injection
An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
CAPEC-110 SQL Injection through SOAP Parameter Tampering
An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
CAPEC-470 Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.
CAPEC-66 SQL Injection
This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input.
CAPEC-7 Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

Hinweise

SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.

Referenzen

REF-1460

NT Web Technology Vulnerabilities
rain.forest.puppy.
https://phrack.org/issues/54/8

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-867

SQL Injection Prevention Cheat Sheet
OWASP.
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

REF-868

SQL Injection Attacks by Example
Steven Friedl.
http://www.unixwiz.net/techtips/sql-injection.html

REF-869

SQL Injection Cheat Sheet
Ferruh Mavituna.
https://web.archive.org/web/20080126180244/http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

REF-870

The Database Hacker's Handbook: Defending Database Servers
David Litchfield, Chris Anley, John Heasman, Bill Grindlay.

REF-871

The Oracle Hacker's Handbook: Hacking and Defending Oracle
David Litchfield.

REF-872

SQL Injection
Microsoft.
https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms161953(v=sql.105)?redirectedfrom=MSDN

REF-873

SQL Injection Attack
Microsoft Security Vulnerability Research & Defense.
https://msrc.microsoft.com/blog/2008/05/sql-injection-attack/

REF-874

Giving SQL Injection the Respect it Deserves
Michael Howard.
https://learn.microsoft.com/en-us/archive/blogs/michael_howard/giving-sql-injection-the-respect-it-deserves

REF-875

Top 25 Series - Rank 2 - SQL Injection
Frank Kim.
https://www.sans.org/blog/top-25-series-rank-2-sql-injection/

REF-76

Least Privilege
Sean Barnum, Michael Gegick.
https://web.archive.org/web/20211209014121/https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-962

Automated Source Code Security Measure (ASCSM)
Object Management Group (OMG).
http://www.omg.org/spec/ASCSM/1.0/

REF-1447

Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software
Cybersecurity and Infrastructure Security Agency.
https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-sql-injection-vulnerabilities-software

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

REF-1481

D3FEND: Application Layer Firewall
D3FEND.
https://d3fend.mitre.org/dao/artifact/d3f:ApplicationLayerFirewall/

REF-1482

D3FEND: D3-TL Trusted Library
D3FEND.
https://d3fend.mitre.org/technique/d3f:TrustedLibrary/

Einreichung

Name Organisation Datum Veröffentlichungsdatum Version
PLOVER 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Änderungen

Name Organisation Datum Kommentar
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Modes_of_Introduction, Name, Relationships, Other_Notes, Relationship_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Description
CWE Content Team MITRE 2008-11-24 +00:00 updated Observed_Examples
CWE Content Team MITRE 2009-01-12 +00:00 updated Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2009-03-10 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2009-05-27 +00:00 updated Demonstrative_Examples, Name, Related_Attack_Patterns
KDM Analytics 2009-07-17 +00:00 Improved the White_Box_Definition
CWE Content Team MITRE 2009-07-27 +00:00 updated Description, Name, White_Box_Definitions
CWE Content Team MITRE 2009-12-28 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-02-16 +00:00 updated Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2010-04-05 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2010-06-21 +00:00 updated Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2011-06-27 +00:00 updated Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2012-05-11 +00:00 updated Potential_Mitigations, References, Related_Attack_Patterns, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-07-17 +00:00 updated Relationships
CWE Content Team MITRE 2014-06-23 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Relationships
CWE Content Team MITRE 2017-05-03 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, Observed_Examples, References, Relationships, White_Box_Definitions
CWE Content Team MITRE 2018-03-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2019-09-19 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Potential_Mitigations, Relationships, Time_of_Introduction
CWE Content Team MITRE 2020-06-25 +00:00 updated Demonstrative_Examples, Potential_Mitigations, Relationship_Notes
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2021-07-20 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-06-28 +00:00 updated Observed_Examples, Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Observed_Examples, References
CWE Content Team MITRE 2023-01-31 +00:00 updated Demonstrative_Examples, Description
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples, Observed_Examples
CWE Content Team MITRE 2024-07-16 +00:00 updated Alternate_Terms, Common_Consequences, Description, Diagram, References
CWE Content Team MITRE 2024-11-19 +00:00 updated Relationships
CWE Content Team MITRE 2025-04-03 +00:00 updated Applicable_Platforms, Demonstrative_Examples, References
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, Potential_Mitigations, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Observed_Examples, Relationships, Weakness_Ordinalities
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.