401 Reading 39 - marsecguy/reading-notes-cyberops GitHub Wiki

SQL Injection, Identification and Prevention

  1. What is SQL injection?

    • Inserting malicious SQL code through an application's input to access information that was not intended for release outside the organization.
  2. Can you give an example of how a hacker could use SQL injection to gain unauthorized access?

    • During what appears to be a legitimate interaction with a database online (for example, submitting a form), the attacker appends malicious SQL to their input; if the application builds its query from that input, the attacker can reach parts of the database they were never intended to access.
  3. What are some ways to prevent SQL injection attacks on a web server?

    • Implement input validation (sanitization).
    • Use a web application firewall (WAF).
    • Use web frameworks that parameterize queries.
    • Use NoSQL solutions.
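
Added example for questions 2 and 3 (not from the original notes or the cited sources): a query built by string concatenation next to the parameterized version, plus an allow-list validator for the input. The `users` table, its two rows, and the crafted username are all constructed here to show why concatenation lets input change the query while a bound parameter does not.

```python
"""Added example (not from the original reading notes): a vulnerable
string-built query beside its parameterized replacement, plus an
allow-list input validator. Standard library only; the users table
and its rows are constructed in memory."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by concatenation: the untrusted value becomes
    part of the SQL grammar, so a crafted username can change the
    WHERE clause and return every row."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Passes the value as a bound parameter: the database treats it as
    data only, whatever characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list rule (an assumption for this example): letters, digits and
# underscores, 1 to 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    """Input validation as a second layer, not a replacement for
    parameterized queries: reject anything outside the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that closes the quote
    print("vulnerable:    ", lookup_vulnerable(db, crafted))    # both rows leak
    print("parameterized: ", lookup_parameterized(db, crafted))  # no rows
    print("passes allow-list?", validate_username(crafted))      # False
```

Run it to see that the same input returns every user from the concatenated query and nothing from the parameterized one; the validator rejects it before the query is even built.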

Sources: Varonis, Imperva, W3 Schools