6.1 Ensure Database and Application User Input is Sanitized

Information

Always validate user input received from a database client or application by testing type, length, format, and range prior to transmitting it to the database server.

Rationale:

Sanitizing user input substantially reduces the risk of SQL injection.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The following steps can be taken to remediate SQL injection vulnerabilities:

Review TSQL and application code for SQL Injection

Only permit minimally privileged accounts to send user input to the server

Minimize the risk of SQL injection attacks by using parameterized commands and stored procedures

Reject user input containing binary data, escape sequences, and comment characters

Always validate user input and do not use it directly to build SQL statements
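The following T-SQL puts the steps above side by side: a procedure that builds its statement by concatenating user input, and its remediated form that validates type, length and format, binds the value through sp_executesql, and is exposed to the application only through EXECUTE permission. This is an added example, not code from the benchmark; the table dbo.Customers, the procedure names and the role AppUserRole are assumed.

```sql
-- Vulnerable pattern: dynamic SQL built by concatenating user input.
-- The table dbo.Customers and the procedure names are assumed for this example.
CREATE PROCEDURE dbo.usp_FindCustomer_Unsafe
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    -- The input becomes part of the statement text, so quote, escape or
    -- comment characters in @Name change what the statement does.
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = ''' + @Name + N''';';
    EXEC (@sql);
END;
GO

-- Remediated pattern: a typed parameter, explicit validation of length and
-- format, and sp_executesql with a bound parameter so the input is carried
-- as a value and is never interpreted as T-SQL.
CREATE PROCEDURE dbo.usp_FindCustomer
    @Name NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- Validate type, length, format and range before the value is used.
    IF @Name IS NULL OR LEN(@Name) = 0 OR LEN(@Name) > 100
        THROW 50001, N'Name must be between 1 and 100 characters.', 1;
    IF @Name LIKE N'%[^A-Za-z0-9 .''-]%'   -- allowlist: rejects binary data, escapes, comment markers
        THROW 50002, N'Name contains disallowed characters.', 1;

    -- When the statement does not need to be dynamic, a plain
    -- SELECT ... WHERE Name = @Name is simplest; sp_executesql is shown
    -- for the case where the statement text must be assembled at run time.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @p_name;';

    -- The value travels as a parameter and cannot alter the statement text.
    EXEC sys.sp_executesql
        @sql,
        N'@p_name NVARCHAR(100)',
        @p_name = @Name;
END;
GO

-- Least privilege: the application role may execute the procedure but is
-- granted no direct access to the table (the role name is assumed).
GRANT EXECUTE ON dbo.usp_FindCustomer TO AppUserRole;
```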

Impact:

Sanitizing user input may require changes to application code or database object syntax. These changes can require applications or databases to be taken temporarily off-line. Any change to TSQL or application code should be thoroughly tested in a test environment before production implementation.

References:

https://owasp.org/www-community/attacks/SQL_Injection

https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2008/ms161953(v=sql.100)

https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms161953(v=sql.105)

See Also

https://workbench.cisecurity.org/files/2834

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-9, CSCv6|18.3, CSCv7|18.2

Plugin: MS_SQLDB

Control ID: 3e43e895bbc0476b454ebaf93006612bebaecce0f8175718abbffc9d3e8a7ab7