Improper Neutralization of Special Elements used in an SQL Command
User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.
Prevalência
Very Common
OWASP Top 10 since 2010
Impacto
Critical
Data breach, auth bypass, RCE
Prevenção
Well understood
Parameterized queries
2 Prevenção
2 Prevenção
Como corrigir esta vulnerabilidade
Estratégias de prevenção para SQL Injection baseadas em 7 regras de detecção do Shoulder.
SQL Injection via Database Queries
CRITICAL
Use parameterized queries with $1 (PostgreSQL) or ? (MySQL/SQLite) placeholders
func getUser(w http.ResponseWriter, r *http.Request) { userID := r.URL.Query().Get("id") - query := "SELECT * FROM users WHERE id = " + userID - rows, err := db.Query(query) + rows, err := db.Query("SELECT * FROM users WHERE id = $1", userID) // ... }
JavaScript
Ver tudo JavaScript detalhes →
SQL Injection via Database Queries
CRITICAL
Use parameterized queries with placeholder syntax
- const query = `SELECT * FROM users WHERE id = '${req.params.id}'`; - await db.query(query); + const query = 'SELECT * FROM users WHERE id = $1'; + await db.query(query, [req.params.id]);
Prisma Raw Query SQL Injection
CRITICAL
Use Prisma.sql tagged template for parameterized raw queries instead of regular template literals
- import { PrismaClient } from '@prisma/client'; - const prisma = new PrismaClient(); - - app.get('/api/users/search', async (req, res) => { - const { name } = req.query; - const users = await prisma.$queryRaw` - SELECT * FROM "User" WHERE name LIKE '%${name}%' - `; - res.json(users); - }); - // Attacker sends: name=' OR 1=1 -- + import { PrismaClient, Prisma } from '@prisma/client'; + const prisma = new PrismaClient(); + + app.get('/api/users/search', async (req, res) => { + const { name } = req.query; + const users = await prisma.$queryRaw( + Prisma.sql`SELECT * FROM "User" WHERE name LIKE ${`%${name}%`}` + ); + res.json(users); + });
TypeORM SQL Injection in Raw Query
CRITICAL
Use parameterized queries with positional (?) or named (:param) placeholders instead of string interpolation
import { getManager } from 'typeorm'; app.get('/api/users/search', async (req, res) => { const { name, role } = req.query; const manager = getManager(); const users = await manager.query( - `SELECT * FROM users WHERE name = '${name}' AND role = '${role}'` - ); - res.json(users); - }); - // Attacker sends: name=' OR '1'='1' -- + 'SELECT * FROM users WHERE name = $1 AND role = $2', + [name, role] + ); + res.json(users); + });
Python
Ver tudo Python detalhes →
GraphQL Injection / Unsafe Query Construction
HIGH
Use parameterized GraphQL queries with variables instead of string formatting
from flask import request import graphene @app.route('/graphql', methods=['POST']) def graphql_endpoint(): - user_id = request.json.get('id') - query = f'{{ user(id: "{user_id}") {{ name email }} }}' - result = schema.execute(query) + query = request.json.get('query') + variables = request.json.get('variables', {}) + result = schema.execute(query, variables=variables) return jsonify(result.data)
3 Detecção
3 Detecção
Encontre vulnerabilidades no seu código
Use o Shoulder para escanear seu código em busca de padrões SQL Injection. 7 regras.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=89 # Or scan entire project npx @shoulderdev/cli trust .
Regras de Detecção (7)
🟨
Javascript
4 rules
SQL Injection via Database Queries
CRITICAL
Detects user input flowing into SQL queries without parameterization.
Prisma Raw Query SQL Injection
CRITICAL
Using template literals instead of Prisma.sql`` in $queryRaw bypasses
parameter binding and enables SQL injection.
TypeORM SQL Injection in Raw Query
CRITICAL
Raw SQL queries with string concatenation or template literals bypass TypeORM's
parameterization, enabling SQL injection attacks.
TypeORM Query Builder SQL Injection
CRITICAL
QueryBuilder where clauses with template literals or concatenation bypass
parameter binding, enabling SQL injection.
🔷
Typescript
4 rules
SQL Injection via Database Queries
CRITICAL
Detects user input flowing into SQL queries without parameterization.
Prisma Raw Query SQL Injection
CRITICAL
Using template literals instead of Prisma.sql`` in $queryRaw bypasses
parameter binding and enables SQL injection.
TypeORM SQL Injection in Raw Query
CRITICAL
Raw SQL queries with string concatenation or template literals bypass TypeORM's
parameterization, enabling SQL injection attacks.
TypeORM Query Builder SQL Injection
CRITICAL
QueryBuilder where clauses with template literals or concatenation bypass
parameter binding, enabling SQL injection.
🐍
Python
2 rules
GraphQL Injection / Unsafe Query Construction
HIGH
Detects unsafe GraphQL query construction with user input, missing query depth
limiting, or disabled introspection in production. These can lead to injection
attacks, DoS via deeply nested queries, or information disclosure.
SQL Injection via Database Queries
CRITICAL
Detects untrusted user input flowing into SQL database queries without proper
parameterization.
4 Sinais de Alerta
4 Sinais de Alerta
O que observar nas revisões de código
Estes padrões indicam vulnerabilidades potenciais de SQL Injection. Procure-os durante revisões de código e auditorias de segurança.
unsafe GraphQL query construction with user input, missing query depth
limiting, or disabled introsp
python-graphql-injection
user input flowing to SQL queries without parameterization
go-sql-injection
user input flowing into SQL queries without parameterization
javascript-sql-injection
Raw SQL query uses untrusted input without proper parameterization. Use Prisma.sql`` template tag for safe parameter bin
prisma-raw-query-injection
untrusted user input flowing into SQL database queries without proper
parameterization
python-sql-injection
Raw SQL query method uses untrusted input without parameterization. Use parameterized queries with ? or $1 placeholders.
typeorm-sql-injection-raw-query
QueryBuilder clause uses string concatenation with untrusted input. Use parameter binding with :name or ? placeholders.
typeorm-unsafe-query-builder
5 Auditoria de código
5 Auditoria de código
Padrões de revisão manual
Ao revisar código manualmente, procure por estes padrões perigosos.
Sinais de alerta para procurar
query = + concatenação de stringsexecute(f"... or execute("..." +raw_query, rawQuery, executeRaw${ or #{ dentro de strings SQL
6 Análise especializada
6 Análise especializada
Como especialistas em segurança pensam
O modelo mental que profissionais de segurança usam ao revisar esta vulnerabilidade.
1
Mapeie os pontos de entrada
Parâmetros de URL, corpos POST, cabeçalhos, cookies, uploads de arquivo.
2
Rastreie o fluxo de dados
Siga a entrada através do código. Ela é sanitizada?
3
Identifique os sumidouros
Where queries are executed: execute(), query()
4
Verifique as fronteiras de confiança
Observe dados armazenados usados em consultas.
Escaneie seu código para SQL Injection
O Shoulder CLI encontra padrões vulneráveis em todo o seu código.