CWE - CWE-89 - Improper Neutralization of Special Elements Used in An SQL Command ('SQL Injection') (4.14)

Common Weakness Enumeration
A community-developed list of SW & HW weaknesses that can become vulnerabilities


CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Weakness ID: 89
Vulnerability Mapping: ALLOWED
Abstraction: Base
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Extended Description
Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.

SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or product package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.
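The control/data-plane point above, as an added illustration that is not part of the CWE entry: the same input is run through a query built by string concatenation (the weakness) and through a parameterized query (the mitigation). The in-memory SQLite table, its columns and the two user rows are constructed for this example.

```python
"""Constructed demonstration of CWE-89 in Python's sqlite3 module.

The `users` table, its columns and the rows 'alice' and 'bob' are
assumptions made for this example; nothing here comes from the CWE entry.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a fresh in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    # A perfectly legitimate value that happens to contain SQL syntax.
    conn.execute("INSERT INTO users VALUES ('bob', \"o'brien\")")
    return conn


def login_concat(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Weak form: user input is spliced into the SQL text, so any SQL
    syntax inside it (quotes, operators, comments) is parsed as part of
    the command rather than compared as data."""
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Hardened form: the command text is fixed and the driver passes the
    values out of band, so they can only ever be compared as data."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0] > 0


def compare(name: str, pw: str):
    """Run both forms on identical input; 'error' marks a query that the
    database refused to parse because the data changed the command."""
    conn = make_db()
    try:
        concat = login_concat(conn, name, pw)
    except sqlite3.Error:
        concat = "error"
    return concat, login_param(conn, name, pw)


if __name__ == "__main__":
    # Legitimate data containing a quote breaks the concatenated query
    # but is handled correctly by the parameterized one.
    print(compare("bob", "o'brien"))
    # Input that alters the WHERE logic passes the weak check only.
    print(compare("alice", "x' OR '1'='1"))
```

The second call shows the "alter query logic to bypass security checks" outcome the entry describes: the concatenated form returns True without the right password, the parameterized form returns False.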
Relationships
Relevant to the view "Research Concepts" (CWE-1000)
Nature Type ID Name
ChildOf 943 Improper Neutralization of Special Elements in Data Query Logic
ParentOf 564 SQL Injection: Hibernate
CanFollow 456 Missing Initialization of a Variable

Relevant to the view "Software Development" (CWE-699)
Nature Type ID Name
MemberOf 137 Data Neutralization Issues

Relevant to the view "Weaknesses for Simplified Mapping of Published Vulnerabilities" (CWE-1003)
Relevant to the view "Architectural Concepts" (CWE-1008)
Relevant to the view "CISQ Quality Measures (2020)" (CWE-1305)
Relevant to the view "Weaknesses in OWASP Top Ten (2013)" (CWE-928)
Memberships
Nature Type ID Name
MemberOf 635 Weaknesses Originally Used by NVD from 2008 to 2016
MemberOf 713 OWASP Top Ten 2007 Category A2 - Injection Flaws
MemberOf 722 OWASP Top Ten 2004 Category A1 - Unvalidated Input
MemberOf 727 OWASP Top Ten 2004 Category A6 - Injection Flaws
MemberOf 751 2009 Top 25 - Insecure Interaction Between Components
MemberOf 801 2010 Top 25 - Insecure Interaction Between Components
MemberOf 810 OWASP Top Ten 2010 Category A1 - Injection
MemberOf 864 2011 Top 25 - Insecure Interaction Between Components
MemberOf 884 CWE Cross-section
MemberOf 929 OWASP Top Ten 2013 Category A1 - Injection
MemberOf 990 SFP Secondary Cluster: Tainted Input to Command
MemberOf 1005 7PK - Input Validation and Representation
MemberOf 1027 OWASP Top Ten 2017 Category A1 - Injection
MemberOf 1131 CISQ Quality Measures (2016) - Security
MemberOf 1200 Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors
MemberOf 1308 CISQ Quality Measures - Security
MemberOf 1337 Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf 1340 CISQ Data Protection Measures
MemberOf 1347 OWASP Top Ten 2021 Category A03:2021 - Injection
MemberOf 1350 Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf 1387 Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses
MemberOf 1409 Comprehensive Categorization: Injection
MemberOf 1425 Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses

Vulnerability Mapping Notes
Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities)
Reason: Acceptable-Use
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Notes
Relationship
SQL injection can be resultant from special character mismanagement, MAID, or denylist/allowlist problems. It can be primary to authentication errors.
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | SQL injection
7 Pernicious Kingdoms | | | SQL Injection
CLASP | | | SQL injection
OWASP Top Ten 2007 | A2 | CWE More Specific | Injection Flaws
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input
OWASP Top Ten 2004 | A6 | CWE More Specific | Injection Flaws
WASC | 19 | | SQL Injection
Software Fault Patterns | SFP24 | | Tainted input to command
OMG ASCSM | ASCSM-CWE-89 | |
SEI CERT Oracle Coding Standard for Java | IDS00-J | Exact | Prevent SQL injection

Related Attack Patterns
CAPEC-ID Attack Pattern Name
CAPEC-108 Command Line Execution through SQL Injection
CAPEC-109 Object Relational Mapping Injection
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CAPEC-470 Expanding Control over the Operating System from the Database
CAPEC-66 SQL Injection
CAPEC-7 Blind SQL Injection

Content History

Submissions
Submission Date Submitter Organization
2006-07-19 PLOVER
(CWE Draft 3, 2006-07-19)
Modifications
Previous Entry Names