SQL Injection (CWE-89)
SQL injection is a code injection technique that exploits vulnerabilities in the interface between a web application and its database. It remains one of the most critical and common web vulnerabilities.
How SQL Injection Works
An attacker places SQL syntax in an input field whose value is concatenated directly into a database query string. Because the database parses that string as a single statement, it cannot tell the developer's SQL from the attacker's, and when the application executes the manipulated query the attacker can read, modify, or delete data.
Vulnerable Code
// User input directly in query string
const userId = req.params.id;
const query = `SELECT * FROM users WHERE id = '${userId}'`;
db.query(query);
Attack Payload
# Input: ' OR '1'='1' --
# Resulting query:
# SELECT * FROM users WHERE id = '' OR '1'='1' --'
# Returns ALL users in the database
Secure Code
// Parameterized query - input treated as data, not code
const userId = req.params.id;
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
Types of SQL Injection
In-band SQLi: Results visible in the response (UNION-based, error-based)
Blind SQLi: No visible output, but behavior changes (boolean-based, time-based)
Out-of-band SQLi: Data exfiltrated via DNS or HTTP requests
Prevention
- Always use parameterized queries or prepared statements
- Use ORM frameworks (Sequelize, Prisma, SQLAlchemy, Hibernate)
- Apply input validation and allow-list the characters or formats each field may contain (defence in depth, not a substitute for parameterization)
- Use least-privilege database accounts
- Enable WAF rules for SQL injection patterns
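The following is an added example, not code from this page or from the VEXLIT project. It runs the vulnerable and parameterized patterns shown above, together with the allow-list check from the Prevention list, against a real database engine. Python with the standard-library sqlite3 module is used instead of the page's Node/Express code because it ships with its own SQL engine and runs offline; the users table, its three rows, and the digits-only id policy are constructed for the example.

```python
import re
import sqlite3

# The attack string from the page: closes the quoted literal, adds a
# tautology, and comments out the trailing quote.
PAYLOAD = "' OR '1'='1' --"
# Constructed allow-list for this endpoint: a user id is digits only.
ID_PATTERN = re.compile(r"[0-9]{1,18}")


def make_db():
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob"), ("3", "carol")])
    return conn


def find_user_vulnerable(conn, user_id):
    """String concatenation: the input is parsed as part of the SQL statement."""
    query = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, user_id):
    """Placeholder binding: the statement text is fixed, the value is sent as data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def is_valid_id(raw):
    """Defence in depth: reject anything that is not a plain numeric id."""
    return ID_PATTERN.fullmatch(raw) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", find_user_vulnerable(db, "2"))
    print("vulnerable, payload:    ", find_user_vulnerable(db, PAYLOAD))  # every row
    print("parameterized, payload: ", find_user_safe(db, PAYLOAD))        # no row
    print("allow-list accepts payload?", is_valid_id(PAYLOAD))
```

With the payload, the concatenated statement becomes `SELECT id, name FROM users WHERE id = '' OR '1'='1' --'`, and the engine returns all three rows; the parameterized version looks for a user whose id literally equals the payload string and returns nothing. The allow-list rejects the payload before any query is built, which is why it belongs as a second layer in front of parameterization rather than instead of it.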
VEXLIT Detection
VEXLIT uses taint analysis to trace user input from source (req.params, req.query, req.body) to sink (db.query, pool.execute) across function boundaries. Detection works across 34 languages with framework-aware rules for Express, Spring, Django, Flask, Rails, and more.
npx @vexlit/cli scan . --fail-on warning
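To show what "tracing user input from source to sink across function boundaries" means in practice, here is a toy taint analysis as an added example; it is not VEXLIT's code and makes no claim about how VEXLIT is implemented. It works on Python's own `ast` module over a constructed Flask-style snippet, with `request.args`/`request.form`/`request.json` as the Flask analogues of the page's `req.params`/`req.query`/`req.body` sources and `.execute()` as the sink. Two design choices matter: only the first argument of `execute` (the statement text) is the sink, so bound parameters are treated as data; and a call into another user-defined function is followed with the callee's tainted parameters, which is how the sink inside `run_query` is reached from `lookup_user`. The sanitizer set, the source names, and the sample code are all assumptions made for the example.

```python
import ast

REQUEST_SOURCES = {"args", "form", "json", "values"}  # request.<name> is user input
SINK_METHODS = {"execute", "executemany"}             # first argument is SQL text
SANITIZERS = {"int", "float"}                          # result cannot carry SQL syntax
BLOCK_FIELDS = ("body", "orelse", "finalbody")         # statement lists of compound stmts


class TaintScanner:
    """Toy interprocedural taint analysis: request data -> string building -> execute()."""

    def __init__(self, source):
        self.tree = ast.parse(source)
        self.functions = {n.name: n for n in ast.walk(self.tree)
                          if isinstance(n, ast.FunctionDef)}
        self.findings = set()   # (line, call chain, sink expression)
        self._seen = set()      # (function name, tainted params) already analysed

    def scan(self):
        for fn in self.functions.values():      # every function is a potential entry point
            self.analyze_function(fn, frozenset(), ())
        return sorted(self.findings)

    def analyze_function(self, fn, tainted_params, chain):
        key = (fn.name, tainted_params)
        if key in self._seen:                   # memoised: also stops recursion loops
            return
        self._seen.add(key)
        self._scan_stmts(fn.body, set(tainted_params), chain + (fn.name,))

    def _scan_stmts(self, stmts, env, chain):
        for stmt in stmts:
            if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                continue                        # nested definitions are analysed on their own
            blocks = [getattr(stmt, f) for f in BLOCK_FIELDS
                      if isinstance(getattr(stmt, f, None), list)]
            if blocks:                          # if/for/while/with/try: header, then blocks
                for child in ast.iter_child_nodes(stmt):
                    if isinstance(child, ast.expr):
                        self._check_calls(child, env, chain)
                for block in blocks:
                    self._scan_stmts(block, env, chain)
                continue
            self._check_calls(stmt, env, chain)
            if isinstance(stmt, ast.Assign):    # propagate (or clear) taint through assignment
                tainted = self.is_tainted(stmt.value, env)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        (env.add if tainted else env.discard)(target.id)

    def _check_calls(self, node, env, chain):
        for call in (n for n in ast.walk(node) if isinstance(n, ast.Call)):
            func = call.func
            if isinstance(func, ast.Attribute) and func.attr in SINK_METHODS:
                # Only the statement text is a sink; bound parameters are data.
                if call.args and self.is_tainted(call.args[0], env):
                    self.findings.add((call.lineno, " -> ".join(chain), ast.unparse(func)))
            elif isinstance(func, ast.Name) and func.id in self.functions:
                # Cross the function boundary with the set of tainted parameters.
                callee = self.functions[func.id]
                params = [p.arg for p in callee.args.args]
                passed = list(zip(params, call.args)) + \
                    [(kw.arg, kw.value) for kw in call.keywords if kw.arg in params]
                tainted = frozenset(p for p, a in passed if self.is_tainted(a, env))
                self.analyze_function(callee, tainted, chain)

    def is_tainted(self, node, env):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in SANITIZERS:
            return False
        if isinstance(node, ast.Name):
            return node.id in env
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name) \
                and node.value.id == "request" and node.attr in REQUEST_SOURCES:
            return True
        return any(self.is_tainted(c, env) for c in ast.iter_child_nodes(node))


def scan_source(source):
    return TaintScanner(source).scan()


# Constructed Flask-style sample: two vulnerable paths (one across a call), two safe ones.
SAMPLE = '''\
from flask import request

def run_query(cursor, sql):
    cursor.execute(sql)

def lookup_user(cursor):
    user_id = request.args.get("id")
    run_query(cursor, f"SELECT * FROM users WHERE id = '{user_id}'")

def lookup_user_direct(cursor):
    cursor.execute("SELECT * FROM users WHERE id = '%s'" % request.form["id"])

def lookup_user_safe(cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

def lookup_by_number(cursor):
    user_id = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = " + str(user_id))
'''

if __name__ == "__main__":
    for line, chain, sink in scan_source(SAMPLE):
        print(f"line {line}: tainted statement reaches {sink} via {chain}")
```

Running it reports two findings: line 4 (`cursor.execute(sql)` inside `run_query`, reached via `lookup_user -> run_query`) and line 11 (`lookup_user_direct`). The parameterized `lookup_user_safe` is clean because the tainted value is in the bind tuple, not the statement text, and `lookup_by_number` is clean because `int()` strips the taint. The analysis is deliberately conservative (no path sensitivity, no tracking of return values from callees) and is a teaching model, not a substitute for a real scanner.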