Preventing database injection vulnerabilities by using ORM/ODM libraries or other DAL packages

One Paragraph Explainer

When writing your database logic, watch out for possible injection vectors that an attacker could exploit. Hand-writing database queries and skipping validation of the data in user requests are the easiest ways to introduce these vulnerabilities. The situation is easy to avoid, however, if you use suitable packages for validating input and for handling database operations. In many cases your system will be safe and sound by combining a validation library like joi or yup with an ORM/ODM from the list below. This should guarantee the use of parameterized queries and data bindings, so that the validated data is properly escaped and handled without opening unwanted attack vectors. Many of these libraries also ease your life as a developer: you no longer write complex queries by hand, they supply types for language-based type systems, and they convert data to the formats you want. To conclude, always validate any data you are going to store, and use proper data-mapping libraries to handle the dangerous work for you.

Libraries

Example - NoSQL query injection

```javascript
// A query of the form
db.balances.find({
  active: true,
  $where: (obj) => obj.credits - obj.debits < userInput
});

// where userInput, supplied by the client, equals
"(function(){var date = new Date(); do{curDate = new Date();}while(curDate-date<10000); return Math.max();})()"

// will trigger a denial of service: the injected function busy-loops for ten seconds
// each time the server evaluates the $where clause.
// Another user input might inject other logic resulting in the database exposing sensitive data.
```

Example - SQL injection

```sql
-- Intended query, with the user-supplied value inside the quoted literal
SELECT username, firstname, lastname FROM users WHERE id = 'user input';
-- Input containing a quote ends the literal early, and the remainder is parsed as SQL
SELECT username, firstname, lastname FROM users WHERE id = 'evil'input';
```
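The following is an added example, not code from the original page or from any of the ORM/ODM libraries it recommends. It reworks both queries above (the NoSQL `$where` query and the concatenated SQL query) so that the untrusted value is validated first and then passed as data: as a plain value inside a MongoDB query object, or as a bound parameter beside placeholder SQL text. The helper names (`validateThreshold`, `buildBalanceQuery`, `buildUserQuerySafe`, and so on) are hypothetical; the output shapes mirror what a Mongo-style driver and a node-postgres-style driver accept, but no database is contacted. Note that validation and binding do different jobs: validation rejects values that make no business sense, while binding keeps even a value like `evil'input` from being parsed as query text. An ORM's raw-query escape hatch, where you build the query string yourself, forfeits that second protection.

```javascript
// Added example, not code from the original page or from any listed ORM/ODM.
// Helper names are hypothetical; query shapes follow MongoDB query documents
// and node-postgres style { text, values } objects. No database is contacted.

// Validation in the spirit of a joi/yup number schema: accept a finite number
// or a purely numeric string, reject everything else (including JavaScript
// source such as the $where payload shown on the page).
function validateThreshold(userInput) {
  if (typeof userInput === 'number') {
    if (!Number.isFinite(userInput)) throw new TypeError('threshold must be finite');
    return userInput;
  }
  if (typeof userInput === 'string' && /^-?\d+(\.\d+)?$/.test(userInput.trim())) {
    return Number(userInput);
  }
  throw new TypeError(`threshold must be numeric, got ${typeof userInput}`);
}

// Safe replacement for the $where query: $expr lets the server compute
// credits - debits itself, and the threshold is a plain value in the query
// document rather than text evaluated as JavaScript.
function buildBalanceQuery(userInput) {
  const threshold = validateThreshold(userInput);
  return {
    active: true,
    $expr: { $lt: [{ $subtract: ['$credits', '$debits'] }, threshold] },
  };
}

// The page's concatenated SQL: a quote in the input ends the literal early
// and the rest of the input is parsed as SQL. Kept here only for contrast.
function buildUserQueryUnsafe(userInput) {
  return `SELECT username, firstname, lastname FROM users WHERE id = '${userInput}';`;
}

// Parameterized form: the text contains only a placeholder and the value
// travels separately, so even evil'input is compared as a string, never parsed.
function buildUserQuerySafe(userInput) {
  if (typeof userInput !== 'string' || userInput.length === 0 || userInput.length > 64) {
    throw new TypeError('id must be a non-empty string of at most 64 characters');
  }
  return {
    text: 'SELECT username, firstname, lastname FROM users WHERE id = $1',
    values: [userInput],
  };
}

// Constructed inputs: one honest value and the two hostile values from the page.
const DOS_PAYLOAD =
  "(function(){var date = new Date(); do{curDate = new Date();}while(curDate-date<10000); return Math.max();})()";
const QUOTE_PAYLOAD = "evil'input";

// Runs each builder against the constructed inputs and returns the outcomes.
function demo() {
  const results = {
    balanceOk: buildBalanceQuery('100'),
    balanceRejected: null,
    sqlUnsafe: buildUserQueryUnsafe(QUOTE_PAYLOAD),
    sqlSafe: buildUserQuerySafe(QUOTE_PAYLOAD),
  };
  try {
    buildBalanceQuery(DOS_PAYLOAD);
  } catch (err) {
    results.balanceRejected = err.message;
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the accepted `$expr` query, the rejection message for the `$where` payload, and the unsafe SQL string next to its parameterized counterpart, where the quote character sits harmlessly in `values[0]` and never appears in `text`.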

Additional resources

OWASP SQL Injection

OWASP SQL Injection Prevention Cheat Sheet

Testing for NoSQL Injection

What other bloggers say

Risks of NoSQL injection from the OWASP wiki

NoSQL injection attacks may execute in different areas of an application than traditional SQL injection. Where SQL injection would execute within the database engine, NoSQL variants may execute within the application layer or the database layer, depending on the NoSQL API used and data model. Typically NoSQL injection attacks will execute where the attack string is parsed, evaluated, or concatenated into a NoSQL API call.