Threats
- SQL Injection: severity high, 3 mitigations
- Cross-Site Scripting (XSS): severity medium, 2 mitigations
- Insecure Direct Object References: severity medium, 2 mitigations
- Sensitive Data Exposure: severity high, 3 mitigations
- Broken Authentication: severity high, 3 mitigations
Mitigation Types
Types of mitigations available:
- Code Changes: 5
- Architecture: 3
- Configuration: 2
- Feature: 2
- Process: 1
SQL Injection Mitigations
Severity: high
Recommended mitigations for SQL Injection
Use Parameterized Queries
Effectiveness: high
Effort: medium
Code Mitigation
Use prepared statements and parameterized queries so that user input is passed to the database as a bound value and is never interpreted as part of the SQL statement itself.
// Instead of this (vulnerable):
const query = "SELECT * FROM users WHERE username = '" + username + "'";
db.execute(query);
// Do this (secure):
const query = "SELECT * FROM users WHERE username = ?";
db.execute(query, [username]);
Implementation Steps
- Identify all affected components and code areas
- Create a test plan to verify the mitigation
- Implement the changes in a development environment
- Test thoroughly to ensure the threat is mitigated
- Deploy to production with appropriate monitoring
Input Validation
Effectiveness: medium
Effort: medium
Code Mitigation
Implement strict input validation to reject potentially malicious input before it reaches the database layer.
// Example input validation
function validateInput(input) {
  // Remove characters commonly used to break out of SQL string literals:
  // semicolon, single quote, double quote, backtick and backslash
  const sanitized = input.replace(/[;'"`\\]/g, '');
  // Accept only the expected allow-list of characters
  const isValid = /^[a-zA-Z0-9_-]+$/.test(sanitized);
  if (!isValid) {
    throw new Error('Invalid input format');
  }
  return sanitized;
}
// Usage
const userInput = 'alice_01'; // sample value; in practice this comes from the request
try {
  const safeInput = validateInput(userInput);
  // Proceed with using safeInput
} catch (error) {
  // Handle validation error
  console.error(error.message);
}
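The two mitigations above, parameterized queries and allow-list input validation, as an added runnable example that is not part of the original page. It uses Python's standard sqlite3 module with a constructed in-memory users table; the table layout, the function names and the sample values are assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table with three users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def find_user_concat(conn, username):
    # Vulnerable pattern from the page: the value becomes part of the SQL text,
    # so a quote in the input changes the meaning of the statement.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_param(conn, username):
    # Parameterized pattern from the page: the driver binds the value; the SQL
    # text is fixed and the input is only ever compared as data.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


USERNAME_RE = re.compile(r"[a-zA-Z0-9_-]+")


def validate_username(value):
    # Allow-list check as defense in depth. It rejects instead of stripping,
    # so the value that reaches the query is exactly what the caller sent.
    # fullmatch() is used because a trailing '$' alone would still accept a
    # value ending in a newline.
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("Invalid input format")
    return value


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed test input with an embedded quote
    print(find_user_concat(conn, hostile))  # matches every row
    print(find_user_param(conn, hostile))   # matches nothing: no such username
    print(validate_username("alice_01"))
```

Running the script shows the same input returning all three users through string concatenation and none through the bound parameter, which is the property the mitigation is meant to guarantee.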
Use ORM
Effectiveness: high
Effort: high
Architecture Mitigation
Use an Object-Relational Mapping (ORM) library that handles SQL escaping automatically.