Last Modified: 2025-07-07 12:28:23Z
SQL Injection (SQLi for short) is a technique for running arbitrary SQL code. Most attacks target backend servers and their databases, but it can happen in any program that uses a database.
1. References
- OWASP Top 10:2021 - Injection: Several injection techniques, including Command Injection and XSS, were merged into this.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-564: SQL Injection: Hibernate. Note: Hibernate is an ORM tool for Java and JSP.
- Research on Countermeasure of SQL Injection Attack, Sunghyuck Hong, 2019
1.1. Special Reports from EQST team, SK Shielders
The EQST team has released high-quality reports about SQL Injection. EQST is a research team at SK Shielders. All reports are written in Korean.