Property

Language: javascript
Severity: medium
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP: A01:2017 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Building raw SQL queries in Sequelize by inserting user input directly into the query string (for example through string concatenation or template literals) lets an attacker inject SQL of their own. Always use parameterized queries or data binding so that user data is carried separately from the statement text instead of becoming part of it.
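As an added illustration (not part of the original rule text), the following JavaScript places the pattern this rule flags next to its fix, and shows what a constructed hostile value does to each. The `users` table, the column names, the helper names and the recording stand-in for a Sequelize instance are assumptions made for this example; `sequelize.query(sql, { bind, type })` with `$name` bind parameters is Sequelize's actual raw-query API.

```javascript
// Added example, not code from the original page.
// Vulnerable form: user input is spliced into the SQL text.
function buildUserQueryUnsafe(username) {
  // A template literal makes the value part of the statement itself.
  return `SELECT id, username FROM users WHERE username = '${username}'`;
}

// Hardened form: the SQL text is fixed; the value is a bind parameter.
function buildUserQuerySafe(username) {
  // `$username` is Sequelize's bind-parameter syntax. The driver sends the
  // value out of band, so it can never alter the statement's structure.
  return {
    sql: 'SELECT id, username FROM users WHERE username = $username',
    bind: { username },
  };
}

// Stand-in for a Sequelize instance (constructed for this example): it
// records what would be handed to the driver instead of hitting a database.
// A real instance would be `new Sequelize(...)` and `query` would be async.
function makeRecordingSequelize() {
  const calls = [];
  return {
    calls,
    query(sql, options = {}) {
      calls.push({ sql, options });
      return [];
    },
  };
}

// The two call sites as they would appear in application code.
// 'SELECT' is the value of Sequelize's QueryTypes.SELECT.
function findUserUnsafe(sequelize, username) {
  return sequelize.query(buildUserQueryUnsafe(username), { type: 'SELECT' });
}
function findUserSafe(sequelize, username) {
  const { sql, bind } = buildUserQuerySafe(username);
  return sequelize.query(sql, { bind, type: 'SELECT' });
}

// Small structural summary of a statement: number of single-quote literal
// delimiters, presence of a comment marker, presence of an OR 1=1 tautology.
// Enough to show that input rewrote the unsafe statement but not the safe one.
function describeStatement(sql) {
  return {
    literalDelimiters: (sql.match(/'/g) || []).length,
    hasCommentMarker: sql.includes('--'),
    hasOrTrue: /\bOR\s+1\s*=\s*1\b/i.test(sql),
  };
}

// Run both call sites against recording instances and return what each
// would have sent to the database for the given username.
function compare(username) {
  const unsafeDb = makeRecordingSequelize();
  const safeDb = makeRecordingSequelize();
  findUserUnsafe(unsafeDb, username);
  findUserSafe(safeDb, username);
  return { unsafe: unsafeDb.calls[0], safe: safeDb.calls[0] };
}

// Constructed sample inputs: an ordinary username and a classic tautology.
const NORMAL_INPUT = 'alice';
const HOSTILE_INPUT = "' OR 1=1 --";

// Stand-alone demonstration of the difference.
const result = compare(HOSTILE_INPUT);
console.log('unsafe:', result.unsafe.sql, describeStatement(result.unsafe.sql));
console.log('safe:  ', result.safe.sql, result.safe.options.bind);
```

With the hostile value the unsafe statement gains an extra string delimiter, a comment marker and an `OR 1=1` predicate, so the database sees a different query than the developer wrote; the safe statement is byte-for-byte the same as for `alice`, and the hostile text travels only as the value of `bind.username`. The same contrast holds for Sequelize `replacements` (`:name` / `?`), which Sequelize escapes before sending, although bind parameters keep the value out of the SQL text entirely.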

Impact

If exploited, an attacker can run unauthorized SQL commands against the database, leading to theft, modification or deletion of data. This compromises sensitive information, damages data integrity, and can give the attacker control over the application's backend database.