| Property | Value |
| --- | --- |
| Language | python |
| Severity | medium |
| CWE | CWE-943: Improper Neutralization of Special Elements in Data Query Logic |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |

Description

Fields read from the Lambda `event` object (request body, path or query parameters) flow directly into DynamoDB query parameters such as `FilterExpression`, `KeyConditionExpression` or the legacy `ScanFilter`/`QueryFilter` maps without validation or sanitization. Binding the compared value through `ExpressionAttributeValues` is not enough on its own: when the attribute name or comparison operator is also taken from the event and concatenated into the expression string, the caller controls expression grammar rather than data and can rewrite the filter logic (for example widening a per-user filter to every item in the table).
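The following is an added example, not code from the original rule page: a Lambda-style handler that builds `Scan` parameters from the event in the flagged way, beside a hardened builder. The attribute allowlist, operator map, event field names and length bound are assumptions for the example; no call to DynamoDB is made, the returned dict is what would be passed as `table.scan(**params)`.

```python
"""DynamoDB Scan parameters built from a Lambda event: the flagged pattern
beside a hardened version (added example, not the rule page's own code)."""

# Constructed allowlists (assumptions for this example): attributes a caller
# may filter on and the comparison operators that are exposed to callers.
ALLOWED_FILTER_ATTRS = {"owner", "status", "category"}
ALLOWED_OPERATORS = {"eq": "=", "ne": "<>", "lt": "<", "gt": ">"}
MAX_VALUE_LEN = 256


def build_scan_vulnerable(event):
    """The pattern the rule flags: attribute name and operator taken from the
    event are concatenated into FilterExpression, so they become part of the
    expression grammar instead of data. The value is bound as a placeholder,
    which does nothing to protect the name and operator positions."""
    attr = event["filter_attr"]
    op = event.get("op", "=")
    return {
        "FilterExpression": f"{attr} {op} :val",
        # Low-level client attribute-value format; a Table resource takes plain values.
        "ExpressionAttributeValues": {":val": {"S": str(event.get("value", ""))}},
    }


def build_scan_hardened(event):
    """Allowlist the attribute and operator, bound the value, and route the
    attribute name through ExpressionAttributeNames so the expression string
    itself never contains caller-supplied text."""
    attr = event.get("filter_attr")
    if attr not in ALLOWED_FILTER_ATTRS:
        raise ValueError(f"unsupported filter attribute: {attr!r}")
    op_key = event.get("op", "eq")
    if op_key not in ALLOWED_OPERATORS:
        raise ValueError(f"unsupported operator: {op_key!r}")
    value = event.get("value")
    if not isinstance(value, str) or not 0 < len(value) <= MAX_VALUE_LEN:
        raise ValueError(f"value must be a non-empty string of at most {MAX_VALUE_LEN} characters")
    return {
        "FilterExpression": f"#attr {ALLOWED_OPERATORS[op_key]} :val",
        "ExpressionAttributeNames": {"#attr": attr},
        "ExpressionAttributeValues": {":val": {"S": value}},
    }


if __name__ == "__main__":
    # Constructed events: a legitimate lookup, and a request whose "attribute
    # name" carries extra expression logic that widens the filter to every item.
    honest = {"filter_attr": "owner", "value": "alice"}
    crafted = {"filter_attr": "attribute_exists(pk) OR owner", "value": "alice"}
    print("vulnerable:", build_scan_vulnerable(crafted)["FilterExpression"])
    print("hardened:  ", build_scan_hardened(honest)["FilterExpression"])
    try:
        build_scan_hardened(crafted)
    except ValueError as exc:
        print("rejected:", exc)
```

With the crafted event the vulnerable builder emits `attribute_exists(pk) OR owner = :val`, a valid expression that matches every item that has a partition key, i.e. the whole table. The hardened builder rejects it at the allowlist; even if an unlisted name slipped through, DynamoDB would treat the `#attr` substitution as an attribute name rather than parse it, so the two controls layer rather than depend on each other.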

Impact

An attacker could craft requests that alter database queries, potentially exposing, modifying, or deleting data they shouldn’t have access to. This can lead to data breaches, unauthorized access, or disruption of business operations.