Node.js Security Unleashed: Your Ultimate Defense Guide (5/7)

A Preface

Nowadays, everyone acknowledges that there exists a plethora of possible attacks and exploits, each capable of employing diverse approaches to compromise a targeted system. Thankfully, a significant portion of them derives from the well-established concepts and relies on widely recognized patterns.

Therefore, such threats, though each having its own peculiar characteristics, can still be classified based on their shared traits. By identifying these commonalities, the development community managed to elaborate a comprehensive suite of effective countermeasures against them.

Throughout this article series, we will highlight seven signature attack patterns that we should be concerned about when safeguarding our Node.js applications.

!!! Disclaimer !!!

The information provided in this article is intended for educational purposes only. Readers are encouraged to consult with qualified cybersecurity experts and adhere to their organization’s security procedures when addressing the mentioned attacks. Neither the author nor the hosting platform is responsible for any actions taken by individuals or organizations based on the information contained herein.

Please be prudent, and use the provided information solely with good intentions.

---

Series Agenda:

• 1/7: ⠀Cross-Site Request Forgery (CSRF).

• 2/7: ⠀Server-Side Request Forgery (SSRF).

• 3/7: ⠀Cross-site scripting (XSS)

• 4/7: ⠀Denial of Service (DoS/DDoS).

• 5/7: ⠀SQL Injections (SQLi) — you are here.

• 6/7: ⠀NoSQL Injections (NoSQLi).

• 7/7: ⠀OS Command Injections.

---

Introduction

Greetings, dear readers!

Welcome to the fifth installment of our article series dedicated to the theory and practice of defending against prevalent attack patterns in software development.

In this very segment, we will explore the ins and outs of the SQL Injection threats, and come to know why we, as developers, should be concerned about them.

By the end of this paper, you will be well-equipped with both the general knowledge about SQL Injection attacks and the skills needed to diminish their impact on your applications.

So without further ado, let’s begin our journey…

---

Injections at Large

The term "Injection" describes an attacker’s attempt to send the data in a way that will change the meaning of commands being executed within an interpreter.
... There are lots of interpreters in the typical application environment, such as SQL, LDAP, Operating System, ... and many more. Essentially, Anything with a “command interface” that combines user-given data into a command is susceptible to some form of Injections.

Excerpted from: https://owasp.org/www-community/Injection_Theory

Two articles ago, we have discussed the notorious Cross-Site Scripting (XSS) threat. In its scenarios, an attacker injects malicious code into the application from within its User Interface (via the rendered HTML markup). Such attacks typically do not cause harm to the underlying server infrastructure, but instead are primarily aimed at compromising the service's reputation and affecting its users.

To our pity, however, the arsenal of tools and techniques available to attackers extends far beyond that. There exists another significant category of injection vulnerabilities, which, unlike XSS, exclusively targets the server applications.

This threat class, called Injections, involves situations where a server forwards user input directly to a command or query interpreter (e.g. Database Driver or Command Line) without its preliminary validation and filtering. Knowing such vulnerability exists, an attacker can form a malicious request body that may be used to manipulate the underlying data storage, terminal shell or even the host's operating system itself.

---

Threat Classification

Injections, as a threat, can manifest in various forms, each with its own set of characteristics and potential impacts. However, most of them still may be classified into two principal categories:

• Tampering with Data Sources (like SQLi or NoSQL Injection).

• Tampering with Commands (such as Shell (Command) or Code Injection).

— — — — — — — — — — —

In turn, each of these attacks may be either:

1. In-Band (Correlated) Injections.

   The attacker has already identified a specific vulnerability within the targeted system and has methodically developed a plan to exploit it.

2. Out-of-Band (OOB) Injections.

   The attacker exploits unconventional communication channels (such as DNS lookup) to exfiltrate data from a compromised system. In OOB scenarios, the injection outcomes cannot be deduced through regular means (like the application UI) but can be identified through external methods (hence the term - Out-of-band).
   For example, during SQL Injection a malicious actor can leverage an xp_cmdshell stored procedure to transfer confidential information to a remote endpoint, exposing the sensitive data within.

3. Blind (Inferential) Injections.

   The attacker intends to extract as much insightful data as possible without having a prior plan or knowledge of the targeted system's structure. During this attack, a malicious actor cannot directly observe the results of his actions, primarily relying on indirect trial and error to confirm the success of injection (hence the name - “blind”). These attacks typically appear in three main kinds:

   • Boolean-based Blind - when an attacker exploits the truth or falsehood of logical conditions in SQL queries to extract information. If the system behaves differently based on the injected condition (e.g., returning a page with an error message or not), the attacker can judge the result of his injection.

   • Time-based Blind - when an attacker determines the effect of a malicious query based on how long the application takes to construct a response. In general, such injection is performed with environment-specific procedures that intentionally introduce delays to the response results (e.g. the pg_sleep(5) function in PostgreSQL), thereby normalizing the average response time. If the system takes significantly longer than usual to respond (5 seconds in this case), it suggests that the injected condition is true. If there is no noticeable delay, the condition has not been met.

   • Error-based Blind - when an attacker tricks the application into generating insightful error messages that can reveal information about the database structure or content within. The gathered intelligence can then be used for further service exploitation or blackmailing.

---

Moving onwards to SQL Injection

Let’s begin our in-depth discussion with an overview of the most prevalent injection threat, that revolves around poorly written database integrations. These attacks are usually called SQL Injections (or SQLi for short).

Simply put, SQLi involves the injection of "forged" database queries into vulnerable resources that allow arbitrary execution of SQL statements. The core intent behind these actions is to disrupt the functionality of the associated data source or compromise the confidentiality of the data inside it. Often these attacks modify or delete the existing data, so forth persistently changing the application's content or behavior.

Illustration of a successful SQL Injection attack through the user-facing input

— — — — — — — — — — —

In certain situations, attackers can further escalate the discussed threat, compromising the application server fleet or other infrastructure components.

The majority of SQL Injections follow a rather straightforward scenario:

1. An attacker provides a malicious set of SQL instructions through the user-facing input, which then gets embedded into the API request.

2. If the request isn't blocked by the validation filters, the malicious payload gets embedded into a predefined query template.

3. The composed query gets evaluated, resulting in various negative consequences.

— — — — — — — — — — —

Among others, the consequences of a successful injection attack may include:

• Exposure or complete/partial erasure of the existing sensitive data (both application- and user-specific).

• Execution of dangerous and destructive database operations (like completely shutting down a Database Management System).

• Initiation of the Denial of Service (DoS) attacks on the internal server infrastructure.

• Establishment of an out-of-band replication pipeline between the targeted service and the attacker's data source.

• Unauthorized access to the internal database structure through catalog introspection. The acquired information may then be leaked to a third party or used for planning out future exploitation possibilities.

  For example, in PostgreSQL, an attacker can rely on the following query:

    -- retrives the current version of the database software
    SELECT version();
  
    -- introspects the internal system schema
    -- exposing all existing tables, views, schemas
    -- as well as insightful database metadata
    SET search_path TO information_schema;
    SELECT * FROM tables;
  

---

Real-World Example

To better illustrate a common SQL Injection, imagine a popular e-commerce marketplace that regularly runs sales of its popular offerings. Each offered lot includes a batch of multiple distinct products, and gets replaced daily with another one.

For user convenience, the service includes advanced search & filtering functionality, provided to customers through a webpage's sidebar. When a certain filter gets applied, its value is appended to the current URL as a query parameter.

For example, when a user selects a "Jewellery" product category:
https://www.e-commerce.io/featured?category_filter=Jewellery&<...>

Upon the API request, the populated parameter values are passed directly to the query interpreter that includes them in a database query as-is:

SET search_path TO commerce;

SELECT actual_price, estimated_discount
FROM commerce.products AS p
-- The following query returns first 10 public jewellery products.
-- the default status is "not released", meaning that regular queries
WHERE (p.category = 'Jewellery' AND p.status <> 'not released')
LIMIT 10;

— — — — — — — — — — —

This security oversight is promptly discovered by the market monitoring groups who gladly exploit it to obtain operational data about the upcoming, not yet released lots.

To achieve the desired effect, they used well-known exploitation techniques, such as:

• The URL (ASCII) encoding (converting the special characters like whitespaces to their hexadecimal variants). In the query string below, “%2C” represents a comma, and “+” represents a whitespace.

• The Query Stacking (appending additional commands or conditions that change the query result). In the code piece below, the 42=42 is always truthful, hence the initial category-based conditional check becomes meaningless.

• The Statement Overwriting (commenting out legitimate statements that manipulate the query results). In a query below, the AND p.status <> 'not released' conditional part is excluded from the final SQL statement.

In the end, the following URL is constructed:
https://www.e-commerce.io/featured?category_filter=%2C'+OR+42=42);--cmt&<...>

Which in turn transforms into this SQL statement:

SET search_path TO commerce;

SELECT actual_price, estimated_discount
FROM commerce.products AS p
WHERE (p.category = ',' OR 42=42);--cmt' AND p.status <> 'not released')
LIMIT 10;

— — — — — — — — — — —

Above all, the attacking groups comprise the competitors' marketplaces and arbitral resellers. The first can leverage the obtained pricing information to adjust their marketing campaigns. The second can utilize the obtained insights for bulk purchases of certain products, thereby monopolizing their future sales.

---

Defense Strategies

Now that we have grasped the general execution mechanism behind SQL injections, let us explore the available mitigation strategies that can fortify our applications against them.

1. Avoid exposing an SQL Interpreter.

The main defense strategy is, unsurprisingly, to avoid direct invocations of SQL interpreters in the first place. You should instead use parametrized database interfaces that automatically filter and encode provided dynamic data.

The primary options include:

• The environment-native database clients and connectors, such as node-postgres for PostgreSQL and mysql2 for MySQL.

• The Query Builders (such as Knex.js and Kysely) which operate on a higher layer than the regular database clients, providing simple and consistent interfaces for constructing secure SQL queries.

• The Object Relational Mapping (like TypeORM or Prisma) tools that abstract complex database interactions at the cost of a negligible performance downside.

---

2.1. Validate the incoming Request Data.

Although the assurance of user-provided data validity is not a foolproof solution, it nevertheless remains a crucial defense layer against any kind of payload attack. In particular with SQL Injection, we need to ensure that any request-embedded data does not appear malicious, and can be safely delegated to the SQL interpreter.

So, regarding Input Validation, the current market offers a considerable amount of available options, each having its strengths and weaknesses. The most popular framework-agnostic libraries include Joi, Yup, Ajv and Zod.

In our example, we opted for Zod library that suggests excellent TypeScript support:

/* validator.middleware.ts */
import { z, ZodObject, AnyZodObject, ZodError } from 'zod';
import type { Request, Handler } from 'express';

// defining the base request validation schema
type ZodValidator = z.ZodRawShape & {
  body: AnyZodObject;
  query: AnyZodObject;
  params: AnyZodObject;
};

// a middleware that validates a request against the specified schema
export function validateSchema<
  TSchema extends ZodObject<ZodValidator>
>(schema: TSchema): Handler {
  return async (req, res, next): Promise<unknown> => {
    try {
      const { body, params, query } = req;
      // validating the actual request values
      const result = await schema.safeParseAsync({ body, params, query });

      // if the validation wasn't successful, respond with BadRequest status
      if (!result.success) {
        const errors = result.error.format();
        return res.status(400).json({ error: errors });
      }

      // otherwise, the request will be processed as usual
      next();
    } catch (error) {
      // raising a BadRequest status if unexpected error occurs
      res.status(400);

      if (error instanceof ZodError) {
        return res.json({ error: error.issues });
      }
      res.json({ error });
    }
  };
}

// type that will reflect the schema typing onto the actual request object
export type ZodRequest<TObject extends z.ZodObject<ZodValidator>> = Request<
  z.infer<TObject>['params'],
  // the "ResponseBody" generic type is skipped
  unknown,
  z.infer<TObject>['body'],
  z.infer<TObject>['query']
>;

— — — — — — — — — — —
With this in place, let us create a Zod schema for the user registration use case:

/* registration.spec.ts */
import { validateSchema, type ZodRequest } from './validator.middleware';

// the registration request specification (contract)
const registrationSchema = z.object({
  body: z.object({
    name: z.string().trim(),
    email: z.string().trim().email(),
    password: z.string().min(6).max(24),
  }),
  query: z.object({
    dob: z.date().min(new Date(1900, 0, 1)).optional(),
  }),
  params: z.object({
    userId: z.string().uuid(),
  }),
 // "strict" ensures that presence of any unspecified properties
 // will fail the general validation process
}).strict({
  message: '[Schema Violation] Additional properties detected.',
});

export const registerValidator = validateSchema(registrationSchema);
export type RegisterRequest = ZodRequest<typeof registrationSchema>;

— — — — — — — — — — —
Now, we can hook up the middleware to our route definition:

/* application.ts */
import Express from 'express';
import { registerValidator, RegisterRequest } from './registration.spec';

const app = Express();

app.post(
  'api/register/:userId',
  // applying the validation middleware
  registerValidator,
  (req: RegisterRequest, res) => {
    const { body, params, query } = req;
    // route-specific logic...
    res.sendStatus(200);
  },
);

// other routes...

app.listen(8080, '127.0.0.1');

---

2.2. Sanitize and Escape Dynamic Input.

If your querying logic includes dynamic SQL statements (ones that depend on user-provided payload), please never forward the values directly to the query interpreter. Instead, you may employ the appropriate escaping functions of your database interaction interface, such as the escape() function in the mysql2 MySQL adapter:

import { createPool, escape as escapeSql, escapeId } from 'mysql2/promise';
import Express from 'express';

const connPool = createPool({
  host: '127.0.0.1',
  user: '<your-db-user>',
  password: '<your-db-password>',
  port: 3306,
  // enabling batching in order to specify multiple statements per query
  multipleStatements: true,
});

const app = Express();

app.get('/match-users/:pattern', async (req, res) => {
  try {
    const { pattern } = req.params;
    // manually escaping the provided matching pattern
    const escapedMatch = escapeSql(pattern);

    const [resultRows] = await connPool.query(`
       SELECT u.*
       FROM ${escapeId('customer.users')} AS u
       WHERE CONCAT(u.first_name, ' ', u.last_name) NOT LIKE ${escapedMatch}
       COLLATE utf8mb4_general_ci;
     `);
    res.json({ data: resultRows });
  } catch (error) {
    res.status(500).json({ error });
  }
});

process.on('SIGINT', async () => {
  await connPool.end();
  process.exit(0);
})

app.listen(8080, '127.0.0.1');

This way, even if some attacker were to specify an injection payload:
http://<app-address>/match-users/'John Doe';DROP TABLE customer.users;--

The malicious SQL statements will be treated as regular strings, rendering his attack attempt unsuccessful.

— — — — — — — — — — —

However, this approach is not recommended, and is often replaced by the
prepared queries that are less error-prone and generally easier to work with.

---

3. Leverage Prepared Queries.

Prepared queries (or parametrized statements) is a practical concept that propagates the separation of the query templates (usual SQL instructions) from the dynamic values they depend upon (user-given payload). It assumes that both components should be treated as distinct entities; i.e. interpreted and escaped individually and then composed into a single meaningful query.

Most low-level database adapters provide this feature naively, as well as all higher-level Query Builders and ORMs that completely take this responsibility upon themselves. This approach is much safer than the general string concatenation or interpolation, as it allows you to benefit from the built-in sanitization of the underlying database connector.

But please note that to utilize this functionality, we often need to rewrite the initially insecure queries using named placeholders. These placeholders, typically indicated with the question mark (?) symbol, instruct the database interface to automatically escape the input passed to it before finalizing the query.

Here is an example of using the mysql2 MySQL adapter to resolve the issue from the E-Commerce Marketplace example discussed above:

import { createPool } from 'mysql2/promise';
import Express from 'express';

const app = Express();

const connPool = createPool({
  host: '127.0.0.1',
  user: 'your_database_user',
  password: 'your_database_password',
  database: 'your_database_name',
  port: 3306,
});

app.get('/products', async (req, res) => {
  const { productCategory } = req.query;

  const queryResults = await connPool.query(
    `SELECT actual_price, estimated_discount
     FROM e-commerce.active_products AS p
     WHERE p.category = ? AND p.status = 'not released'
    `,
    [productCategory],
  );

  res.status(200).json({ data: queryResults });
});

process.on('SIGINT', async () => {
  await connPool.end();
  process.exit(0);
});

app.listen(8080, '127.0.0.1');

With the code changes above, the outlined scenario would be impossible to implement on the attacker side, as any category value (no matter malicious or not) will be converted to a plain string that won't alter the resulting SQL query.

---

4. Adopt the Least Privilege Principle.

The Principle of Least Privilege (abbr. PoLP) is a crucial security aspect of any AuthN/AuthZ mechanism. It involves limiting the permissions of database users to the minimum necessary for their tasks.

For example, a user who mediates interactions between a web application and the database itself might not need access to its entirety. Instead, his access rights should be narrowed down to the objects he really needs (tables, views etc.) to reduce the impact of potential privilege misuse.
So, always try to limit the database user's privileges to only what is necessary, and avoid using application-wide administrative accounts at all costs.

— — — — — — — — — — —

Let's see how we can start implementing the PoLP with two examples:

1. Consider a scenario where your application interacts with the PostgreSQL database. Instead of using a superuser account with broad permissions, create dedicated roles for narrow, specific tasks. This role-based approach provides flexible and fine-grained control over who can access what within the database:

-- Create a read-only role
CREATE ROLE ro_commerce WITH LOGIN PASSWORD '<your-password>';
GRANT CONNECT ON DATABASE commerce TO ro_commerce;

GRANT SELECT
ON ALL TABLES
IN SCHEMA products
TO ro_commerce;


-- Create a write-only role
CREATE ROLE wo_commerce WITH LOGIN PASSWORD '<another-password>';
GRANT CONNECT ON DATABASE commerce TO wo_commerce;

GRANT INSERT, UPDATE, DELETE
ON ALL TABLES
IN SCHEMA products
TO wo_commerce;

— — — — — — — — — — —

2. Another common technique is to use read-only SQL Views to restrict user access to specific columns, especially in joined datasets with sensitive information. This disallows access to the underlying tables, reducing the risk of unauthorized modifications:

CREATE TABLE IF NOT EXISTS products.featured_products (
    id BIGSERIAL PRIMARY KEY,
    title VARCHAR(50) NOT NULL,
    sku VARCHAR(10) NOT NULL
);

CREATE TABLE IF NOT EXISTS products.product_details (
    id BIGSERIAL,
    prod_id BIGINT,
    description TEXT NULL DEFAULT '',
    price DECIMAL(10, 2) NOT NULL,

    CONSTRAINT prod_details_pk PRIMARY KEY (id, prod_id),

    CONSTRAINT prod_id_fk FOREIGN KEY(prod_id)
    REFERENCES products.featured_products(id)
);


-- Create a view that exposes only necessary columns
-- You can also use a materialized view for persistent caching
CREATE VIEW products.featured_offerings AS (
  SELECT fp.*, pd.description, pd.price
  FROM products.featured_products AS fp
  JOIN products.product_details AS pd ON fp.id = pd.prod_id
);

-- Grant access to the view for a specific user role
CREATE ROLE ro_featured WITH LOGIN PASSWORD '<your-password>';
GRANT SELECT ON products.featured_offerings TO ro_featured;

— — — — — — — — — — —

In addition to the methods above, you can adhere to the following best practices:

1. Regularly re-evaluate already assigned user/group permissions.

2. Deactivate user accounts that are no longer actively utilized.

3. Revise the permissions assigned to administrative groups, and closely monitor their activities.

4. Maintain an audit trail of all the activities within your DBMS infrastructure.

---

5. Encapsulate the Database Logic with Stored Procedures.

The concept of Stored Procedures has been around for quite a long time but has never fallen off its popularity and significance in securing database interactions.

It offers a way to encapsulate the data-related business logic within the database itself, thus preventing it from ever becoming a vulnerability target for attackers. At the time of writing this article, all major RDBMS (Postgres, MySQL, SQL Server via T-SQL and Oracle via PL/SQL) provide full support for the stored procedures, and only SQLite falls behind.

So, by invoking stored procedures from the application's codebase, you can fully ensure that critical operations are handled securely and attackers have no conventional means to access the underlying SQL queries.

For example, let's create a stored procedure (function) that retrieves an existing employee’s salary within a Postgres database:

CREATE OR REPLACE
FUNCTION get_employee_salary(employee_id integer)
RETURNS numeric AS -- return type - numeric value

-- start of the function definition
$$
DECLARE
    -- declaring a variable that will server as a salary container
    salary numeric;
-- function body
BEGIN
    -- utilizing native parameterized queries
    EXECUTE 'SELECT emp_salary FROM internal.employees WHERE emp_id = $1'
        INTO salary
        USING employee_id;

    -- verifying whether employee exists, return his salary if so
    IF FOUND THEN
        RETURN salary;
    ELSE
        -- handling the case where the employee doesn't exist
        RAISE EXCEPTION 'Employee with ID % not found', employee_id;
    END IF;
END;
-- end of the function definition
$$

LANGUAGE plpgsql;

With stored procedures, you can easily describe the domain use cases without exposing raw SQL queries in your application's codebase.

---

6. Elevate Database Security through Automation.

Please keep in mind that, while manual security measures provide a decent level of protection, they can secure a database only up to a certain point. To establish more reliable defenses, we need to be able to automate specific processes. Among others, these include database Penetration Testing and Audit Logging.

— — — — — — — — — — —

Automate SQL Injection Testing.

The sqlmap is a powerful pen-testing command-line utility that automates the process of detecting and exploiting SQL injection vulnerabilities. It is often used to assess the resiliency of specified resources by simulating a suite of common injection attacks against it. So, when you need to identify flawed database interactions, this tool can come in handy.

Once installed, you can run the sqlmap CLI against your application's endpoints to check for SQLi vulnerabilities. For example:

# Run sqlmap suite against a target resource URL
sqlmap \
  -u "http:/<your-app-url>/<your-resource-path>" \
  --risk 3 --level 5 --batch

The parameters used in this example are as follows:

• -u: Specifies the target URL.

• --risk: Sets the risk level for the injection tests (0-3, where 3 is the most risky).

• --level: Defines the depth of tests to be performed (1-5, where 5 is the most comprehensive).

• --batch: Enables batch mode for automatic testing without user interaction.

— — — — — — — — — — —

Automate Database Audit Logging.

Database management systems often provide auditing extensions that allow you to monitor and log database activities. These extensions can help you track potentially malicious queries and unauthorized access attempts.

For example, PostgreSQL offers the pgAudit extension, which enables automatic activity auditing for your database:

-- Plug in the installed "pgAudit" extension
CREATE EXTENSION IF NOT EXISTS pgaudit;

-- Configure pgAudit to log all DQL and DML statements
ALTER SYSTEM SET pgaudit.log = 'read, write';

-- Alternatively, instruct pgAudit to log executed sql for ALL tables:
-- ALTER SYSTEM SET pgaudit.log = 'all, -misc';

-- Reload PostgreSQL for changes to take effect
SELECT pg_reload_conf();

By incorporating database auditing tools like pgAudit into your security strategy, you gain control over monitoring and assessing your application's security status. Moreover, regular application audits not only help uncover latent vulnerabilities but also provide the valuable insights necessary to address potential threats.

---

7. Incorporate a Web Application Firewall.

Even following well-established best practices will not prevent you from some unexpected issues like SQL injection. And so, without permanent monitoring and swift reactions, it's only a matter of time before a new and troublesome attack will catch your infrastructure off guard. But don't fret, as there exists a viable solution to address this concern - Web Application Firewall (WAF).

The WAF is a specialized software designed to secure applications against a diverse range of potential threats, with a primary mission of thwarting (D)DoS, XSS, and, of course, various injection-based attacks. The WAF essentially acts as a barrier, positioned between the server it's installed on and the incoming Internet traffic. It excels at recognizing and filtering out malicious request patterns, ensuring they never breach the preliminary shield and reach the services beyond.

Firewalls take pride in their expansive threat intelligence networks, which get regularly updated with newly discovered entries. This ongoing enhancement allows them to effectively neutralize the most up-to-date attacks, while also minimizing the risk of flagging the legitimate traffic as false positives.

Moreover, the modern iteration of WAFs goes beyond mere threat identification and blocking. They integrate more comprehensive solutions that both augment detection and employ advanced heuristics. For example, when confronted with an input that raises suspicion but may not be entirely malicious, the WAF can intelligently reference the reputation or historical behavior of the incoming IP. This adaptive approach enables the firewall to make informed decisions about blocking requests, and so forth to provide an extra layer of defense against potential attacks.

However, bear in mind that the adoption of a comprehensive WAF security suite often comes at an additional cost. So although a firewall is deemed a de-facto security facade, we advise you to thoroughly assess the features offered by each Firewall provider, and take a weighted decision tailored to your specific use case. It is also recommended to consult with your project team or organization to devise the most suitable security strategy based on the existing non-functional requirements.

Post Scriptum: To familiarize yourself with the available Web Application Firewall options on the current market, please refer to an excellent resource providing a comparative analysis of various well-known WAF vendors.

---

Conclusion

In this part of our series, we've taken a deep dive into the world of SQL Injection threats, which has provided us with a solid understanding of this attack pattern, as well as essential knowledge of mitigation mechanisms that constrain such threats.

Please keep in mind that countermeasures described here are imperfect on their own, and require their application-specific combination to serve as a reliable layer of defense.

So, with this, you are now well-equipped to secure any server-side applications and get ready to continue exploring the intricacies of SQL Injections on your own.

Stay vigilant and embrace a holistic approach to server-side security.

Additional Resources

For further exploration of the SQLi vulnerabilities and security best practices, you can refer to these external resources:

• OWASP: SQL Injection Introduction

• Prisma's Data Guide: Query Builders vs ORMs

• Teleport: The Principle of Least Privilege

• pgAudit documentation

• sqlmap documentation

• eSecurity Planet: WAF Vendor Comparison

In the next article…

Very soon, we will continue to enhance our comprehension of the prevalent attack patterns within the domain of web security. Specifically, we will explore the core principles of another database-level threat, known as NoSQL Injection. This threat gets progressively more prevalent with the rising popularity of non-relational data sources.

If that sounds interesting, stay tuned for further updates!
Until then, stay secure and happy coding!