New CS: GraphQL by bigshebang · Pull Request #434 · OWASP/CheatSheetSeries

Again, I don't like the idea of narrowing Injections to SQL Injection.
GraphQL is widely used with NoSQL databases, and LDAP queries, OS commands, XML parsers, and ORM/ODM injections cannot be neglected.

While looking for public API incidents to include in the OWASP API Security Top 10, we found several OS commands.

When handling input meant to be passed to another interpreter (e.g. SQL/NoSQL, OS, LDAP), always prefer safe APIs with support for parameterized statements. If such APIs are not available, always escape/encode input data according to the target interpreter.
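As an added example of the two branches of that guidance (parameter binding where the driver supports it, interpreter-specific escaping where it does not), written for this comment and not taken from the cheat sheet or the PR: two resolver-style functions for a hypothetical `user(login: String)` GraphQL field, one backed by a SQL table and one building an LDAP search filter. The SQLite table, its rows and the resolver names are all constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for the application's user store.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (login TEXT, role TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "admin"), ("bob", "user"), ("o'neil", "user")])


def resolve_user_unsafe(login):
    """'Before' form: the GraphQL argument is concatenated into the SQL text.
    Any quote in the argument becomes part of the statement instead of data,
    so even a legitimate login such as o'neil breaks the query."""
    sql = "SELECT login, role FROM users WHERE login = '" + login + "'"
    return _conn.execute(sql).fetchall()


def resolve_user(login):
    """Preferred form: parameterized statement. The driver binds `login` as a
    value, so quotes and keywords inside it are inert."""
    sql = "SELECT login, role FROM users WHERE login = ?"
    return _conn.execute(sql, (login,)).fetchall()


# Fallback for an interpreter with no parameter binding: escape according to
# that interpreter's grammar. These are the RFC 4515 escapes for characters
# that are special inside an LDAP search filter value (hypothetical helper).
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_ldap_filter_value(value):
    """Single-pass escape so a backslash produced here is never re-escaped."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def resolve_user_ldap_filter(login):
    """Builds the filter string a resolver would hand to the directory; the
    escaped argument cannot open or close filter components."""
    return "(&(objectClass=person)(uid=" + escape_ldap_filter_value(login) + "))"
```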