Home > Mobile >  DynamoDB - Securely Put/Update to avoid "SQL" Injection (Python)?
DynamoDB - Securely Put/Update to avoid "SQL" Injection (Python)?

Time:11-08

I have a Python function that receives user input with no character limitations (spaces, special chars, etc. all allowed). It then writes the input to a DynamoDB table.

In relational SQL, any write transaction to a database should be parameterized to avoid SQL injection. Are there any similar best practices to avoid security issues when writing user-provided data in Dynamo?

CodePudding user response:

I think there is no "SQL injection" in DynamoDB

The best practice to interact with DynamoDB tables that using the AWS SDK with the low level APIs

There is only your Identity permission and your code can modify the data in DynamoDB, no one else with some kind of scripts can do that

CodePudding user response:

Injection attacks are absolutely possible in NoSQL databases!

The best thing you can do is validate your input and then escape the string parameters

The impact of an injection attack in DynamoDB might not be so severe. Still, you can sometimes retrieve results you were not supposed to recover, which could be problematic or not depending on the business case. This can be used to steal data or overload the system.

Example:

If you are using the greater than operator it performs a lexicographical comparison and if you provide a special char with low ASCII value you can exploit it.

dynamo.scan(TableName = 'my-table', Select = 'ALL_ATTRIBUTES', 
                ScanFilter = {'username': {"AttributeValueList": [{"S": "*"}],
                                             "ComparisonOperator": "GT"}})

if the value in AttributeValueList is injected as an unescaped parameter, this can be exploited very easily

  • Related