Security

  • Risk: It is possible to view, modify or delete database entries and tables

  • Cause: Sanitation of hazardous characters was not performed correctly on user input

  • Fix: Review possible solutions for hazardous character injection

  • Reasoning: The test result seems to indicate a vulnerability because it shows that values can be appended to parameter values, indicating that they were embedded in an SQL query. In this test, three (or sometimes four) requests are sent. The last is logically equal to the original, and the next-to-last is different. Any others are for control purposes. A comparison of the last two responses with the first (the last is similar to it, and the next-to-last is different) indicates that the application is vulnerable.

How to fix

https://sequelize.org/v5/manual/raw-queries.html

Make sure raw queries pass user input through Sequelize's `replacements` or `bind` options (see the link above), so values are supplied as query parameters instead of being concatenated into the SQL string.
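The following is an added example, not code from the original page or from the Sequelize project. It shows the vulnerable string-concatenation pattern next to the two parameterised shapes that Sequelize's raw-query API accepts (`replacements` and `bind`), and a small check that the SQL text stays constant regardless of input. The `users` table, the column names and the hostile input are constructed for illustration; the functions only build the arguments that would be handed to `sequelize.query(sql, options)`, so the block runs offline without a database.

```javascript
// VULNERABLE: the user-supplied value is interpolated into the SQL text, so
// hazardous characters (quotes, comment markers) alter the query's structure.
function findUserUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// HARDENED (replacements): the SQL text is a fixed template and Sequelize
// escapes each value when it substitutes the named ':username' placeholder.
// "SELECT" is the string value of Sequelize's QueryTypes.SELECT.
function findUserWithReplacements(username) {
  return {
    sql: "SELECT id, email FROM users WHERE username = :username",
    options: { replacements: { username }, type: "SELECT" },
  };
}

// HARDENED (bind): the SQL text carries a positional '$1' placeholder and the
// value travels separately as a bind parameter, so the database driver never
// parses it as SQL.
function findUserWithBind(username) {
  return {
    sql: "SELECT id, email FROM users WHERE username = $1",
    options: { bind: [username], type: "SELECT" },
  };
}

// Defender's check: a builder is structurally safe only if the SQL text it
// produces is identical for every input. Accepts builders that return either
// a bare string (the unsafe form) or a { sql, options } pair.
function sqlTextIsFixed(builder, inputs) {
  const texts = new Set(
    inputs.map((input) => {
      const query = builder(input);
      return typeof query === "string" ? query : query.sql;
    })
  );
  return texts.size === 1;
}

// Constructed sample inputs (hypothetical, not taken from the page).
const BENIGN = "alice";
const HOSTILE = "alice' OR '1'='1";

// Demonstration: the unsafe builder lets the input rewrite the WHERE clause,
// the bound builders keep the same SQL text and carry the value verbatim.
console.log(findUserUnsafe(HOSTILE));
console.log("unsafe text fixed:", sqlTextIsFixed(findUserUnsafe, [BENIGN, HOSTILE]));
console.log("bind text fixed:", sqlTextIsFixed(findUserWithBind, [BENIGN, HOSTILE]));
console.log("bind parameters:", findUserWithBind(HOSTILE).options.bind);
```

In a real application the hardened builders' output is used as `await sequelize.query(q.sql, q.options)`; the check function is the kind of assertion you can keep in a unit test so a later refactor that slips back into string concatenation fails CI rather than reaching production.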