Query Injection Attacks

The first type of attack we’re going to look at is a query injection attack. You may have heard of a more specific type of this attack: a SQL injection attack. But this particular attack vector can take many forms, and not all of them are based on SQL.

Part of the custom service we created in the previous chapter makes a DynamoDB scan request. In that request, we used the ExpressionAttributeValues parameter to add parameterized values to the query. The FilterExpression string referred to these values. Take another look at that code, and see if anything seems strange to you:

exports.dynamodb.scan({
  FilterExpression: "problemId = :problemId",
  ExpressionAttributeValues: {
    ":problemId" ...
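To make the difference between a parameterized filter and a string-built one concrete, here is an added example in Node.js; it is not code from the book or its sample project. It assumes a DocumentClient-style request where ExpressionAttributeValues holds plain JavaScript values, a table named "problems", and a hypothetical untrusted problemId taken from the incoming request. The lint helper is also an assumption: a small check a handler can run on its own scan parameters before sending them, not a DynamoDB API.

```javascript
// Added example: building DynamoDB scan parameters safely (not from the book).
// Assumes DocumentClient-style plain values in ExpressionAttributeValues.

// Unsafe pattern: the untrusted value is interpolated into the expression string,
// so whatever the caller sends becomes part of the expression syntax itself.
function buildScanParamsUnsafe(tableName, problemId) {
  return {
    TableName: tableName,
    FilterExpression: `problemId = ${problemId}`,
  };
}

// Validate the untrusted input first: accept only a non-negative integer
// (as a number or a digit-only string) and reject anything else.
function parseProblemId(input) {
  const text = String(input);
  if (!/^\d+$/.test(text)) {
    throw new Error(`invalid problemId: ${JSON.stringify(input)}`);
  }
  return Number(text);
}

// Safe pattern (the shape the chapter's code uses): the expression is a constant,
// and the validated value travels separately as a named placeholder.
function buildScanParamsSafe(tableName, problemId) {
  return {
    TableName: tableName,
    FilterExpression: 'problemId = :problemId',
    ExpressionAttributeValues: { ':problemId': parseProblemId(problemId) },
  };
}

// Defensive check (hypothetical helper): every ":placeholder" in the expression
// must be defined in ExpressionAttributeValues, and no literal number or quoted
// string may appear inline. Returns a list of problems; empty means clean.
const KEYWORDS = new Set(['AND', 'OR', 'NOT', 'BETWEEN', 'IN']);
function lintFilterExpression(params) {
  const problems = [];
  const values = params.ExpressionAttributeValues || {};
  // Split on whitespace, parentheses, comparison operators and commas.
  const tokens = (params.FilterExpression || '').match(/[^\s()=<>,]+/g) || [];
  for (const tok of tokens) {
    if (tok.startsWith(':')) {
      if (!(tok in values)) problems.push(`placeholder ${tok} has no value`);
    } else if (/^\d/.test(tok) || /^["']/.test(tok)) {
      problems.push(`literal ${tok} embedded in expression`);
    } else if (KEYWORDS.has(tok.toUpperCase()) || /^[A-Za-z_#][\w.#]*$/.test(tok)) {
      // attribute name, function name (e.g. begins_with) or keyword: fine
    } else {
      problems.push(`unexpected token ${tok}`);
    }
  }
  return problems;
}

// Usage with a constructed request value; the real handler would pass
// the built params to dynamodb.scan(...).
const requestedId = '42'; // constructed sample input
console.log(lintFilterExpression(buildScanParamsSafe('problems', requestedId)));   // []
console.log(lintFilterExpression(buildScanParamsUnsafe('problems', requestedId))); // flags the inline literal
```

The lint flags the unsafe builder even for a perfectly legitimate id, which is the point: once a value is spliced into the expression string, the request no longer records which part was the query and which part came from the client. Keeping the expression constant and routing all client data through ExpressionAttributeValues preserves that boundary.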
