
Serverless Single Page Apps by Ben Rady


Query Injection Attacks

The first type of attack we’re going to look at is a query injection attack. You may have heard of a more specific form of it: the SQL injection attack. But the underlying vector, untrusted input becoming part of the text of a query rather than a value the query operates on, takes many forms, and not all of them involve SQL.

Part of the custom service we created in the previous chapter makes a DynamoDB scan request. In that request, we used the ExpressionAttributeValues parameter to pass parameterized values alongside the query. The FilterExpression string refers to those values by placeholder name (the ones beginning with a colon), so the value itself is never spliced into the expression text. Take another look at that code, and see if anything seems strange to you:

 exports.dynamodb.scan({
   FilterExpression: "problemId = :problemId",
   ExpressionAttributeValues: {
     ":problemId" ...
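To make the difference between a parameterized value and a concatenated expression concrete, here is an added example (it is not code from the book, and it does not run against DynamoDB). It places a request shaped like the chapter's parameterized scan next to a hypothetical, deliberately unsafe variant that splices a client-supplied field name into the expression, and runs both through a small in-memory stand-in for filter evaluation. The stand-in is an assumption for illustration only: it implements a subset of the expression grammar (`path = :value`, `attribute_exists(path)`, AND and OR with AND binding tighter, and `#name` placeholders resolved through ExpressionAttributeNames) and, like the real service, refuses literal values inside the expression. The item list, the payload string and the builder function names are constructed for the example.

```javascript
// Added example (not from the book): parameterized vs. concatenated filters,
// evaluated by a tiny in-memory stand-in for DynamoDB filter evaluation.
// The stand-in is a simplification and not the real engine.

// Constructed sample items, standing in for the rows a scan would walk.
const ITEMS = [
  { id: 'a1', problemId: 1, answer: 'true' },
  { id: 'b2', problemId: 2, answer: 'false' },
  { id: 'c3', problemId: 3, answer: '1 + 1' },
];

function tokenize(expr) {
  const leftover = expr.replace(/\(|\)|=|:\w+|#\w+|\w+|\s+/g, '');
  if (leftover) throw new Error('unexpected characters: ' + leftover);
  return expr.match(/\(|\)|=|:\w+|#\w+|\w+/g) || [];
}

// Compiles a FilterExpression into a predicate over one item.
function compileFilter(expr, values, names) {
  const tokens = tokenize(expr);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const expect = (want) => {
    const got = next();
    if (got !== want) throw new Error(`expected ${want}, got ${got}`);
  };
  // A #placeholder is substituted as an attribute *name* only; whatever it
  // contains can never add operators or structure to the expression.
  const resolvePath = (tok) => {
    if (tok === undefined || /^[:=()]/.test(tok) || tok === 'AND' || tok === 'OR') {
      throw new Error('attribute path expected, got ' + tok);
    }
    if (!tok.startsWith('#')) return tok;
    if (!(tok in names)) throw new Error('undefined name placeholder ' + tok);
    return names[tok];
  };
  function parseFactor() {
    if (peek() === 'attribute_exists') {
      next();
      expect('(');
      const path = resolvePath(next());
      expect(')');
      return (item) => Object.prototype.hasOwnProperty.call(item, path);
    }
    const path = resolvePath(next());
    expect('=');
    const ph = next();
    // Mirrors the service's rule: comparison values must be :placeholders.
    if (!ph || !ph.startsWith(':')) throw new Error('value placeholder expected, got ' + ph);
    if (!(ph in values)) throw new Error('undefined value placeholder ' + ph);
    return (item) => item[path] === values[ph];
  }
  function parseTerm() {
    let pred = parseFactor();
    while (peek() === 'AND') {
      next();
      const left = pred, right = parseFactor();
      pred = (item) => left(item) && right(item);
    }
    return pred;
  }
  function parseExpr() {
    let pred = parseTerm();
    while (peek() === 'OR') {
      next();
      const left = pred, right = parseTerm();
      pred = (item) => left(item) || right(item);
    }
    return pred;
  }
  const pred = parseExpr();
  if (pos !== tokens.length) throw new Error('trailing tokens: ' + tokens.slice(pos).join(' '));
  return pred;
}

// Stand-in for dynamodb.scan(): applies the filter to every item.
function scan(params) {
  return ITEMS.filter(compileFilter(params.FilterExpression,
    params.ExpressionAttributeValues || {}, params.ExpressionAttributeNames || {}));
}

// Same shape as the chapter's request: the value travels as a placeholder.
function buildParamsSafe(problemId) {
  return { FilterExpression: 'problemId = :problemId',
           ExpressionAttributeValues: { ':problemId': problemId } };
}

// Hypothetical contrast (not the chapter's code): a "filter on any field"
// feature that splices the client-supplied field name into the expression.
// The value is still parameterized, but the structure is attacker-controlled.
function buildParamsUnsafe(field, value) {
  return { FilterExpression: field + ' = :value',
           ExpressionAttributeValues: { ':value': value } };
}

// Fix for the contrast case: the field name becomes a name placeholder too.
function buildParamsNamed(field, value) {
  return { FilterExpression: '#field = :value',
           ExpressionAttributeNames: { '#field': field },
           ExpressionAttributeValues: { ':value': value } };
}

// Constructed payload: read as structure it becomes `... OR id = :value`.
const PAYLOAD = 'problemId = :value OR attribute_exists(id) OR id';

function demo() {
  const ids = (items) => items.map((i) => i.id);
  return {
    safeLookup: ids(scan(buildParamsSafe(2))),            // ['b2']
    safeWithPayload: ids(scan(buildParamsSafe(PAYLOAD))), // [] : compared, never parsed
    unsafeLookup: ids(scan(buildParamsUnsafe('problemId', 2))),
    unsafeWithPayload: ids(scan(buildParamsUnsafe(PAYLOAD, 2))), // every item
    namedWithPayload: ids(scan(buildParamsNamed(PAYLOAD, 2))),   // []
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The payload is the same string in every case; what changes is the slot it lands in. Delivered through ExpressionAttributeValues or ExpressionAttributeNames it is compared or looked up as an opaque name and matches nothing, while concatenated into the expression it is parsed as operators and widens the filter to every item.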
