A vulnerability scanner reports that a web application is susceptible to SQL injection attacks. The development team states that the affected endpoint is only accessible to authenticated users. What is the correct risk assessment?

  A. The finding should be downgraded to low severity due to authentication controls
  B. SQL injection is still high-risk regardless of access requirements because authenticated users could be compromised ✓
  C. The vulnerability is not a concern because only authenticated users can access it
  D. SQL injection vulnerabilities never warrant fixing if authentication is in place

Correct answer: SQL injection is still high-risk regardless of access requirements because authenticated users could be compromised

Option B is correct because SQL injection is classified as a high-severity vulnerability regardless of whether an authentication gate exists, since authenticated accounts can be stolen, phished, or compromised through credential theft, session hijacking, or insider threats, allowing an attacker to reach and exploit the vulnerable endpoint. Authentication reduces the attack surface but does not eliminate the underlying vulnerability or its potential impact, which can include data exfiltration, data manipulation, and authentication bypass. Option A is incorrect because authentication controls are a compensating measure, not a remediation, and downgrading severity based on access controls alone understates residual risk. Option C is incorrect for the same reason: the presence of authentication does not make SQL injection a non-concern, as authenticated sessions are routinely compromised. Option D is incorrect and represents a dangerously flawed security posture; SQL injection vulnerabilities must be remediated at the code level regardless of access controls.

Topic: sql injection, vulnerability assessment, risk rating, web application security

Practice CompTIA CySA+ (CS0-003) Questions Free