
Author: Government Digital Service (GDS)

ArcGIS REST Services

What this means

Some configurations of legacy ArcGIS REST Services are susceptible to SQL injection vulnerabilities.

Why this is a problem

SQL injection vulnerabilities occur when applications allow malicious actors to manipulate input parameters in HTTP requests to execute unauthorised SQL commands on the underlying database. Input parameters can include:

  • those found in filtering criteria
  • WHERE clauses
  • sorting fields

If exploited, this can result in:

  • data breaches
  • database corruption
  • privilege escalation

During a data breach, attackers can retrieve sensitive geospatial, user or organisational data from the database. This can cause legal and reputational damage.

Database corruption can happen when attackers execute commands to delete or alter data. This can affect the integrity and reliability of the service.

Privilege escalation is when attackers execute administrative commands or gain unauthorised access to restricted resources.

How to check if the problem is there

To understand whether ArcGIS REST Services are vulnerable to SQL injection, an administrator should:

  • check they are running the latest version of ArcGIS
  • review application logs – analyse server logs for unusual SQL queries or errors (for example, syntax or database errors) that may indicate attempted SQL injection attacks
  • carry out a thorough review of the application’s source code
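As an added illustration of the log-review step above (example code written for this page, not part of the guidance or of Esri's tooling), the script below reads constructed access-log lines for the ArcGIS REST query operation, flags filter and sort expressions that contain SQL comment sequences, tautology-style OR clauses or bare SQL keywords, and correlates them with 5xx responses from the same client. The sample log lines are constructed, and `where`, `orderByFields` and `outFields` are assumed here to be the query-operation parameters that carry user-supplied expressions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /arcgis/rest/services/Roads/FeatureServer/0/query?where=STATUS%3D%27OPEN%27&outFields=*&f=json HTTP/1.1" 200 5120
10.0.0.9 - - [01/May/2024:10:00:02 +0000] "GET /arcgis/rest/services/Roads/FeatureServer/0/query?where=STATUS%3D%27OPEN%27+OR+1%3D1--&outFields=*&f=json HTTP/1.1" 500 312
10.0.0.9 - - [01/May/2024:10:00:03 +0000] "GET /arcgis/rest/services/Roads/FeatureServer/0/query?where=1%3D1&orderByFields=NAME%3B+SELECT&f=json HTTP/1.1" 500 298
10.0.0.5 - - [01/May/2024:10:00:04 +0000] "GET /arcgis/rest/services/Roads/FeatureServer/0/query?where=STATUS%3D%27CLOSED%27&orderByFields=NAME+DESC&f=json HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Query-operation parameters assumed to carry filter, sort and field expressions.
SQL_PARAMS = ("where", "orderByFields", "outFields")
# Conservative indicators that an expression is not a plain field comparison.
SUSPICIOUS = [
    (re.compile(r"--|/\*|;"), "comment or statement separator"),
    (re.compile(r"\bOR\b\s+\S+\s*=\s*\S+", re.I), "tautology-style OR clause"),
    (re.compile(r"\b(UNION|SELECT|DROP|INSERT|UPDATE|DELETE|EXEC)\b", re.I), "SQL keyword in expression"),
]

def inspect_line(line):
    """Parse one line; return source IP, HTTP status and suspicion reasons, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    reasons = set()
    for name in SQL_PARAMS:
        for value in params.get(name, []):  # parse_qs has already URL-decoded the value
            reasons.update(why for rx, why in SUSPICIOUS if rx.search(value))
    return {"ip": m["ip"], "status": int(m["status"]), "reasons": reasons}

def triage(log_text):
    """Per source IP: count requests with suspicious expressions, 5xx responses, and why."""
    report = {}
    for line in log_text.splitlines():
        rec = inspect_line(line)
        if rec is None:
            continue
        e = report.setdefault(rec["ip"], {"suspicious": 0, "errors": 0, "reasons": set()})
        e["suspicious"] += bool(rec["reasons"])
        e["errors"] += rec["status"] >= 500
        e["reasons"] |= rec["reasons"]
    return report

def flagged_ips(report):
    """IPs that both sent odd expressions and triggered server errors: the pattern to review."""
    return sorted(ip for ip, e in report.items() if e["suspicious"] and e["errors"])
```

A client appearing in `flagged_ips` warrants a manual look at the full request bodies and the database error log rather than an automatic block, since legitimate queries can also contain semicolons or the word SELECT inside string values.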

How to fix this

To mitigate SQL injection attacks against ArcGIS, make sure you are using the latest version of the ArcGIS software. Regularly apply the patches and updates provided by Esri to address known vulnerabilities. If you are running a custom version, implement all known security fixes.

Also consider implementing the following mitigations and defence-in-depth measures:

  • a Web Application Firewall (WAF) or Next Generation Firewall (NGFW) product in front of the service to block malicious requests before they reach the server
  • IP whitelisting
  • geolocation-based IP address blocking
  • micro-segmentation in the backend infrastructure to limit lateral movement if the service is compromised

You can also monitor web server logs through Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) products to detect host intrusion.
