SQL injection vulnerabilities are quite common and very dangerous. An SQL injection vulnerability can only occur in a software application that fronts a database, which just happens to be a very common occurrence. SQL injection attacks stem from the same root problem: input that is not validated. With a bit of understanding of the web application and a sniffer trace, a malicious user could craft an SQL statement that was not intended and "trick" the web application into returning data or performing some other SQL command rather than the intended one.
The first thing that needs to be done is to understand how the web application interfaces with the backend database. Either you will have the design documents to work with or you can use a sniffer utility to determine what is occurring. See the sniffer applications entry under Tools for more information on the types of sniffer applications.
If a site is vulnerable to SQL injection, a large number of other problems could follow. This is a simple and easy vulnerability to exploit: all an attacker needs is to know SQL and to have some understanding of how the information is passed.
Example of an SQL injection vulnerability
To understand how an SQL injection vulnerability could occur, imagine the following situation. Say your website has a method to search for users. A user search page is created which could include something like the following.
<form method="post" action="searchuser.php">
  <input type="text" name="username">
  <input type="submit" value="Search" name="search">
</form>
This HTML snippet passes the username to the dynamic page searchuser.php. searchuser.php takes the username and adds it to an SQL statement, as in the following PHP code snippet.
$username = $_POST['username'];   // taken straight from the form, unvalidated
// Vulnerable: the raw input is concatenated into the SQL text
// ($mysqli is assumed to be an open mysqli connection)
$sqlResult = $mysqli->query("SELECT * FROM users WHERE username = '" . $username . "';");
Think about this statement and see if you can figure out what the problem is. You might say the $username should be validated before it is added to the SQL statement. That is exactly what should be done. Because it is not, a malicious user could attach additional SQL to the username by passing in something like:
admin' OR 1=1 --
Think about what the SQL statement would look like:
SELECT * FROM users WHERE username = 'admin' OR 1=1 --';
Notice this will either select the admin account or evaluate 1=1, which is always true. In SQL terms the WHERE clause now matches every row, so the query returns the entire users table, and the users table could contain all sorts of additional sensitive information. The trailing -- turns the rest of the original statement into a comment, so the query still parses. This is just one example of the type of attack that could be performed with SQL injection.
How to protect against SQL injection vulnerabilities
SQL injection vulnerabilities can occur any time some type of input is accepted; they arise where input comes in, not where output is sent. Any input should be validated, checked, and sanitized against a white list before being used.
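As an added example that is not part of the original post, the concatenated query from the article beside two defenses: a prepared statement, and the white-list check the article recommends layered on top of it. It assumes PHP with PDO and the SQLite driver; the users table and its rows are constructed sample data.

```php
<?php
// Added example, not code from the original post: the article's concatenated
// query beside two defenses. Runs offline against an in-memory SQLite
// database through PDO; the users table and its rows are constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, email TEXT)");
$db->exec("INSERT INTO users VALUES ('admin', 'admin@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the same string concatenation as searchuser.php in the article.
// The input becomes part of the SQL text, so quotes and comments are parsed.
function searchUserVulnerable(PDO $db, string $username): array {
    $sql = "SELECT * FROM users WHERE username = '" . $username . "';";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Defense 1: a prepared statement. The input is bound as a value and never
// parsed as SQL, so "admin' OR 1=1 --" is simply a username nobody has.
function searchUserPrepared(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defense 2: the article's white-list check on top of the prepared statement.
// Only the characters a username may contain are accepted (assumed policy:
// letters, digits, underscore, 1 to 32 characters); anything else is rejected
// outright instead of being "cleaned up".
function searchUserSafe(PDO $db, string $username): array {
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        return [];
    }
    return searchUserPrepared($db, $username);
}

$payload = "admin' OR 1=1 --";   // the injection string from the article
foreach (['searchUserVulnerable', 'searchUserPrepared', 'searchUserSafe'] as $fn) {
    // The vulnerable version matches every row; both defenses match none.
    echo str_pad($fn, 22), ' with payload: ', count($fn($db, $payload)), " row(s)\n";
}
// A legitimate username still works through the hardened path.
echo str_pad('searchUserSafe', 22), " with 'admin': ", count(searchUserSafe($db, 'admin')), " row(s)\n";
```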
Source: http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/SQL-Injection
2 comments:
This is a pretty clear and simple explanation of the SQL injection attack. Nice work Buddini
Detailed explanation