WHAT IS SQL INJECTION?
SQL Injection is one of the many web attack mechanisms used by hackers
to steal data from organizations. It is perhaps one of the most common
application layer attack techniques used today. It is the type of attack
that takes advantage of improper coding of your web applications that
allows hacker to inject SQL commands into say a login form to allow them
to gain access to the data held within your database.
In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.
Web applications allow legitimate website visitors to submit and
retrieve data to/from a database over the Internet using their preferred
web browser. Databases are central to modern websites – they store data
needed for websites to deliver specific content to visitors and render
information to customers, suppliers, employees and a host of
stakeholders. User credentials, financial and payment information,
company statistics may all be resident within a database and accessed by
legitimate users through off-the-shelf and custom web applications. Web
applications and databases allow you to regularly run your business.
Take a simple login page where a legitimate user would enter his
username and password combination to enter a secure area to view his
personal details or upload his comments in a forum.
Once an attacker realizes that a system is vulnerable to SQL Injection,
he is able to inject SQL Query / Commands through an input form field.
This is equivalent to handing the attacker your database and allowing
him to execute any SQL command including DROP TABLE to the database!
Here is a sample basic HTML form with two inputs, login and password.
In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.
SQL Injection: An In-depth Explanation
Web applications allow legitimate website visitors to submit and
retrieve data to/from a database over the Internet using their preferred
web browser. Databases are central to modern websites – they store data
needed for websites to deliver specific content to visitors and render
information to customers, suppliers, employees and a host of
stakeholders. User credentials, financial and payment information,
company statistics may all be resident within a database and accessed by
legitimate users through off-the-shelf and custom web applications. Web
applications and databases allow you to regularly run your business.
SQL
Injection is the hacking technique which attempts to pass SQL commands
(statements) through a web application for execution by the backend
database. If not sanitized properly, web applications may result in SQL
Injection attacks that allow hackers to view information from the
database and/or even wipe it out.
Such features as login pages,
support and product request forms, feedback forms, search pages,
shopping carts and the general delivery of dynamic content, shape modern
websites and provide businesses with the means necessary to communicate
with prospects and customers. These website features are all examples
of web applications which may be either purchased off-the-shelf or
developed as bespoke programs.
These website features are all
susceptible to SQL Injection attacks which arise because the fields
available for user input allow SQL statements to pass through and query
the database directly.
SQL Injection: A Simple Example
Take a simple login page where a legitimate user would enter his
username and password combination to enter a secure area to view his
personal details or upload his comments in a forum.
When the
legitimate user submits his details, an SQL query is generated from
these details and submitted to the database for verification. If valid,
the user is allowed access. In other words, the web application that
controls the login page will communicate with the database through a
series of planned commands so as to verify the username and password
combination. On verification, the legitimate user is granted appropriate
access.
Through SQL Injection, the hacker may input specifically
crafted SQL commands with the intent of bypassing the login form
barrier and seeing what lies behind it. This is only possible if the
inputs are not properly sanitised (i.e., made invulnerable) and sent
directly with the SQL query to the database. SQL Injection
vulnerabilities provide the means for a hacker to communicate directly
to the database.
The technologies vulnerable to this attack are
dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All
an attacker needs to perform an SQL Injection hacking attack is a web
browser, knowledge of SQL queries and creative guess work to important
table and field names. The sheer simplicity of SQL Injection has fuelled
its popularity.
What is the impact of SQL Injection?
Once an attacker realizes that a system is vulnerable to SQL Injection,
he is able to inject SQL Query / Commands through an input form field.
This is equivalent to handing the attacker your database and allowing
him to execute any SQL command including DROP TABLE to the database!
An
attacker may execute arbitrary SQL statements on the vulnerable system.
This may compromise the integrity of your database and/or expose
sensitive information. Depending on the back-end database in use, SQL
injection vulnerabilities lead to varying levels of data/system access
for the attacker. It may be possible to manipulate existing queries, to
UNION (used to select related information from two tables) arbitrary
data, use subselects, or append additional queries.
In some
cases, it may be possible to read in or write out to files, or to
execute shell commands on the underlying operating system. Certain SQL
Servers such as Microsoft SQL Server contain stored and extended
procedures (database server functions). If an attacker can obtain access
to these procedures, it could spell disaster.
Unfortunately the
impact of SQL Injection is only uncovered when the theft is discovered.
Data is being unwittingly stolen through various hack attacks all the
time. The more expert of hackers rarely get caught.
Example of a SQL Injection Attack
Here is a sample basic HTML form with two inputs, login and password.
<form method="post" action="http://testasp.acunetix.com/login.asp">
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>
The easiest way for the login.asp to work is by building a database query that looks like this:
SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'
If
the variables $username and $password are requested directly from the
user's input, this can easily be compromised. Suppose that we gave "Joe"
as a username and that the following string was provided as a password:
anything' OR 'x'='x
SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'
As
the inputs of the web application are not properly sanitised, the use
of the single quotes has turned the WHERE SQL command into a
two-component clause.
The 'x'='x' part guarantees to be true regardless of what the first part contains.
This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!
How do I prevent SQL Injection attacks?
- Firewalls and similar intrusion detection mechanisms provide little defense against full-scale web attacks. Since your website needs to be public, security mechanisms will allow public web traffic to communicate with your databases servers through web applications. Isn't this what they have been designed to do?
- Patching your servers, databases, programming languages and operating systems is critical but will in no way the best way to prevent SQL Injection Attacks.
Post a Comment