SQL Injection

    A SQL Injection attack is an attack aimed at applications that use a SQL database as a back-end service. This kind of attack is not limited to web applications but applies to any vulnerable application that interacts with a database. The attack relies on inserting well-formed SQL statements that fit into the SQL query inside the application without breaking the expected syntax, and that may allow the attacker to run queries that pull information from the database. The attacker is limited to interacting with data in the database that the application's database user is allowed to access. Procedures, functions and other database-related functionality may affect the result of such an attack, but in general, if the active database user's permissions allow it, the attacker may also be able to alter or delete data and in some cases dump the complete database.
    Due to the ubiquity of SQL, this attack is very portable between platforms and database systems, with generally only minor differences between them. The attack is, as with most injection attacks, made possible by poor sanitizing of user input (on the client side, on the server side and in installable applications) and by not using prepared SQL statements. The goal is to make information that was meant to be user input interact with the application in such a way that it becomes part of the SQL query, and in that manner give the attacker control to manipulate information in the database.
    • SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
    • SQL injection is at the source of many of the high-level or well-known attacks on the Internet.
    • The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data.
    • The usual cause of this type of flaw is improper or absent input validation, thus allowing code to pass unimpeded to the database without verification.

    An attacker may not only alter the query within the application but may also add additional queries using batch execution. This is done by adding new queries to the existing query inside the application by dividing the existing and the new query with a semicolon. Most databases support this technique for stacking queries.

    One way to prevent SQL injection attacks is to use input validation in the application, which ensures that only approved characters are accepted. Whitelist the characters that are safe to pass to the application and, if necessary, blacklist the ones that are considered unsafe or dangerous. Even though the issue is not in the database, using stored procedures and giving the database user only minimal permissions may minimize the impact of such an attack.

    In general, input validation refers to sanitizing data before it is accepted by an application on the client side, whereas filtering refers to preventing invalid input from ever reaching the server.
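    As an added illustration (not code from the original post), the following Python script uses the standard sqlite3 module and a constructed in-memory users table to put the login query built by string concatenation beside its parameterized form, plus an allowlist check of the kind described above; the table, function and sample values are assumptions made for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the example; an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    return conn


def login_vulnerable(conn, username, password):
    # User input is pasted straight into the SQL text, so a quote in the
    # input changes the structure of the query instead of being plain data.
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    # Placeholders keep the query structure fixed; the driver passes the
    # values separately, so quotes or keywords inside them stay data.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Allowlist for usernames: only the characters a username legitimately needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    # Reject anything outside the allowlist before it reaches the database.
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "alice' --"          # a quote plus a SQL comment marker as input
    print("concatenated :", login_vulnerable(db, probe, "wrong"))     # row returned
    print("parameterized:", login_parameterized(db, probe, "wrong"))  # None
    print("allowlist    :", is_valid_username(probe))                 # False
```

    Note that sqlite3's execute() refuses more than one statement per call, so the stacked-query variant described above fails outright with this driver; drivers for other databases may not enforce that limit, which is why the parameterized form, not the driver, is the control to rely on.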

    Some of the results of a successful attack could be:
    • Successfully authenticating as an existing user without knowing the password.
    • Identity spoofing through manipulating databases to insert bogus or misleading information such as e-mails and contact information.
    • Alteration of prices in e-commerce applications followed by the purchase of products or services at a reduced rate.
    • Alteration of data or outright replacement of data in existing databases with information created by the attacker.
    • Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access.
    • Insertion of new information such as a new user with full administrative access.
    • Denial of service, performed by flooding the server with requests designed to overwhelm the system.
    • Data extraction and disclosure of all data on the system.
    • Destruction or corruption of data through overwriting, altering or dropping the database.
    • Eliminating or altering transactions that have been or will be committed.

    Certified Security Geek