SQL Injection


SQL injection is an attack in which attacker-controlled input, submitted through the client side of the application, is incorporated into a database query that the server then executes.

  • to identify SQL injection in a web app,
    • attacker must test every single input the server consumes, including
      • URL parameters
      • form fields
      • cookies
      • POST data
      • HTTP headers
    • common way to identify:
      • submit a single apostrophe '
      • if the app returns a database error message, the input is not being validated or escaped and is likely vulnerable
  • can carry out attack using:
    • SQL wildcard character % (inside a LIKE clause) to match and pull back a large number of rows
    • or submit a math expression equivalent to the expected value (e.g., 2+1 where the app expects 3); if the app behaves as though 3 was sent, the database is evaluating the input
  • ; separates commands in SQL (stacked queries), provided the database driver allows more than one statement per call
  • -- starts a comment that runs to the end of the line in SQL; MySQL requires whitespace after the dashes, so payloads there usually end in "-- " or #

Example

an organization's public-facing web app uses simple HTML forms to prompt for a username and password to access the app

  • web app accesses a SQL database of credentials to validate the username and password input
  • with the username Bob and the password Pa$$w0rd, a typical SQL query looks like:
    • SELECT * FROM tbl_user WHERE username = 'Bob' AND password = 'Pa$$w0rd'
  • attacker first submits a single apostrophe ' as the username
    • the query now contains an odd number of apostrophe characters, so a string literal is left unterminated
    • the database server returns a syntax error
    • attacker now knows the input reaches the query unescaped and needs a value that completes the SQL statement with a syntactically correct query
  • attacker uses a condition that is always true, such as 1=1
    • then uses the database's inline comment syntax, the -- characters, to comment out the remainder of the original query
  • with the SQL injection exploit string ' or 1=1-- inserted into the username form field, the query becomes:
    • SELECT * FROM tbl_user WHERE username = '' or 1=1--' AND password = 'Pa$$w0rd'
    • SQL syntax is correct, so the database does not return an error
    • WHERE clause is true for every row and the password check has been commented out, so the database returns every row in tbl_user
    • an app that only checks whether any row came back treats this as a successful login

Protecting Against SQL Injection

  • Input Validation
    • protects against unsafe user input by checking it on the server (never only on the client) before it is used in a command, preferably against an allowlist of the characters and length the field legitimately needs
  • Parameterized SQL (prepared statements)
    • query text with placeholders is sent to the database server and compiled first; user input is bound to the placeholders afterwards as data, so it cannot alter the query structure