SQL Injection Vulnerabilities

SQL Injection Overview

SQL Injection vulnerabilites are quite common and very dangerous. An SQL injection vulnerability can only occur with a software application that fronts a database. Which just happens to be a very common occurance. SQL Injection attacks deal with the same problem of input not being validated. With a bit of understanding of the web application and a sniffer trace, a malicious user could create an SQL statement that was not intended and "trick" the web application to return or perform some other SQL command rather than the intended command.

The first thing that will need to be done is to understand how the web application interfaces with the backend database. Either you will have the design documents to work with or you can use a sniffer utility to determine what is occuring.

See the Tools sniffer applications for more information on types of sniffer applications.

If a site is vulnerable to SQL injection a large number of other problems could occur. This is a simple and easy vulnerability to exploit. All an attacker needs to know is SQL and have some understanding about how the information is passed.

Example of an SQL injection vulnerability

To understand how a SQL injection vulnerability could occur, imagine the following situation. For example say your website has a method to search for users. A usersearch page is created which could include something like the following.

<form method="post" action="searchuser.php">
<input type="text" name="username">
<input type="submit" value="Search" name="search">

This html snippet passes in the username to the dynamic page searchuser.php. The searchuser.php will take the username and add it to an SQL statement. Take for example the following php code snippet.

sqlResult = statement.executeQuery("SELECT * FROM users WHERE username = '" + $username + "';");

Think about this statement and see if you can figure out what is the problem. You might say the $username should be validated before it is added to the SQL statement. That is exactly what should be done. A malicious user could attach additional SQL statements to the username. This could be done by passing is something like.

admin' OR 1=1 --

Think about what the SQL statement would look like.

SELECT * FROM users WHERE username = 'admin' OR 1=1 --';

Notice this will either select the admin account or it will before 1=1 which will result in true. Which in SQL terms this will return the entire users table. Which the users table could contain all sorts of other additional sensitive information. This is just one example of what type of attack could be performed with SQL injection.

How to protect against SQL injection vulnerabilities

SQL injection vulnerabilities can occur anytime there is some type of input provided. They do not need to occur when output is sent. Any input should be validated, checked, and sanitized against a white list before being used.