SQL injection is a security vulnerability occurring in the database layer of an application. Its source is the incorrect escaping of dynamically-generated strings embedded in SQL statements. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
For example, here is a sample basic HTML form with two inputs, username and password.
[HTML form with Username and Password fields, submitted to login.php]
The easiest way for login.php to work is by building a database query that looks like this:

```php
$query = "SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'";
```

If the variables $username and $password are taken directly from the user's input without checking for special characters, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x
The query string that gets built is then:

```php
$query = "SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'";
```

Because the application is not really thinking about the query, but just constructing a string, the single quotes have turned the WHERE into a two-component clause: since AND binds more tightly than OR, it now reads (username = 'Joe' AND password = 'anything') OR 'x'='x'. The 'x'='x' part will be true no matter what the first part contains.
This could allow the attacker to bypass the login form without actually knowing a valid username / password combination!
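As an added illustration (not code from the original post), here is the same login query in Python against an in-memory SQLite table, with the string-built version beside a parameterized one; the logins table, the user 'Joe' with password 's3cret', and the database itself are constructed here for the demo:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's 'logins' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO logins (username, password) VALUES ('Joe', 's3cret')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String-built query, the same shape as the post's login.php: input lands inside the SQL text."""
    query = (f"SELECT id FROM logins WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: values travel separately from the SQL, so quotes in them stay data."""
    query = "SELECT id FROM logins WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both versions with a real password and with the post's password string."""
    conn = make_db()
    payload = "anything' OR 'x'='x"  # the password string from the post
    return {
        "vulnerable_correct": vulnerable_login(conn, "Joe", "s3cret"),
        "vulnerable_payload": vulnerable_login(conn, "Joe", payload),   # True: WHERE is always satisfied
        "safe_correct": safe_login(conn, "Joe", "s3cret"),
        "safe_payload": safe_login(conn, "Joe", payload),               # False: compared as a literal string
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'login granted' if granted else 'login denied'}")
```

The parameterized form is the fix the post is pointing at: the database receives the query text and the values through separate channels, so no escaping of the input is needed.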
For some reported cases of SQL Injection exposure in the wild, see:
- http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580&pageNumber=1
- http://socialscienceplusplus.blogspot.com/2007/08/connectucom-sql-injection-vulnerability.html
- http://msdn2.microsoft.com/en-us/library/ms161953.aspx
- http://www.sitepoint.com/article/sql-injection-attacks-safe
- http://www.codeproject.com/aspnet/SqlInjection.asp
- http://www.acunetix.com/websitesecurity/sql-injection.htm
- http://unixwiz.net/techtips/sql-injection.html
- http://www.spidynamics.com/spilabs/education/whitepapers.html
- http://www.ngssoftware.com/papers.htm
- http://www.nextgenss.com/papers/advanced_sql_injection.pdf
- http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
- http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
- http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
- http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html
- http://www.sitepoint.com/article/794
- http://www.owasp.org/software/webgoat.html
- http://en.wikipedia.org/wiki/SQL_injection
- http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1161833,00.html
This article originally appeared in my blog: All Things Quality
My name is Joe Strazzere and I'm currently a Director of Quality Assurance. I like to lead, to test, and occasionally to write about leading and testing. Find me at http://strazzere.blogspot.com/.