SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from it.
SQL injection can occur when an application uses input to construct dynamic SQL statements. Successful SQL injection attacks enable malicious users to execute commands in an application's database.
Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database. A SQL injection attack involves placing SQL statements in the user input.
Almost all existing databases are subject to SQL injection attacks to varying degrees.
Take an ASP page that links you to another page with the following URL: http://sqlinject/index.asp?customer=Talentica
In the URL, 'customer' is the variable name, and 'Talentica' is the value assigned to the variable. To handle this request, the ASP page might contain the following code:
' The request value is concatenated directly into the SQL text
v_cat = request("customer")
sqlstr = "SELECT * FROM Customer_Master WHERE Customer='" & v_cat & "'"
set rs = conn.execute(sqlstr)
Thus the SQL statement should become:
SELECT * FROM Customer_Master WHERE Customer='Talentica'
Now, assume that we change the URL into something like this: http://sqlinject/index.asp?customer=Talentica' or 1=1--
Now our variable v_cat equals "Talentica' or 1=1--". If we substitute this into the SQL query, we will have:
SELECT * FROM Customer_Master WHERE Customer='Talentica' or 1=1--'
Because 1=1 is always true and -- starts a comment that discards the trailing quote, the WHERE clause matches every row in Customer_Master.
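The concatenated query above next to a parameterized one, as an added example that is not code from the original page. It uses Python's sqlite3 with an in-memory table as a stand-in for the page's database; the function names, the id and Contact columns and the sample rows are assumptions constructed for the illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the page's Customer_Master table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customer_Master (id INTEGER PRIMARY KEY, Customer TEXT, Contact TEXT)"
    )
    conn.executemany(
        "INSERT INTO Customer_Master (id, Customer, Contact) VALUES (?, ?, ?)",
        [(10, "Talentica", "a@example.test"),
         (11, "Acme", "b@example.test"),
         (12, "Globex", "c@example.test")],
    )
    return conn

def lookup_concatenated(conn, v_cat):
    """Same construction as the ASP code: the input becomes part of the SQL text."""
    sqlstr = "SELECT * FROM Customer_Master WHERE Customer='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()

def lookup_parameterized(conn, v_cat):
    """The input is bound as a value; a quote or -- inside it is just data."""
    return conn.execute(
        "SELECT * FROM Customer_Master WHERE Customer = ?", (v_cat,)
    ).fetchall()

def lookup_by_id(conn, raw_id):
    """Numeric parameter (the id=10 page): reject non-integers, then bind anyway."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT * FROM Customer_Master WHERE id = ?", (int(raw_id),)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # The two customer values shown on the page
    for value in ("Talentica", "Talentica' or 1=1--"):
        print(repr(value),
              "concatenated:", len(lookup_concatenated(conn, value)), "rows;",
              "parameterized:", len(lookup_parameterized(conn, value)), "rows")
```

With the concatenated query the second value returns every row; with the bound parameter it is compared as a literal customer name and matches nothing.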
Take the following page for another example: http://sqlinject/index.asp?id=10
We will try to UNION the integer '10' with another string from the database: http://sqlinject/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25USER%25'--
SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='USERS' AND COLUMN_NAME LIKE '%USER%'
Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting".
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user.
For example, an attack on your database could update up to 5000 rows in every table and replace the strings in your database with random XSS attacks.
Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible.
To prevent cross-site scripting:
Check that ASP.NET request validation is enabled.
Review ASP.NET code that generates HTML output.
Determine whether HTML output includes input parameters.
Review potentially dangerous HTML tags and attributes.