Download to read offline
![SQL INJECTION:
SQL Injection (SQLi) refers to an injection attack where an attacker can execute malicious
SQL statements to a Web form input box to gain access to resources or make changes to data. SQLi
is dangerous to perform because there may be a chance of database destruction.
The risk of SQL injection exploits is on the rise because of automated tools. In the past, the danger
was somewhat limited because an exploit had to be carried out manually: an attacker had to actually
type their SQL statement into a text box. However, automated SQL injection programs are now
available, and as a result, both the likelihood and the potential damage of an exploit has increased
enormously.
Since SQL statements are text only, it is easy, with a little piece of computer code, to dynamically
change SQL statements to provide the user with selected data:
StoreId = getRequestString("MerchantId");
Query_txt = "SELECT * FROM Stores WHERE MerchantId = " + StoreId;
How SQL Injection works
In order to run malicious SQL queries against a database server, an attacker must first find
an input within the web application that is included inside of an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to directly include
user input within an SQL statement. An attacker can then insert a payload that will be included as
part of the SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.
# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi
sql = “SELECT id FROM users WHERE username=’” + uname + “’AND password=’” + passwd +
“’”
# Execute the SQL statement
database.execute(sql)
The above script is vulnerable to SQL Injection because an attacker could submit malicious input in
such a way that would alter the SQL statement being executed by the database server.
A simple example of an SQL Injection payload could be something as simple as setting the
password field to password’ OR 1=1.
SELECT id FROM users WHERE username=’username’AND password=’password’ OR 1=1’
This would result in the following SQL query being run against the database server.
The first public discussions of SQL injection started appearing around 1998, SQL injection (SQLI)
is considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web
Application Security Project. In 2013, SQLI was rated the number one attack on the OWASP top
ten.](https://image.slidesharecdn.com/sqlinjection-171015092729/85/Sql-injection-1-320.jpg)
Uploaded byAshok Kumar
Sql injection
SQL injection (SQLi) is a type of attack where malicious SQL statements are executed through a web form input to access or alter database resources, posing significant risks including potential database destruction. The rise of automated SQL injection tools has increased both the likelihood of exploitation and the potential for damage, making it one of the top web application vulnerabilities. Key defenses against SQLi include using prepared statements, stored procedures, input validation, and employing the principle of least privilege.
More Related Content
Sql injection
- 1. SQL INJECTION: SQL Injection(SQLi) refers to an injection attack where an attacker can execute malicious SQL statements to a Web form input box to gain access to resources or make changes to data. SQLi is dangerous to perform because there may be a chance of database destruction. The risk of SQL injection exploits is on the rise because of automated tools. In the past, the danger was somewhat limited because an exploit had to be carried out manually: an attacker had to actually type their SQL statement into a text box. However, automated SQL injection programs are now available, and as a result, both the likelihood and the potential damage of an exploit has increased enormously. Since SQL statements are text only, it is easy, with a little piece of computer code, to dynamically change SQL statements to provide the user with selected data: StoreId = getRequestString("MerchantId"); Query_txt = "SELECT * FROM Stores WHERE MerchantId = " + StoreId; How SQL Injection works In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query. In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server. The following server-side pseudo-code is used to authenticate users to the web application. # Define POST variables uname = request.POST['username'] passwd = request.POST['password'] # SQL query vulnerable to SQLi sql = “SELECT id FROM users WHERE username=’” + uname + “’AND password=’” + passwd + “’” # Execute the SQL statement database.execute(sql) The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server. A simple example of an SQL Injection payload could be something as simple as setting the password field to password’ OR 1=1. SELECT id FROM users WHERE username=’username’AND password=’password’ OR 1=1’ This would result in the following SQL query being run against the database server. The first public discussions of SQL injection started appearing around 1998, SQL injection (SQLI) is considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project. In 2013, SQLI was rated the number one attack on the OWASP top ten.
- 2. Types of SQLinjection * Tautology-based SQL Injection * Piggy-backed Queries / Statement Injection * Union Query * Illegal/Logically Incorrect Queries * Inference * Stored Procedure Injection Protection in SQL injection Primary Defenses: • Option #1: Use of Prepared Statements (Parameterized Queries) String custname = request.getParameter("customerName"); // This should REALLY be validated // perform input validation to detect attacks String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( ); • Option #2: Use of Stored Procedures String custname = request.getParameter("customerName"); // This should REALLY be validated try { CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}"); cs.setString(1, custname); ResultSet results = cs.executeQuery(); // … result set handling } catch (SQLException se) { // … logging and error handling } • Option #3: Escaping all User Supplied Input String query = "SELECT user_id FROM user_data WHERE user_name = '" + req.getParameter("userID") + "' and user_password = '" + req.getParameter("pwd") +"'"; try { Statement statement = connection.createStatement( … ); ResultSet results = statement.executeQuery( query ); } Additional Defenses: • Also Enforce: Least Privilege • Also Perform: White List Input Validation