Common factors that make an application vulnerable to SQL injection attacks are:
- Lack of proper input validation and trusting user-supplied data
- Building dynamic SQL queries by concatenating user-supplied data into the query text
- Application design issues, such as using URL parameters or hidden form fields to drive backend operations
- Running application code or services under database admin or other highly privileged accounts, so that a successful injection inherits those privileges
Example Attack Scenario
The application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE accountID='" + request.getParameter("id") + "'";
The attacker modifies the 'id' parameter in their browser to send ' or '1'='1 as the URL parameter (example.com/app/accountView?id=' or '1'='1).
The query the application sends to the database becomes SELECT * FROM accounts WHERE accountID='' or '1'='1'. Its WHERE clause is now always true, so it returns every record in the accounts table instead of only the intended customer's data.
Note that simply using stored procedures instead of dynamic SQL in application code does not by itself prevent SQL injection. If a stored procedure concatenates its parameters into a SQL string and then executes that string, e.g.
exec sp_executesql @user_supplied_param
the procedure is just as injectable as the application code was. The user-supplied value must be passed to the dynamic statement as a bound parameter, never concatenated into the text that is executed.
Even when an attacker cannot retrieve sensitive data through such a flaw, they can still cause serious damage with statements such as DROP TABLE, or with mass changes to sensitive data through DELETE or UPDATE statements whose WHERE clause has been hijacked. Appending a second statement such as DROP TABLE only works where the database and driver accept stacked queries; an always-true WHERE clause injected into an existing UPDATE or DELETE needs no such support.
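The attack scenario above and the mass-change case, carried through end to end as an added example (this is not code from the original page). It uses Python's built-in sqlite3 module with a constructed in-memory accounts table, builds the page's SELECT by string concatenation next to a parameterised version, does the same for an UPDATE so the "mass change" outcome is visible as a row count, and tries the stacked DROP TABLE payload to show that whether it lands depends on the driver. The table layout, sample rows and the evil e-mail address are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the original page): three customers.
SAMPLE_ACCOUNTS = [
    ("1001", "alice", "alice@example.com"),
    ("1002", "bob", "bob@example.com"),
    ("1003", "carol", "carol@example.com"),
]

# The page's payload, exactly as it arrives in the 'id' URL parameter.
PAYLOAD = "' or '1'='1"


def make_db():
    """In-memory SQLite database seeded with SAMPLE_ACCOUNTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (accountID TEXT, owner TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def account_view_vulnerable(conn, account_id):
    """The page's query, built by string concatenation. With PAYLOAD the SQL
    sent to the engine is
        SELECT * FROM accounts WHERE accountID='' or '1'='1'
    so every row comes back."""
    query = "SELECT * FROM accounts WHERE accountID='" + account_id + "'"
    return conn.execute(query).fetchall()


def account_view_safe(conn, account_id):
    """Same lookup with a bound parameter. The value travels separately from
    the SQL text, so the quotes inside it are just data and no row matches."""
    return conn.execute(
        "SELECT * FROM accounts WHERE accountID=?", (account_id,)
    ).fetchall()


def update_email_vulnerable(conn, account_id, new_email):
    """String-built UPDATE: an always-true injected WHERE clause rewrites
    every row. Returns the number of rows changed."""
    query = ("UPDATE accounts SET email='" + new_email + "' "
             "WHERE accountID='" + account_id + "'")
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def update_email_safe(conn, account_id, new_email):
    """Parameterised UPDATE. Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE accounts SET email=? WHERE accountID=?", (new_email, account_id)
    )
    conn.commit()
    return cur.rowcount


def stacked_drop_survives(conn):
    """Feeds the classic stacked-query payload to the vulnerable SELECT.
    Python's sqlite3 execute() refuses to run more than one statement, so
    the DROP never executes here; a driver or DBMS that accepts stacked
    statements (or executescript()) would run it. Returns True when the
    accounts table still exists afterwards."""
    try:
        account_view_vulnerable(conn, "'; DROP TABLE accounts--")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        pass
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='accounts'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable SELECT returned", len(account_view_vulnerable(db, PAYLOAD)), "rows")
    print("safe SELECT returned", len(account_view_safe(db, PAYLOAD)), "rows")
    print("vulnerable UPDATE changed", update_email_vulnerable(db, PAYLOAD, "x@evil.example"), "rows")
    print("safe UPDATE changed", update_email_safe(db, PAYLOAD, "x@evil.example"), "rows")
    print("accounts table survives stacked DROP:", stacked_drop_survives(db))
```

Running the block prints 3 rows for the concatenated SELECT against 0 for the parameterised one, and the concatenated UPDATE touches all three rows while the parameterised one touches none. The UPDATE case is the point of the last paragraph: no data leaves the database, yet every customer's e-mail address has been overwritten.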