SQL Injection Attack - Introduction and Mitigation Steps

Published on: 8/17/2014
Topic: Web Application Security
SQL injection is used by malicious users to attack your application surface in an apparently legitimate manner, exploiting weaknesses in the coding pattern, especially in how the application interacts with the database. The purpose of the attack may be to gain unauthorized access to sensitive data, especially the data of other users and accounts. In some cases, if such a vulnerability exists, the attacker may combine it with attacks like command injection to take complete control of the server-side environment.


Overview

Common factors that make an application vulnerable to SQL injection attacks are:

- Lack of proper input validation and trusting user-supplied data

- Building dynamic SQL queries from user-supplied data

- Application design issues, such as using URL parameters or hidden fields for backend operations, or building dynamic SQL queries from them

- Running application code and services under database admin or other highly privileged accounts


Example Attack Scenario

The application uses untrusted data in the construction of the following vulnerable SQL call:

String query = "SELECT * FROM accounts WHERE accountID='" + request["id"] + "'";

The attacker modifies the 'id' parameter in their browser to send ' or '1'='1 as a URL parameter (example.com/app/accountView?id=' or '1'='1).
This changes the meaning of the query so that it returns all records from the accounts table instead of only the intended customer's data.
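The scenario above, reproduced as an added example (not code from the original article) against an in-memory SQLite table with constructed sample accounts: the concatenated query returns every row when given the article's payload, while the same lookup with a bound parameter returns nothing, and a simple allow-list check on the id format rejects the payload before it ever reaches the database.

```python
import re
import sqlite3

# Constructed sample data: three accounts; a caller should only ever see their own row.
SAMPLE_ACCOUNTS = [("A100", "alice", 1200), ("B200", "bob", 75), ("C300", "carol", 9000)]

# Assumed account-id format for this example: one uppercase letter followed by three digits.
ACCOUNT_ID_PATTERN = re.compile(r"[A-Z][0-9]{3}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (accountID TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, account_id):
    # Mirrors the article's concatenation: the id value becomes part of the SQL text,
    # so a quote inside it changes the structure of the statement.
    query = "SELECT * FROM accounts WHERE accountID='" + account_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, account_id):
    # Hardened form: the value is bound as a parameter and is never parsed as SQL.
    return conn.execute("SELECT * FROM accounts WHERE accountID=?", (account_id,)).fetchall()


def is_valid_account_id(account_id):
    # Allow-list validation: reject anything that is not shaped like a real account id.
    return ACCOUNT_ID_PATTERN.fullmatch(account_id) is not None


def demo():
    conn = make_db()
    payload = "' or '1'='1"  # the tautology payload from the article
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "A100")),        # 1 row, as intended
        "vulnerable_payload": len(lookup_vulnerable(conn, payload)),       # all 3 rows leak
        "parameterized_payload": len(lookup_parameterized(conn, payload)),  # 0 rows
        "payload_passes_validation": is_valid_account_id(payload),         # False
        "real_id_passes_validation": is_valid_account_id("A100"),          # True
    }
```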

Please note that simply using stored procedures instead of dynamic SQL queries in application code does not fully prevent SQL injection. If a stored procedure takes its parameters and executes them directly as SQL at the backend, it exposes the same vulnerability, e.g.:

exec sp_executesql @user_supplied_param

Often the attacker may not succeed in retrieving sensitive data by exploiting such a vulnerability, but can still cause major damage with SQL commands like DROP TABLE, or by mass-changing sensitive data with DELETE or UPDATE statements.


Continue Reading: Identify & Prevent SQL Injection Vulnerabilities