SQL Injection

From Guidance Share



Description

SQL injection is another instance of an injection attack: SQL syntax is supplied through data-plane input (form fields, URL parameters, cookies, headers) so that it alters the execution of the SQL commands the application intended to run.

Applies To

  • Language: Any that can interact with a SQL database
  • Platform: Any (requires interaction with an SQL database)

Example

Given the SQL query:

select id, firstname, lastname from writers where firstname = '<Firstname>' and lastname = '<Lastname>'

if the user supplied:

Firstname: evil'ex
Lastname: Newman

the query string becomes:

select id, firstname, lastname from writers where firstname = 'evil'ex' and lastname = 'Newman'

The single quote in the input ends the firstname string literal early, so the database tries to parse ex' and lastname = 'Newman' as SQL and reports a syntax error near ex (on SQL Server: Incorrect syntax near 'ex'). The error itself is harmless, but it proves that the input reaches the parser as SQL rather than as data: a value such as ' or '1'='1 would be parsed as part of the condition instead of causing an error.

The above SQL statement could be coded in Java as:

String firstName = request.getParameter("firstName");
String lastName = request.getParameter("lastName");
// Vulnerable: the input is concatenated into the SQL text; prepareStatement does not help without bind parameters (?)
PreparedStatement writersLookup = conn.prepareStatement("SELECT id, firstname, lastname FROM writers WHERE firstname = '"
    + firstName + "' AND lastname = '" + lastName + "'");
ResultSet rs = writersLookup.executeQuery();

in which the same problem exists: the query text is assembled from the raw request parameters, so the inputs above produce exactly the broken statement shown.
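The injection above, as an added example that is not code from the original page: a Python script with an in-memory SQLite database standing in for the writers table. The table rows, the probe helper and the second and third inputs are constructed for illustration; the first input is the page's own evil'ex / Newman pair.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the page's writers table (names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE writers (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO writers (firstname, lastname) VALUES (?, ?)",
                     [("Ada", "Lovelace"), ("Evil", "Newman"), ("Grace", "Hopper")])
    conn.commit()
    return conn


def build_vulnerable_sql(firstname, lastname):
    """Builds the query text by string concatenation, the mistake shown in the page's example."""
    return ("SELECT id, firstname, lastname FROM writers WHERE firstname = '"
            + firstname + "' AND lastname = '" + lastname + "'")


def probe(conn, firstname, lastname):
    """Runs the concatenated query and returns the SQL text plus either the rows or the
    database's error message, so the effect of each input can be inspected."""
    sql = build_vulnerable_sql(firstname, lastname)
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"sql": sql, "rows": None, "error": str(exc)}


if __name__ == "__main__":
    conn = make_db()
    # 1. The page's input: the stray quote ends the literal early and the rest no longer parses.
    r = probe(conn, "evil'ex", "Newman")
    print(r["sql"])
    print("  -> error:", r["error"])
    # 2. A tautology in the last field. AND binds tighter than OR, so the WHERE clause becomes
    #    (firstname = 'Evil' AND lastname = 'x') OR '1'='1', which is true for every row.
    r = probe(conn, "Evil", "x' OR '1'='1")
    print(r["sql"])
    print("  -> rows:", r["rows"])
    # 3. A comment marker (-- in SQLite, also SQL Server) discards the rest of the WHERE clause.
    r = probe(conn, "Evil' --", "ignored")
    print(r["sql"])
    print("  -> rows:", r["rows"])
```

The first probe reproduces the page's syntax error; the second and third show why that error matters, since the same concatenation lets an attacker rewrite the condition and read every row.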

Impact

  • Confidentiality: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.
  • Authentication: If user names and passwords are checked with SQL built from user input, it may be possible to log in as another user without knowing that user's password.
  • Authorization: If authorization information is held in an SQL database, it may be possible to change this information through the successful exploitation of an SQL injection vulnerability.
  • Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with an SQL injection attack.

Vulnerabilities

  • Failure to validate user input, or to pass it to the database as a bound parameter, when that input is used to build a SQL statement.

Countermeasures

  • Requirements specification: A database that is not driven by SQL text may be chosen. Note that other query interfaces (NoSQL document stores, LDAP, XPath) have their own injection flaws, so this moves the problem rather than removing it unless the interface takes data separately from the query.
  • Implementation: Pass user input to the database as bound parameters (prepared statements with placeholders) rather than concatenating it into the query text; a prepared statement built from a concatenated string gives no protection. In addition, use strict white-list (allow-list) checking on any user input that may be used in an SQL command. Rather than escaping meta-characters, it is safest to leave them out of the white-list altogether, because code that later reads the data back out of the database may neglect to escape it before using it in another query (second-order injection).
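The two implementation countermeasures, together with the caveat about data that is read back later, as an added example that is not part of the original page: Python with an in-memory SQLite database rather than the page's Java, since the technique is the same through any driver that supports placeholders. The allow-list regex, the sample rows and the helper names are assumptions for illustration.

```python
import re
import sqlite3

# Allow-list for a personal-name field: letters, spaces and hyphens only. The character set
# and the length cap are assumptions for this example. Note it rejects names such as O'Brien,
# which is why bound parameters below are the primary defence and the allow-list is a second layer.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z -]{0,63}")


def name_is_allowed(value):
    """White-list check: True only if every character is on the allow-list."""
    return NAME_RE.fullmatch(value) is not None


def validate_name(value):
    """Rejects input before it gets anywhere near a query."""
    if not name_is_allowed(value):
        raise ValueError("name contains characters outside the allow-list: %r" % value)
    return value


def make_db():
    """Constructed sample data standing in for the page's writers table (names are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE writers (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO writers (firstname, lastname) VALUES (?, ?)",
                     [("Ada", "Lovelace"), ("Evil", "Newman"), ("Grace", "Hopper")])
    conn.commit()
    return conn


def safe_lookup(conn, firstname, lastname):
    """Bound parameters: the SQL text is fixed and the values travel separately, so a quote
    or comment marker inside a value is just data and cannot change the query."""
    sql = "SELECT id, firstname, lastname FROM writers WHERE firstname = ? AND lastname = ?"
    return conn.execute(sql, (firstname, lastname)).fetchall()


def add_writer(conn, firstname, lastname):
    """Stores a row with bound parameters and returns its id."""
    cur = conn.execute("INSERT INTO writers (firstname, lastname) VALUES (?, ?)", (firstname, lastname))
    conn.commit()
    return cur.lastrowid


def reuse_stored_name(conn, writer_id):
    """The page's caveat (second-order injection): the name was stored safely, but this later
    query reads it back and concatenates it, so a quote that was harmless at insert time now
    breaks or alters the SQL. Returns the row count, or the database error message."""
    (firstname,) = conn.execute("SELECT firstname FROM writers WHERE id = ?", (writer_id,)).fetchone()
    sql = "SELECT COUNT(*) FROM writers WHERE firstname = '" + firstname + "'"  # vulnerable again
    try:
        return {"count": conn.execute(sql).fetchone()[0], "error": None}
    except sqlite3.Error as exc:
        return {"count": None, "error": str(exc)}


if __name__ == "__main__":
    conn = make_db()
    # The page's inputs, bound as parameters: no syntax error and no extra rows, just no match.
    print(safe_lookup(conn, "evil'ex", "Newman"))      # []
    print(safe_lookup(conn, "Evil", "x' OR '1'='1"))   # []
    print(safe_lookup(conn, "Evil", "Newman"))         # [(2, 'Evil', 'Newman')]
    # The allow-list rejects the meta-characters before they reach the database at all.
    for name in ("Ada", "evil'ex"):
        print(name, "->", "allowed" if name_is_allowed(name) else "rejected")
    # Second order: bound parameters store evil'ex faithfully, and a later concatenating
    # query trips over it. Validating on the way in is what prevents this.
    wid = add_writer(conn, "evil'ex", "Newman")
    print(reuse_stored_name(conn, wid))
```

The bound-parameter lookup returns an empty list for both hostile inputs instead of an error or the whole table. The last call shows why the page warns against relying on escaping: the stored value is faithful to what the attacker typed, and any later code that concatenates it is injectable again.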

Vulnerability Patterns

How Tos
