SQL Injection - An illustration
SQL injection is one of the most common means of exploiting security loopholes in a web application. In the article that follows, you can see how easily one can take advantage of it to gain unauthorized access to data that one was not supposed to see. Let us see how, but first a brief bit of background...
Purpose of using SQL:
SQL statements are generally used to retrieve, update and delete data against a web application’s database. This is normally done behind the scenes and the results are displayed to a user based on their authority level. This means that the data is protected and access is granted on a selective basis.
How the security issue arises here:
Many web applications provide some form of search capability where users can apply their own filtering to the data the application displays. For example, a filter to see only the records posted in 2009. If the application is not secure, a hacker can potentially exploit this functionality. Rather than supplying a value to filter upon, he might provide a fragment of SQL that is then injected into the SQL statement the application uses to retrieve data.
Attack Example – Let’s assume a user only has access to the records of his department and to filter through the records, he enters some criteria. He wants to see the latest records, so he enters 2009 in the year range to filter records as per the criteria specified.
The application might attempt to execute the following statement against the database: SELECT * FROM … WHERE … AND Year = 2009
A hacker on the other hand, might try to trick the application and enter the following into that same year range field: 2009 OR 1=1
The application, if not careful, might then execute the following statement against the database: SELECT * FROM … WHERE … AND Year = 2009 OR 1=1
This would potentially give the user access to all the records in the system, even the ones they shouldn’t be able to see... :( :(
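The scenario above, as an added example (not code from the original post): a constructed in-memory SQLite table with two departments, a search that pastes the year field straight into the SQL as the article describes, and the hardened form that validates the type and binds the value as a parameter. Table, column and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: two departments, records from two years.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE records (id INTEGER PRIMARY KEY, dept TEXT, year INTEGER, title TEXT);
INSERT INTO records (dept, year, title) VALUES
  ('sales', 2008, 'sales-08'), ('sales', 2009, 'sales-09'),
  ('hr',    2008, 'hr-08'),    ('hr',    2009, 'hr-09');
""")

def search_vulnerable(dept, year_input):
    # The pattern the article describes: user input is concatenated into the SQL,
    # so the field value '2009 OR 1=1' turns the query into
    # '... AND year = 2009 OR 1=1'. Because AND binds tighter than OR, the
    # department restriction no longer applies and every row comes back.
    sql = f"SELECT title FROM records WHERE dept = '{dept}' AND year = {year_input}"
    return [row[0] for row in CONN.execute(sql)]

def search_safe(dept, year_input):
    # Hardened form: check the type first, then bind the value as a parameter.
    # The database receives the statement and the value separately, so the
    # value is never parsed as SQL. Non-integer input is rejected up front.
    try:
        year = int(year_input)
    except (TypeError, ValueError):
        raise ValueError(f"year must be an integer, got {year_input!r}")
    sql = "SELECT title FROM records WHERE dept = ? AND year = ?"
    return [row[0] for row in CONN.execute(sql, (dept, year))]

if __name__ == "__main__":
    print(search_vulnerable("sales", "2009"))         # ['sales-09']
    print(search_vulnerable("sales", "2009 OR 1=1"))  # all four rows, both departments
    print(search_safe("sales", "2009"))               # ['sales-09']
    try:
        search_safe("sales", "2009 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

Logging the rejection in `search_safe` is a cheap detection signal: a year field that fails integer validation is rarely an honest typo.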
Incredibly simple...!! Isn't it...!!