Generally all companies using some type of data base behind there applications. SQL (Structured Query Language) Injection can be used to penetrated the database. Now a days SQL injection is a most popular way to attack the web site. SQL is a common and popular databases for all the users. Which allows the user's to storage,manipulation, and retrieval of data.
Defense Against SQL Injection:-
Mostly websites are publically and any visitor can access to the data base after permission by firewalls.
We can not block SQL injection attack by using anti-virus programs as Anti-virus programs can only handle entirely some other type of incoming data.
We can try for defense against SQL injection,by using two ways:-
1-There should be a routine bases updating and patching of servers, giving services and using applications.
2-We should try to write such type of code which can disallows unexpected or unauthorized SQL commands.
By using above mention two defenses method we can save our application by the attack of SQL injection.
For Example:-
SELECT
FROM TBLUSER
WHERE TBL_USER='Name' AND TBL_PWD='PWD'
If user enter
TBL_USER=1
TBL_PWD=1
If we pass the values by using HTTP GET method on the sever, one can notice that system will authenticate the user without knowing the name and password because query return condition true value (OR 1=1).
There are few SQL injection tools for penetration testing mention as below :-
- BSQL Hacker
- The Mole
- Pangolin
- SQLmap
- Havij
- Enema SQLi
- SQLninja
- sqlsus
- Safe3 SQL Injector
- SQL Poizon
0 Comment(s)