Sql Injection
Application security is always a challange for the application developer. As some of anonymous users who try to break your application for his fun. Sometimes loopholes in your application can be more dangerous for you and your application users. Sql Injection is one of the vulnerability.
According to OWASP( Open Web Application Security Project) it is the top most volunerability for the application. OWASP is an online community dedicated to web application security. The Sql Injection attacks are very common.
The attacker can inject the sql query or part of a sql query using the application form like textbox, textarea etc. If attacker succeed to inject the sql query, he would be able to
- Read sensitive data from the database, can modify data (insert/update/delete),
- He could execute administration operations on the database (such as shutdown the DBMS),
- He could recover the content of a given file existing on the DBMS file system or write files into the file system, and,
- In some cases, issue commands to the operating system.
How the attacker do Sql Injection :
To attack an application attacker first check how the application is handling the user input. SQL Injection attacks are take place when developers creates dynamic database queries with user supplied input. To avoid SQL injection attack is simple. Application developers need to either:
- stop writing dynamic queries; and/or
- prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.
For example :
Example 1 : In this example i will show you how attacker can get all your data from the database using sql injection.
String query = select username, password from login where username='+request.getParameter("username")+';
The above example is unsafe and cause the sql injection. The attacker can pass the username form the textbox like :
'john' or '1'='1
the above input will create query like :
String query = select username, password from login where username='john' or '1'='1'
which will always run and retrieve all your data from the login table. This is just a small case, It could be disaster if it is related to your bank account or any sensitive information.
Example 2 : In this example I will show you how user can update your information in table using Sql injection.
Lets take the same query above suppose user has passed the input like
Y';UPDATE table login
SET username = 'hacker'
WHERE username = 'sam';
Now the query will be like
select username, password from login where username='Y';UPDATE table login
SET username = 'hacker' WHERE username = 'sam';
See one query is wrong but another query could be run simultaneously and can update the data on the table.
Primary Defenses for Sql Injection:
- Sensitize the data before append to sql query.
- Always use of Prepared Statements (Parameterized Queries)
- Use of Stored Procedures
- Escaping all user supplied input
All this disscussion is very imporant from the developers point of view, because one loophole can crash your application and put you on danger. There are solutions to get rid of those volunerabilites. OWASP provides an API called ESAPI which has solution for almost all kind of volunerabilities or attacks. Google has provides the code repository for the ESAPI which is helpful to understanding the safe code.
0 Comment(s)