Hacking: The Unlocking of Transparency by Pratap Singh Ashutosh
Author: Pratap Singh, Ashutosh
Language: eng
Format: epub
Publisher: Technical Sapien
Published: 2020-06-22T16:00:00+00:00
Chapter 15
SQL Injection
Almost every web application employs a database to store the various kinds of information that it needs in order to operate. For example, a web application deployed by an online retailer might use a database to store the following information:
User accounts, credentials, and personal information
Descriptions and prices of goods for sale
Orders, account statements, and payment details
The privileges of each user within the application
The means of accessing information within the database is Structured Query Language, or SQL. SQL can be used to read, update, add, and delete information held within the database.
SQL is an interpreted language, and web applications commonly construct SQL statements that incorporate user-supplied data. If this is done in an unsafe way, then the application may be vulnerable to SQL injection. This flaw is one of the most notorious vulnerabilities to have afflicted web applications. In the most serious cases, SQL injection can enable an anonymous attacker to read and modify all data stored within the database, and even take full control of the server on which the database is running.
An attacker may be able to manipulate your web application into altering the commands it submits to its subsystems simply by sending requests with crafted payloads. In the SQL injection case, a user of your website can cause your application to change this:
select * from users where username='AviD' and password='1234'
into this (for example by supplying Admin'-- as the username: the quote closes the string literal and the -- turns the rest of the statement into a comment, so the password check never runs):
select * from users where username='Admin'
This lets the attacker log in to your application as the administrator without knowing the password. Other uses of the attack include stealing secrets (or money), changing data, or erasing all traces of activity.
Other forms of injection include LDAP injection, XPath injection, command injection and SMTP injection: any time the application concatenates untrusted user input into a command that is passed to an interpreter. The abnormal data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
How to be secure from such injections?
Validate all untrusted input with a whitelist (allow-list) approach, regardless of source. Treat this as defence in depth, not as a substitute for the next point.
Always access the database with parameterized queries (prepared statements) instead of concatenating a string query. Stored procedures help only if they are themselves parameterized; a procedure that builds dynamic SQL from its arguments is just as injectable as application code that does so.
Even better, use a proper ORM (Object Relational Mapping) library (such as Hibernate, Entity Framework, ActiveRecord to name a few, depending on your platform). Note that most ORMs still expose raw or native query methods, and concatenating user input into those reintroduces the problem.
Limit the potential damage of a successful exploit by reducing the application's database privileges, for example by connecting with an account that can only read and write the tables it needs and cannot create or drop objects or run operating-system commands.
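The following is an added example, not code from the book, that puts the login bypass described above and the parameterized-query defence side by side. It uses Python's standard sqlite3 module with a constructed in-memory users table (the usernames, passwords and the USERNAME_RE allow-list pattern are assumptions for the demonstration); the vulnerable function builds the query by string concatenation exactly as the chapter warns against, and the hardened one validates the username and passes both values as bound parameters.

```python
import re
import sqlite3

# Constructed sample data for the example: two users, one of them an admin.
# Passwords are stored in clear text only to keep the injection demo short;
# a real application stores salted password hashes.
SAMPLE_USERS = [
    ("Admin", "s3cret-admin-pw", 1),
    ("AviD", "1234", 0),
]

# Assumed allow-list for usernames: letters, digits, dot, underscore, dash.
# A quote, semicolon or comment marker can never pass this check.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Build an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (username text primary key, "
        "password text, is_admin integer)"
    )
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the chapter warns about: user input concatenated into SQL.

    Returns the matched username, or None when no row matches.
    """
    sql = (
        "select username from users where username='" + username
        + "' and password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Allow-list validation plus a parameterized query.

    The username and password travel to the database as bound values, so
    whatever they contain is compared as data and never parsed as SQL.
    """
    if not USERNAME_RE.fullmatch(username):
        return None
    row = conn.execute(
        "select username from users where username=? and password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both login paths against the same payload and return the outcomes."""
    conn = make_db()
    # The quote closes the string literal; -- comments out the password check,
    # leaving: select username from users where username='Admin'
    payload = "Admin'--"
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, "anything"),
        "hardened_bypass": login_hardened(conn, payload, "anything"),
        "hardened_legit": login_hardened(conn, "AviD", "1234"),
        "hardened_wrong_pw": login_hardened(conn, "AviD", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload Admin'-- the vulnerable path returns the Admin row without the password ever being checked, while the hardened path returns None for the same input and still authenticates AviD with the correct password. The fourth recommendation, a low-privilege database account, cannot be shown with SQLite (it has no GRANT), but on a server database the same code would connect as a role limited to SELECT on the tables it needs.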