Since my last article on XSS, the OWASP organization has released a new Top 10 for 2010 and has placed injection attacks in the number one spot. Now that XSS and SQL injection have swapped positions, I will continue the article series using the new Top 10 list. You can find the new OWASP Top 10 Release Candidate list here. To begin, SQL injection is a class of injection flaw in which a database-backed application accepts untrusted data as part of a command or query. The attacker targets the application itself rather than the server or its running services. The vulnerability generally arises because the application does not validate or properly escape user input before building the query.
What is SQL Injection?

SQL injection can be further defined as an attack that supplies SQL queries and commands through web page input. Many web pages receive input parameters from a user and, based on that input, build SQL queries that are sent directly to a database. For example, a web site that requires a login and password will send a SQL query to a database to check whether the user has a valid account. With SQL injection, an attacker can send crafted username and password fields that modify the SQL query the application sends to the database. The modified query can grant access to the web site or even to the database itself.
SQL Injection Attack Examples

A simple database query like "select * from clients;" is safe from SQL injection. However, a query like "select * from clients where clientID = 'clientid';" is at risk, because the clientID value is supplied from the client side and can be modified there. A user could simply save the web page, edit the form code and then submit it to the web application. For example, suppose an attacker is on a web page that requires a login and password, and the database is running Microsoft SQL Server. The attacker types the following into the login box:

a' exec master.dbo.xp_cmdshell 'rundll32.exe user32.dll,LockWorkStation'

Depending on how insecure the server and web application are, this command would cause SQL Server to lock the computer. The following command would stop IIS, making the site unavailable to anyone:

a' exec master.dbo.xp_cmdshell 'iisreset/Stop'

Most attackers would not want to disrupt services but rather to gain more information about the data stored in the database. If a web application is badly designed, it could even be possible to steal credit card information from an online store.
How to Prevent SQL Injections

The best way to prevent SQL injection attacks is to develop the web application securely from the start. Use a safe API that provides a parameterized interface, so that user input is always passed to the database as data rather than concatenated into the query text. Additionally, filter out characters such as single quotes, double quotes, backslash, slash, semicolon, newline and extended characters like NULL from user input, URL parameters and cookie values. If a value is numeric, always convert the variable to an integer before using it in a SQL statement. On the server side, change the security settings so that the database runs under a low-privileged user account rather than an administrator account. Without proper safeguards, web applications are very vulnerable to many types of attack, and one of the most common attacks on database applications is SQL injection. Using this method, an attacker can feed commands to the application in the hope of gaining unauthorized access to the database. By following the suggestions above, however, SQL injection attacks can be prevented.
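As an added example (not code from the original article), the following Python snippet contrasts the login query built by string concatenation with the same query issued through the driver's parameterized interface, and applies the integer-conversion rule to the clientID lookup from the example above. The sqlite3 in-memory database, table names, sample rows and function names are assumptions constructed for the demonstration.

```python
import sqlite3
from typing import Optional

# Constructed in-memory sample database; the table layout and rows are
# assumptions for this demonstration, not taken from the article.
# Passwords are stored in clear text only to keep the example short.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('alice', 'correct-horse');
    CREATE TABLE clients (clientID INTEGER, name TEXT);
    INSERT INTO clients VALUES (1, 'Acme'), (2, 'Globex');
""")


def vulnerable_login(username: str, password: str) -> bool:
    """Builds the login query by string concatenation: whatever the user
    types becomes SQL text, so a quote in the input closes the string
    literal and rewrites the query's logic."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(username: str, password: str) -> bool:
    """Issues the same query through the driver's parameterized interface:
    the '?' placeholders are bound by the driver, so the input is sent as
    data and can never change the structure of the statement."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def fetch_client(client_id) -> Optional[tuple]:
    """Looks up a client by ID after converting the value to an integer.
    A non-numeric value such as "1 OR 1=1" raises ValueError before any
    SQL is built, and the resulting int is still bound as a parameter."""
    cid = int(client_id)
    sql = "SELECT clientID, name FROM clients WHERE clientID = ?"
    return conn.execute(sql, (cid,)).fetchone()


if __name__ == "__main__":
    # A crafted password field bypasses the concatenated query, while the
    # parameterized query treats the same text as a literal value.
    crafted = "' OR '1'='1"
    print("vulnerable:", vulnerable_login("alice", crafted))  # True
    print("safe:", safe_login("alice", crafted))              # False
    print("client 2:", fetch_client("2"))                     # (2, 'Globex')
```

The same pattern applies to any database driver that offers placeholders; the exact placeholder syntax (`?`, `%s`, `:name`) varies by driver.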