In the previous article, “INJECTION ATTACKS TUTORIAL – OWASP #1 VULNERABILTY – PART 1“, we learned the basics of Injection attacks and the types of Injection attack. Today we will learn the basics of SQL Injection. As we saw in the previous article, Injection means adding something extra to a piece of code or a query so that it no longer behaves the way its author intended. Similarly, SQL Injection means adding something extra to an SQL query so that the query deviates from its intended behavior.


What is SQL Injection?

SQL injection is an attack in which malicious code is inserted into strings that are later passed to a database server for parsing and execution. SQL Injection works by injecting data into a web application which is then used in SQL queries. The data usually comes from untrusted input such as a web form. However, it is also possible that the data comes from another source, including the database itself. Programmers will often trust data from their own database, believing it to be completely safe, without realizing that being safe for one particular usage does not mean it is safe for all subsequent usages (this is known as second-order injection: the payload is stored first and fires later when the stored value is concatenated into another query). Data read from a database should be treated as untrusted unless proven otherwise, e.g. through validation.

If successful, an SQL Injection can manipulate the SQL query being targeted to perform a database operation not intended by the programmer.

How does SQL Injection happen?

In most web applications, developers embed SQL queries in the server-side code of their pages in order to submit data to, and retrieve data from, the database; this is normal practice in the corporate world. When a visitor requests such a page, the query runs on the server and only the resulting HTML is sent to the browser, so a regular user never sees the SQL behind the page. What does a hacker do that a regular user doesn't? The hacker inspects the web page to work out how a particular value is retrieved, how a particular search form or text field (a login box or any other input) is validated, and so on. If, during this inspection, the hacker provokes a database error message or an abnormal termination (abend), that is a strong sign that the input reaches a query without being escaped, and that the application is likely vulnerable to Injection flaws. How exactly does the hacker test this? Checking for SQL injection is not rocket science: they submit values from the special-character set (a single quote, a double quote, a semicolon, comment markers such as -- or /* */), escape sequences such as a backslash, and, last but not least, URL- or HTML-encoded forms of the previous two (for example %27 in place of a single quote), and watch how the page's response changes.
SQL injection occurs when the following things come together:
1. Data enters a program from an untrusted source.
2. That data is used to build an SQL query dynamically, i.e. it is concatenated into the query text, whether it comes from user input, from program logic, or from some other functionality.
3. The escape sequences and the type of that data are not handled properly before it reaches the query: it is neither validated, nor escaped, nor passed as a bound parameter.

Consider the following example (PHP with mysqli):
$db = new mysqli('localhost', 'username', 'password', 'mydatabase');
// Vulnerable: the raw POST value is concatenated straight into the query text
$result = $db->query(
    'SELECT * FROM transactions WHERE user_id = ' . $_POST['user_id']
);
The above query has several Injection flaws associated with it. What is wrong with it:
1. First of all, the contents of $_POST['user_id'] are not validated to ensure that the value is a valid user ID (for example, a positive integer).
2. We are allowing an untrusted source to tell us which user_id to use, so an attacker can request any valid user_id they want, including other users' transactions. Strictly speaking this is an access-control flaw rather than an injection, but it stems from the same unchecked input. Many developers believe that sending user_id in a POST body rather than in the URL hides it from the user, but they are wrong: an attacker can submit anything in a form field or in the raw HTTP request.
3. We have neither escaped user_id nor passed it to the query as a bound parameter, which allows the attacker to inject arbitrary strings that manipulate the SQL query, given that we failed to validate it in the first place. A value such as 1 OR 1=1 turns the WHERE clause into an always-true condition and returns every row of the table.
The above three issues are quite common across web applications. We will discuss each of them in detail in later articles.
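The following is an added example, not code from the original article: it reproduces the shape of the PHP query above in Python against an in-memory SQLite database (the page uses PHP and MySQL; SQLite is used here only so the example runs offline with no server). The table name transactions comes from the page; the sample rows, the column layout (id, user_id, amount), and the function names are constructed for illustration. It shows the probing step described earlier (a stray quote producing a database error, a tautology returning every row), and then two fixes: binding the value as a parameter, which makes the database treat it as data, and validating it first, which rejects the attack before any SQL runs.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's "transactions" table
# (id, user_id, amount); not taken from the original article.
SAMPLE_ROWS = [
    (1, 101, 25.00),
    (2, 101, 40.50),
    (3, 102, 99.99),
    (4, 103, 5.25),
]


def make_db():
    """Build an in-memory SQLite database that plays the role of 'mydatabase'."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE transactions (id INTEGER PRIMARY KEY, user_id INTEGER, amount REAL)"
    )
    db.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def vulnerable_lookup(db, raw_user_id):
    """Same shape as the page's PHP: the raw form value is glued into the SQL text."""
    sql = "SELECT id, user_id, amount FROM transactions WHERE user_id = " + raw_user_id
    return db.execute(sql).fetchall()


def probe(db, raw_user_id):
    """What an attacker sees when sending a test value to the vulnerable query:
    either the rows that came back, or the database's own error text."""
    try:
        return ("rows", vulnerable_lookup(db, raw_user_id))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def bound_only_lookup(db, raw_user_id):
    """Fix 1, binding alone: the value travels separately from the query text, so
    '101 OR 1=1' is compared as a literal string and simply matches nothing."""
    sql = "SELECT id, user_id, amount FROM transactions WHERE user_id = ?"
    return db.execute(sql, (raw_user_id,)).fetchall()


# Hypothetical validation rule for this example: a user_id is 1 to 10 decimal digits.
USER_ID_RE = re.compile(r"[0-9]{1,10}")


def safe_lookup(db, raw_user_id):
    """Fix 2, validate then bind: reject anything that is not a decimal integer
    before touching the database, and still pass the value as a bound parameter."""
    if not isinstance(raw_user_id, str) or not USER_ID_RE.fullmatch(raw_user_id):
        raise ValueError("user_id must be a decimal integer")
    sql = "SELECT id, user_id, amount FROM transactions WHERE user_id = ?"
    return db.execute(sql, (int(raw_user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal use: the form sends "101" and only that user's rows come back.
    print("vulnerable, normal input:", vulnerable_lookup(db, "101"))
    # Probe with a stray quote: the error message reveals that input reaches the query unescaped.
    print("vulnerable, probe 101':", probe(db, "101'"))
    # Classic tautology: the WHERE clause becomes always-true and every row is returned.
    print("vulnerable, 101 OR 1=1:", vulnerable_lookup(db, "101 OR 1=1"))
    # Binding alone: the same attack string is now just data and matches no row.
    print("bound only, 101 OR 1=1:", bound_only_lookup(db, "101 OR 1=1"))
    # Validate then bind: good input works, the attack input is rejected before any SQL runs.
    print("safe, normal input:", safe_lookup(db, "101"))
    try:
        safe_lookup(db, "101 OR 1=1")
    except ValueError as exc:
        print("safe, 101 OR 1=1 rejected:", exc)
```

Note that the probe relies on the database error reaching the attacker; an application that hides errors is not thereby safe, it only forces the attacker to use blind techniques (timing or true/false responses) instead. Binding parameters is what actually removes the flaw; validation on top of it keeps nonsense out of the query and gives you a clean place to log attempts.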
That's it for today. In later articles we will look in more detail at how SQL injection occurs and how to fix it, so stay connected.
