SQL Injection



Description

SQL injection is a vulnerability in database access code that allows attackers to execute unauthorized queries against the database. SQL injection vulnerabilities are caused by concatenating untrusted data into SQL query syntax: the database cannot tell the data apart from the surrounding query text, so an attacker who controls that data can change the meaning of the query and execute arbitrary statements. The specific code and configuration determine the exact impact, because they constrain how the attacker can manipulate the query while keeping it syntactically valid (for example, which clause the data lands in, and whether comments or multiple statements are accepted). SQL injection applies to every application that builds SQL queries from input, whatever the language or database server.

Impact

SQL injection allows the attacker to read any data that the application's database account can reach, which in practice is usually the whole application database. The attacker will typically use this to extract sensitive data. If the database holds credentials, the attacker is likely to try them (cracking any password hashes first) to log in as an administrator and take over the application or the server. Some database servers allow so-called "stacked queries", in which several statements separated by semicolons are executed from one string. Where stacked queries are accepted (this depends on both the database server and the client library the application uses), SQL injection lets the attacker run any statement at all, including INSERT, UPDATE, DELETE and schema changes, which usually means full control of the application's data. Many database servers also expose functions for executing operating system commands or reading and writing files on the server (Microsoft SQL Server's xp_cmdshell is one example); the attacker may abuse such functionality through SQL injection to take full control of the server.

Countermeasures

To prevent this problem, validate all input and use parameterized APIs for database access.

Validate all input: check every value that can reach a query against the type, length, range and character set the application expects for that field, and reject anything that does not conform. Validation reduces the attack surface but is not sufficient on its own, because a legitimate value (such as a surname containing an apostrophe) still breaks query syntax when it is concatenated.

Use parameterized APIs for database access: pass data values to the database as bound parameters of a prepared statement instead of concatenating them into the query text, so the database parses the query structure once and never interprets attacker-controlled data as SQL syntax. Parameters cannot be bound for identifiers such as table or column names, or for keywords such as the ORDER BY direction; where the application must choose those dynamically, select them from a fixed allowlist rather than building them from input. Stored procedures prevent injection only if they are called with parameters and do not themselves build dynamic SQL from their arguments.
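As an added worked example (Python, not code from the original page), the following script builds an in-memory SQLite database seeded with constructed sample accounts and shows the same login query written both ways: concatenated, where a classic payload logs in as the administrator without knowing the password, and parameterized, where the identical payload simply matches no row. It also shows allowlist validation for a sort column, since identifiers cannot be bound as parameters. The table layout, the account data and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original page):
# a users table with one ordinary account and one administrator.
USERS = [
    ("alice", "s3cret", 0),
    ("admin", "hunter2", 1),
]


def make_db():
    """Build an in-memory SQLite database seeded with USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately vulnerable: data is concatenated into SQL syntax.

    A name of "admin' --" closes the string literal and comments out the
    password check, so the query matches the admin row regardless of the
    password supplied. Returns the list of matching user names.
    """
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, name, password):
    """Hardened: the same query with bound parameters.

    The database receives the SQL text and the values separately, so
    quotes, comment markers or keywords inside the values are compared
    as data and never parsed as syntax.
    """
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# Allowlist of columns the caller may sort by. Identifiers cannot be
# bound as parameters, so they are validated against a fixed set instead.
SORTABLE_COLUMNS = {"name", "is_admin"}


def list_users_sorted(conn, order_by):
    """Return user names ordered by a caller-chosen column.

    Raises ValueError for any column not in SORTABLE_COLUMNS; the
    identifier is only interpolated after it has been validated.
    """
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order_by)
    query = "SELECT name FROM users ORDER BY " + order_by
    return [row[0] for row in conn.execute(query)]


def run_demo():
    """Run both query styles against the same payloads and collect results."""
    conn = make_db()
    bypass = "admin' --"
    tautology = "' OR '1'='1"
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass, "wrong"),
        "vulnerable_tautology": sorted(login_vulnerable(conn, tautology, tautology)),
        "parameterized_bypass": login_parameterized(conn, bypass, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "s3cret"),
        "sorted_by_name": list_users_sorted(conn, "name"),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print("%-22s %r" % (label, result))
```

Running the script prints the admin account for the concatenated query and an empty result for the parameterized one, with the same input in both cases; passing a value such as "name; DROP TABLE users" to list_users_sorted raises ValueError before any SQL is built.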

Application Check

To check for adequate protection against this vulnerability, find all queries generated by the application and verify that all input is validated and that parameterized APIs are used for database access.

All input is validated: for every value that reaches a query, locate the validation code and confirm that it enforces the expected type, length, range and character set before the value is used, and that the check cannot be bypassed through an alternative code path.

Parameterized APIs are used for database access: for every call that sends SQL to the database, confirm that the query text is a constant and that all data values are passed as bound parameters; any query built by string concatenation, string formatting or interpolation is a finding. Pay particular attention to dynamic ORDER BY clauses, table names and LIMIT values, which cannot be parameterized and must be validated against an allowlist, and to stored procedures that construct SQL internally from their arguments.
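As an added illustration of this check (not code from the original page), the following Python script uses the standard library ast module to locate DB-API style execute() and executemany() calls in Python source and classify how each query text was built. The sample source lines are constructed for the example, and the names find_queries and needs_review are my own. A "static" verdict only means the literal was passed directly; a "dynamic" verdict means the query came from a variable and must be traced by hand.

```python
import ast

# Constructed sample input for this example: lines as they might appear in
# an application's data-access layer (not code from the original page).
SAMPLE_SOURCE = """\
cursor.execute("SELECT name FROM users WHERE id = " + user_id)
cursor.execute("SELECT name FROM users WHERE id = %s" % user_id)
cursor.execute(f"SELECT name FROM users WHERE name = '{name}'")
cursor.execute("SELECT name FROM users WHERE id = {}".format(user_id))
cursor.execute("SELECT name FROM users WHERE id = ?", (user_id,))
cursor.execute("SELECT count(*) FROM users")
cursor.execute(query)
"""

EXECUTE_METHODS = ("execute", "executemany")


def _verdict(call):
    """Classify one execute()-style call by the shape of its first argument."""
    if not call.args:
        return "dynamic"
    sql = call.args[0]
    # Plain string literal: safe if it is the whole query, parameterized if
    # values follow as a second positional argument or a keyword argument.
    if isinstance(sql, ast.Constant) and isinstance(sql.value, str):
        if len(call.args) > 1 or call.keywords:
            return "parameterized"
        return "static"
    # f-string interpolation.
    if isinstance(sql, ast.JoinedStr):
        return "concatenated"
    # "..." + value  or  "..." % value
    if isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Add, ast.Mod)):
        return "concatenated"
    # "...".format(value)
    if (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
            and sql.func.attr == "format"):
        return "concatenated"
    # Anything else (a variable, a function result) needs manual tracing.
    return "dynamic"


def find_queries(source):
    """Return (line number, verdict) for every execute()-style call in source."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXECUTE_METHODS):
            findings.append((node.lineno, _verdict(node)))
    return sorted(findings)


def needs_review(source):
    """Line numbers whose query is concatenated or cannot be classified."""
    return [line for line, verdict in find_queries(source)
            if verdict in ("concatenated", "dynamic")]


if __name__ == "__main__":
    lines = SAMPLE_SOURCE.splitlines()
    for lineno, verdict in find_queries(SAMPLE_SOURCE):
        print("%-14s line %d: %s" % (verdict, lineno, lines[lineno - 1]))
    print("needs review:", needs_review(SAMPLE_SOURCE))
```

The classifier is a triage aid, not a proof of safety: it flags the four concatenation styles and the opaque variable for review and leaves the bound-parameter call alone, but a query assembled elsewhere and then passed in as a variable will only ever be reported as "dynamic".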

Computer Based Training Links

Use the following Computer Based Training course(s) for more background information about this type of vulnerability.

OWASP Top Threats & Mitigations

This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.

DES 221 OWASP Top Threats & Mitigations

Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact support@securityinnovation.com for help.
