Monday, January 07, 2008

SQL injection

SQL injection is a method where an attacker inserts new statements into existing statements. Instead of supplying values in the form the application expects, the attacker tries to escape out of the intended code and insert their own code in a way that it will be executed. Even though this is a very old technique, it turns out that thousands and thousands of web applications are still vulnerable to SQL injection.

Basically, an SQL injection possibility is due to bad coding. When SQL injection was quite new it could in some cases be very hard to close a possible SQL injection vulnerability. Today there are so many standard ways of making sure that a client sends you what you expect and is not able to "break out" of a web application that this is no longer an excuse.
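To make the "break out" concrete, here is an added example (not from the original post) that puts the bad-coding version next to the standard fix: a query built by string concatenation beside the same query using a bound parameter, run against a constructed in-memory SQLite table. The driver, table and sample input are assumptions for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample data: a tiny in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_concatenated(conn, name):
    """Vulnerable: the client-supplied value is pasted into the SQL text,
    so a quote character in it changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    """Hardened: the value travels as a bound parameter; the database never
    interprets its contents as SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    conn = make_db()
    normal = "bob"
    # Constructed input that closes the quoted literal early; only the
    # concatenated version lets it alter the WHERE clause.
    breakout = "' OR '1'='1"
    return {
        "concat_normal": lookup_concatenated(conn, normal),
        "concat_breakout": lookup_concatenated(conn, breakout),
        "param_normal": lookup_parameterized(conn, normal),
        "param_breakout": lookup_parameterized(conn, breakout),
    }

if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The concatenated lookup returns every user for the second input, while the parameterized lookup returns nothing because it searches for that odd string literally.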

Even though it is quite standard to test your application for this and other possible security vulnerabilities, it is handy to have some documentation ready and read it, so you can gain an even better understanding of this technique and how to prevent it.

Before cleaning them up from my desk I would like to share some of the documents I will be shredding, which I found quite good for getting a basic understanding of SQL injection. The best way, however, is trying to hack into (your own) web applications: trying to find the possibilities, the loopholes and the way to close them.

Good reads are:

Advanced SQL Injection in SQL Server Applications:
"This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be 'injected' into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack. The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications."

An Introduction to SQL Injection Attacks for Oracle Developers:
"Most application developers underestimate the risk of SQL injection attacks against applications that use Oracle as the back-end database. Our audits of custom web applications show many application developers do not fully understand the risk of SQL injection attacks and simple techniques used to prevent such attacks. This paper is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable. It is not intended to be a tutorial on executing SQL attacks and does not provide instructions on executing these attacks."

SQL Injection:
"SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries, but without first stripping potentially harmful characters. Despite being remarkably simple to protect against, there is an astonishing number of production systems connected to the Internet that are vulnerable to this type of attack. The objective of this paper is to focus the professional security community on the techniques that can be used to take advantage of a web application that is vulnerable to SQL injection, and to make clear the correct mechanisms that should be put in place to protect against SQL injection and input validation problems in general."
