Week 8

A SQL injection attack consists of embedding malicious SQL in input sent from the client to the server application. The most common case is that of input fields, where the hacker inserts SQL into, for example, a username or password text box. If proper controls and precautions are not taken, the SQL will make it to the server application and be executed against the database. A successful SQL injection attack has a number of consequences. Some of these are listed below:

  • Read, insert, modify or delete data in the database. This basically means the attacker can perform any CRUD operation against any database table.
  • Execute administrative commands against the database. For example, in SQL Server a hacker might execute commands such as DROP, ALTER or DETACH DATABASE, or even shut down the SQL Server instance with the SHUTDOWN command.
  • Steal sensitive information or gain access to confidential information by bypassing the login screen.
  • In some cases it may also be possible to execute commands on the operating system.

According to many published resources, SQL injection consistently ranks among the top 10 most common vulnerabilities. Veracode in its “10 Scariest Vulnerabilities” ranks it at number 9. SQL injection is fairly easy to execute, and its complexity really depends on the creative thinking of the hacker. It is most common in web applications; however, in recent years .NET and Java applications have taken a number of steps to minimize the threat posed by SQL injection.

Let’s take a simple example of how SQL injection is executed. Consider a web application that needs to display the profile of a specific user. The user is identified by a unique id that is passed to the server in the query string. In a nutshell, the code may look as follows:

// user-controlled value read from the URL and concatenated straight into the SQL text
string userId = Request.QueryString["UserId"];

string sql = "SELECT * FROM USERS WHERE UserId = " + userId;

The first statement grabs the user id from the URL, and the second concatenates it into the query that is sent to SQL Server to get the information for that user. If all goes well this will return only the user requested by the user id. Let’s see how this can be abused to insert SQL. Instead of passing, for example, user id “100” in the URL, the hacker may pass something like the following:

“100 OR 1 = 1”

The “1 = 1” condition, when evaluated by SQL Server, is always true. The query therefore means: return the user with user id “100” and everything else from the table. The final SQL script will look as follows:

string sql = "SELECT * FROM USERS WHERE UserId = 100 OR 1 = 1";

This allows the hacker to retrieve information about every user in the system, exposing a major vulnerability.
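Added here as an illustration (not code from the original page), the same lookup written in Python against an in-memory SQLite table, with the concatenated query beside its parameterized replacement; the USERS rows are constructed sample data and the SQLite dialect stands in for SQL Server.

```python
import sqlite3

# Constructed sample rows standing in for the page's USERS table.
SAMPLE_USERS = [(100, "alice"), (101, "bob"), (102, "carol")]


def make_db():
    """Create an in-memory USERS table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (UserId INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, user_id):
    """String concatenation, as in the page's C# snippet: the query-string
    value becomes part of the SQL text, so 'OR 1 = 1' is parsed as SQL
    and the WHERE clause matches every row."""
    sql = "SELECT UserId, Name FROM USERS WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Parameterized query: the SQL text is fixed and the value is bound
    separately, so it is only ever compared as data. The whole payload
    '100 OR 1 = 1' is compared against UserId and matches nothing.
    (In .NET the equivalent is SqlCommand with SqlParameter objects.)"""
    sql = "SELECT UserId, Name FROM USERS WHERE UserId = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "100 OR 1 = 1"  # the page's example input
    print("concatenated :", vulnerable_lookup(db, payload))  # all three rows
    print("parameterized:", safe_lookup(db, payload))        # []
```

The parameterized version still returns the right row for a legitimate id such as "100"; only the injected condition stops working.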