Introduction
Many people say they know what SQL injection is, but all they have heard about or
experienced are trivial examples. SQL injection is one of the most devastating vulnerabilities
to impact a business, as it can lead to exposure of all of the sensitive information stored in
an application’s database, including handy information such as usernames, passwords,
names, addresses, phone numbers, and credit card details.
So, what exactly is SQL injection? It is the vulnerability that results when you give an
attacker the ability to influence the Structured Query Language (SQL) queries that an
application passes to a back-end database. By being able to influence what is passed to the
database, the attacker can leverage the syntax and capabilities of SQL itself, as well as the
power and flexibility of supporting database functionality and operating system functionality
available to the database. SQL injection is not a vulnerability that exclusively affects Web
applications; any code that accepts input from an untrusted source and then uses that input
to form dynamic SQL statements could be vulnerable (e.g., “fat client” applications in a
client/server architecture).
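The definition above, as an added example that is not from the original text: the same lookup written once as a dynamic SQL statement and once with a bound parameter, run against an in-memory SQLite database. The table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database (assumption, not from the page).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test"),
                    ("o'brien", "obrien@example.test")])
    return db

def lookup_dynamic(db, username):
    # Vulnerable form: the input becomes part of the statement text, so the
    # database parses it as SQL syntax rather than as a value.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, username):
    # Hardened form: the statement text is fixed and the input is passed
    # separately as a bound value, so it can never change the query's structure.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (username,))]

def compare(username):
    # Run both forms on the same input and return (dynamic_result, bound_result).
    db = make_db()
    try:
        dynamic = lookup_dynamic(db, username)
    except sqlite3.OperationalError as exc:
        # A stray quote leaves the dynamic statement syntactically invalid.
        dynamic = "error: " + str(exc)
    bound = lookup_bound(db, username)
    db.close()
    return dynamic, bound

if __name__ == "__main__":
    # Constructed inputs: a plain name, a legitimate name containing a quote,
    # and a value whose quote changes the WHERE clause of the dynamic form.
    for value in ["alice", "o'brien", "nobody' OR '1'='1"]:
        print(repr(value), compare(value))
```

The dynamic form fails on a legitimate name that contains a quote and returns every row for the third input, while the bound form treats all three inputs purely as data.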
SQL injection has probably existed since SQL databases were first connected to Web
applications. However, Rain Forest Puppy is widely credited with its discovery—or at least
for bringing it to the public’s attention. On Christmas Day 1998, Rain Forest Puppy wrote
an article titled “NT Web Technology Vulnerabilities” for Phrack
(www.phrack.com/issues.html?issue=54&id=8#article), an e-zine written by and for hackers. Rain Forest Puppy
also released an advisory on SQL injection (“How I hacked PacketStorm,” located at
www.wiretrip.net/rfp/txt/rfp2k01.txt) in early 2000 that detailed how SQL injection was used to
compromise a popular Web site. Since then, many researchers have developed and refined
techniques for exploiting SQL injection. However, to this day many developers and security
professionals still do not understand it well.
In this chapter, we will look at the causes of SQL injection. We will start with an overview
of how Web applications are commonly structured to provide some context for understanding
how SQL injection occurs. We will then look at what causes SQL injection in an application
at the code level, and what development practices and behaviors lead us to this.
