Thursday, September 19, 2013

How does your Website becomes vulnerable to SQL Injection?

Developer is the one and only reason for the SQL Injection Vulnerability. While developing the Web Application, he fails to handle some vulnerability(because he doesn't know about it. Don't be one of them. If you are Web Application developer, then you must read these security techniquest in order to overcome the SQL Injection Vulnerability.

Reason 1:Incorrectly filtered escape characters
In this case, the developer fails to filter the input for escape characters and He directly pass the input to SQL statement. This results in vulnerability.

Consider this code:
statement = "SELECT * FROM `users` WHERE `name` = '" + userName + "';"

This code will check the username in datbase. An attacker can use malicious codes to inject his own query. for eg:

' or 1=1
he can enter the above code instead of the username. So the SQL statement will become like this:
SELECT * FROM `users` WHERE `name` = '' OR 1=1;

He can use the comments to block the rest of the query .
for eg:
' or 1=1 --
so the query will become like this:
SELECT * FROM `users` WHERE `name` = '' OR 1=1 -- ;

Here name=' ' is false. But '1'='1' is true. Here we used OR operator. So it is enough to one condition is true. So this will query bypass the login.

Reason 2:Incorrect Type Handling
When the developer fails to check for the data type of input, it will raise the Vulnerability of Database.

Let us consider this query.
Statement=”Select * from `userid` where `id`=”+inputId+”;” ;
Here Id refers a number data. But the inputId is given directly without checking for the type. So attacker can enter any type of data, he can enter a string.

For example if he input as 
1; drop table `userid`;
The query will become as 
Select * from `userid` where `id`=1; drop table `userid`;

Reason 3: Blind SQL Injection(Condtion Response)

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. 
The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page.

This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established

Conditional responses
SELECT `booktitle` FROM `booklist` WHERE `bookId` = 'OOk14cd' AND '1'='1';
will result in a normal page while
SELECT `booktitle` FROM `booklist` WHERE `bookId` = 'OOk14cd' AND '1'='2';
will likely give a different result if the page is vulnerable to a SQL injection
Using this , an attacker can find the column and full datbase details.

No comments:

Post a Comment

Follow Me