SELECT * from USERS where user_name='myValue';
Now assume that the user manipulates this query in the following manner. Instead of typing the
value "myValue", the following is typed: myName' OR 1=1 --
SELECT * from USERS where user_name='myName' OR 1=1 --';
If the application does not validate database input, this will cause the entire user table to be displayed
to the attacker. The above attack is very simple: the condition 1=1 is a Boolean that is always
true, so the WHERE clause now reads "user_name is myName OR 1=1 (an always TRUE
condition)", and the SELECT * from USERS query returns and displays the entire database table.
SQL injection is much more powerful than just the example given above. It can be used to
bypass application logins. Let us explore this with an example:
SELECT * FROM users WHERE username='admin' and password='foo';
Several Web applications contain form-based authentication, where a database is used to store user
information. The aforementioned query traverses the entire users table until it finds the username
'admin' and the password 'foo'. When the application finds the said information, it authenticates
the user into the system and creates a new session for the user. Now, let us explore how this login
process can be bypassed with a SQL injection attack. If the attacker knows the username, but not
the password, this attack is particularly useful:
admin'--
The query now is constructed as follows:
SELECT * FROM users WHERE username= 'admin'--' AND password= 'foo';
This query essentially means the following:
SELECT * FROM users where username= 'admin'
The comment symbol turns the SQL query into one where only the username is required to
authenticate the attacker into the application.
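As an added illustration (not code from the book), the two injections above are run against a constructed SQLite users table: the string-built login the text describes sits beside a parameterised one that passes the same input to the driver as data, so the quote and `--` never become SQL syntax. The table rows are sample values invented for this example.

```python
import sqlite3

# Constructed sample data; the table and rows are not from the original page.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "wonderland")]


def make_db():
    """In-memory SQLite database with a two-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """The string concatenation the text describes: user input becomes SQL."""
    return ("SELECT * FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query; a quote and -- in the input change its meaning."""
    return conn.execute(build_query(username, password)).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values separately, so the
    input is always compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query("admin'--", "foo"))
    print("vulnerable:", login_vulnerable(db, "admin'--", "foo"))
    print("safe:      ", login_safe(db, "admin'--", "foo"))
```

Running it shows the concatenated query returning the admin row for `admin'--` and every row for `myName' OR 1=1 --`, while the parameterised query returns nothing for either input.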
SQL injection attacks have now morphed into sophisticated malware, where the attacker can
enter arbitrary SQL queries into an input field and actually be able to take over the database server,
thereby exploiting buffer overflow vulnerabilities or command execution vulnerabilities inherent
in the database platform and version. These SQL injection worms can actually result in the
attacker gaining complete control over the server. In fact, SQL injection malware was the primary
cause of the security breach at Heartland Payment Systems in late 2008, which has earned the title
of being one of the largest data breaches of all time. *
5.4.2.3 Malicious File Execution
Malicious file execution is not as pervasive a Web application vulnerability as cross-site scripting
and SQL injection, but its effect could be several times deadlier than XSS or SQL injection.
This Web application vulnerability has to do with how the Web application handles stream- or
file-based input. Some Web applications directly trust the file- or stream-based inputs entered by
* Details on the Heartland Payment Systems breach: http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html