Figure 12.14 Use of the IFRAME HTML tag as an XSS vector.
12.2.3.2 Testing for SQL Injection Vulnerabilities
SQL injection has the infamy of being the most devastating attack against Web applications.
SQL injection has also been discussed in Chapters 5 and 10. In an SQL injection attack,
the attacker injects or inputs an SQL query into the application's input field(s) and is able to
extract sensitive information from the database as a result of the crafted query sent to the database.
Databases are the storehouses of information that Web applications access for their
CRUD operations. SQL injection relies on the Web application's incorrect handling of user input:
the input is concatenated into an SQL command and parsed by the database as part of that command,
which gives rise to SQL injection.
The first test that a tester can run is to enter a (') or (;) in the input field along with the input.
The (') is used as a string terminator and the (;) indicates the end of an SQL statement. If
the application does not filter these characters, it will throw an error or an exception. This error
essentially indicates that the application was unable to build the SQL statement because of a
character that became part of the dynamically generated SQL. The error pages of vulnerable
applications display detailed error messages in which the SQL exception is highlighted along
with the full stack trace and the line at which the exception occurred.
SQL injection has also been used to bypass authentication mechanisms. For instance, a Java
application generates an SQL statement to verify the user-entered username and password against
the database of usernames and passwords. A vulnerable SQL statement might look something like
this:
"SELECT * FROM USERS where username = '" + request.getParameter("username")
    + "' AND password = '" + request.getParameter("password") + "'"
Such statements are vulnerable to SQL injection because they dynamically generate SQL queries from
user input with little or no filtering of that input. The tester can test the authentication mechanism
by entering the following user input in the username and password input fields:
1' OR '1'=1
The query that will be dynamically generated is as follows:
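As an added example that is not from the book, the following Python script reproduces the concatenated statement above against an in-memory SQLite database and runs both tests described in this section: the lone quote that provokes a database error, and the tautology entered in both fields to bypass the credential check. The table, the account `alice` and the probe strings are constructed sample data; the tautology is written in the quote-balanced form `1' OR '1'='1`. The parameterized login beside it is the fix the section implies, and it also returns only a generic message on database errors so that no stack trace or SQL fragment reaches the client.

```python
import sqlite3


def setup_db():
    """Constructed sample data: one valid account in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (username TEXT, password TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Same string concatenation as the Java statement on the page."""
    return ("SELECT * FROM USERS WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Dynamic SQL. Returns 'ok', 'denied', or the raw database error text,
    the way a verbose error page leaks it to the tester."""
    try:
        rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    return "ok" if rows else "denied"


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep user input as data, never as SQL,
    and the caller only ever sees a generic error message."""
    try:
        rows = conn.execute(
            "SELECT * FROM USERS WHERE username = ? AND password = ?",
            (username, password),
        ).fetchall()
    except sqlite3.Error:
        return "error: authentication unavailable"
    return "ok" if rows else "denied"


# The two tests described in the text: a lone quote to provoke a parser
# error, and a tautology in both fields to bypass the credential check.
PROBE_QUOTE = "'"
PROBE_TAUTOLOGY = "1' OR '1'='1"


def run_probes(login, conn):
    """Run both probes against a login function and report the outcomes."""
    return {
        "quote": login(conn, PROBE_QUOTE, "x"),
        "tautology": login(conn, PROBE_TAUTOLOGY, PROBE_TAUTOLOGY),
    }


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", run_probes(login_vulnerable, db))
    print("hardened:  ", run_probes(login_parameterized, db))
```

With the concatenated statement, the quote probe yields an `unrecognized token` error from the database (the signal the section tells the tester to look for), and the tautology in both fields returns `ok` without a valid password because the trailing `OR '1'='1'` makes the whole WHERE clause true. The parameterized version returns `denied` for both probes and `ok` only for the real credentials.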