Targeting Database Driven Web Applications through SQL Injection
Before concentrating on SQL injection, let us see on why database driven web applications are being targeted? We are aware that the word dynamic is having a powerful leverage over the term static. The reason behind this perception is due to consistency and the constant modulation. Not understood? Well, let me simplify a bit. In static websites the content will remain stagnant, whereas in dynamic websites, the content will change every time you visit.
This is possible because, in dynamic websites each web page will be associated with the database, so any changes to these databases the content on the site will alter. One of the best real time examples is online banking, where a user can access his account information which keeps changing. Through analyzing this information we can conclude that dynamic websites are data driven or database driven.
If we think logically, real time applications somewhat represents sensitive data. Sensitive data are always vulnerable to some or the other kinds of malicious attacks. In this section we will study about one such attack which is the SQL injection.
What is SQL injection?
A code injection technique, SQL injection efficiently targets data-driven applications. Attackers perform malicious payloads or inserts malicious SQL statements to gain leverage over server database. Once the action is performed, the data will be vulnerable to all kinds of manipulations. One thing to be noted is SQL injection can be performed only on SQL-based databases.
The Possibilities
SQL injections occur due to various reasons now let us go through each of them in detail.
- Inaccuracy in Filtering data for escape characters–
When the user input is inaccurately filtered for escape characters before being passed to SQL statements, the injection occurs. To prevent this, most of the servers do not support the execution of multiple statements, which actually works, but does not stop the attackers from altering the queries.
statement = “SELECT * FROM users WHERE name = ‘” + userName + “‘;”
The above line of code showcases on how a statement can easily come under threat.
- Improper Type Handling–
If the data supplied by user is not strongly typed or examined for proper type constraints, then the chances of the attack is certain.
statement := “SELECT * FROM userinfo WHERE id =” + a_variable + “;”
In the above line of code, the id is assigned with a string, and the chances are there that an attacker can manipulate the data accordingly.
The best way to avoid data exploitation and combat SQL injection is through the following steps,
- Parameterized Statement/Prepared Statement – Instead of directly using the user input into the statement, a prepared statement is used for the same, which acts as a template. Due to this action, any SQL injection which occurs will considered as an invalid value.
- Stored Procedures– Due to this feature the direct access to the data can be avoided. These stored procedures will be stored in databases and allows an automatic caching of executable codes.
- Escaping User Supplied Inputs– Under this procedure any character which has special meaning should be escaped. This avoids the possibility of being susceptible to injection attacks.
- Patter Check– date, UUID, alphanumeric only, is the standardized representation of strings. Any data which does not comprehend to this pattern is not to be considered.
Even though there are various intrusion detection systems, the possibility of being hacked is still increasing. Business environments always deal with critical information which will be under a constant threat. Hence it is necessary to have a control over the anatomy of SQL, so that any of the future attacks can be easily countered.