SQL Injection Attack and Defense
by: Sagar Joshi, 09/23/2005
Web application and SQL Injection
Today many business houses, governments and society in general depend a great deal on web applications. All these web applications are accessed over the Internet and so face the risks associated with its use. These risks are evident in the increasing number of incidents reported on Internet security sites. Thus all our important information assets are at risk from the increased tendency of attackers to break into computer systems.
Security of information assets manifests in the use of various types of hardware and software products, network topologies and configurations, and secured applications. It is now accepted that custom web applications that are insecurely coded pose the greatest risk to sensitive data.
With the improved performance of database servers, most web applications use an RDBMS (Relational Database Management System). These web applications allow their valid users to store, edit or view the data held in the RDBMS through the interface coded by the application programmers. Traditionally programmers have been trained to write code that implements the intended functionality, but in many ways they are not aware of the security aspects. Thus we now have an insecure interface to the most valuable data stored in the RDBMS because of the web application vulnerability called SQL Injection. Attackers use the exposure created by an SQL injection vulnerability to interact with RDBMS servers in SQL (Structured Query Language). In other words, attackers are able to send SQL statements to the RDBMS, which executes them and returns the results to the attacker. The risk of such attacks on a commercial application increases if the web application is delivered along with its source code or if it is an open-source application, since the attacker can find potentially vulnerable statements before launching the attack.
This paper aims to educate security professionals about the risks associated with this situation. It gives a brief understanding of the various kinds of attacks that an attacker may launch and outlines various strategies that can be evaluated and adopted to protect valuable information assets.
1.1 What is SQL injection
Normally web applications provide an interface for the user to input information. These user inputs are then used for many purposes, one of which is to query the databases. The user input, as part of SQL statements, gets executed on the RDBMS. SQL injection is the attempt to input, through the web application's user interface, data that would give a malicious user sensitive information, let them edit or modify protected data, crash the entire system, etc. In the worst-case scenario the malicious user is even able to penetrate further into the network by compromising the security of the database host machine.
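The definition above, as an added example that is not part of the original paper: a Python/sqlite3 sketch that runs the same lookup once with the user input concatenated into the SQL text and once with it bound as a parameter. The table, rows, function names and input values are constructed for illustration.

```python
import sqlite3

# Constructed sample input: the quote ends the string literal early, so the
# rest of the value is parsed as part of the WHERE clause.
CRAFTED = "nobody' OR '1'='1"

def make_db():
    """In-memory database with constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, card_number TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "0000-0000-0000-0001"), ("bob", "0000-0000-0000-0002")],
    )
    return db

def lookup_concatenated(db, username):
    """Weak form: input is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT username, card_number FROM accounts WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    """Hardened form: the statement is fixed and the input is bound as a value."""
    sql = "SELECT username, card_number FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def run(lookup, db, username):
    """Return ('rows', rows) or ('sql_error', message) so both forms can be compared."""
    try:
        return ("rows", lookup(db, username))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "O'Brien", CRAFTED):
        print(repr(name))
        print("  concatenated: ", run(lookup_concatenated, db, name))
        print("  parameterized:", run(lookup_parameterized, db, name))
```

The concatenated form returns every row for the crafted value and fails with a syntax error on an ordinary name containan apostrophe; the parameterized form treats both as plain data and returns no rows.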