What is a SQL Injection Attack?
By Michael Linn
Users of computer systems and visitors to websites are familiar with authenticating their
identity, or proving, "they are who they say they are," by entering their Username and Password.
What actually happens when you enter text into the Username and Password fields of a
login screen is that the text is usually inserted or encapsulated into a SQL command. This
command checks the data you've entered against the information stored in the database, such
as user names and their respective passwords. If your input matches what is stored in the database
then you are granted access to the system. If not, you get an error message and a chance to
re-enter the correct information or you are refused entirely.
Databases are at the core of a modern organization's computer systems because they allow
you to control your business processes. They store data needed to deliver specific content
to visitors, customers, suppliers, and employees. User credentials, financials, payment information,
and company statistics may all reside within a database that can be accessed by legitimate
users and unfortunately attackers as well. SQL or Structured Query Language is the computer
language that allows you to store, manipulate, and retrieve data stored in the database
SQL injection is the exploitation of a website or computer system that is caused by the
processing of invalid data that is entered into the form fields by a malicious user. SQL injection
can be used by an attacker to introduce (or "inject") code into a computer program to change
the course of execution in order to access and manipulate the database behind the site, system or application.
SQL Injection vulnerabilities arise because the fields available for user input allow
SQL statements to pass through to the database directly in order to process data and user requests.
If the input is not filtered properly, web applications may allow SQL commands that enable
hackers to view unauthorized information from the database or even wipe it out.
The attack takes advantage of improper coding of web-based applications and computer
networks that incorporates features that deliver dynamic content such as:
• Login pages
• Customer support pages
• Product request forms
• Feedback forms
• Search pages
• Shopping carts
When the legitimate user submits his details, a SQL query is generated from these details
and submitted to the database for verification. Using SQL Injection, the hacker may input specifically
crafted SQL commands with the intent of bypassing the form barrier and seeing what lies behind it.
Many times all an attacker needs to perform a SQL Injection hacking attack is a web browser,
knowledge of SQL queries, and creativity to guess important table and field names.
A simple illustration of a SQL injection attack goes like this; an attacker attempts
compromise a system that they have no access to by entering code instead of their credentials.
So when the attacker is prompted to enter their Username and Password he enters codes such
as 'x'='x'. And depending how the system's software is written, this command will be True because
x always equal x, so the Username and Password combination will always be True or match!
Once an attacker realizes that a system is vulnerable to SQL Injection, he is able to
inject SQL Commands through the input field. This allows the attacker to execute any SQL command
on the database, including modifying, copying, and deleting data.
The author is a computer security professional with experience protecting small business
and home networks. He also teaches the basics of computer network security at 365 Computer
Security Training where he blogs regularly and creates video training and educational materials
related to information security. Learn more at 365ComputerSecurityTraining.com [parked domain].
More Network Security Articles: • Domain Name System (DNS) Vulnerabilities • The Use of HoneyPots and HoneyNets to Trick Hackers • What Roles Do Firewalls and Proxy Servers Play in Network Security? • Methods to Combat Distributed Denial of Service (DDoS) Attacks • Are You Meeting ISO 27000 Standards for Information Security Management? • ARP, MAC, Poisoning, and WiFi Security • Remote Access Authentication Protocols • Handling Rogue Access Points • Detecting Network Sniffers • Understanding the Dangers Your Systems Face
|