SQL injection can be avoided by using parameterized queries, encoding, and other methods. If an input field in a web application is used in a SQL statement without being parameterized, an attacker can terminate the current SQL statement and begin another one, which is naturally a vulnerability in any web app.
I constructed a basic web application to demonstrate the risks of creating a web app without some form of encoding or parameterized queries, as shown below:
By entering a value such as the following (where 'CommentDescription' is the text you type into the input field), you can terminate the current SQL statement of any INSERT statement being run:
CommentDescription');
Once the SQL statement is terminated, another command can be appended that also takes effect when the data is submitted to the database. Examples include dropping an entire table or deleting records from tables, among other things. This is an extremely dangerous web vulnerability.
For a general user to SQL inject a site, they may sometimes have to guess table names and the field names of certain tables to do what they set out to do; other times they may be able to write SQL general enough that they do not need specifics to perform malicious attacks on your database. Either way, this definitely stresses the importance of not using generic table names, such as 'login' for a login table or 'id' for your primary key.
Here is an example of the text I placed into the input field of the web application shown above.
CommentDescription');DELETE FROM tblimagescomments WHERE commentId='32';
This line of SQL completes the previous statement and then deletes the record with id 32 from the comments table. Although it may always seem unlikely that an attacker would be able to guess your table structure or pinpoint that your application has this vulnerability, SQL injection is considered one of the most prominent web security threats out there.
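To make the contrast concrete, here is an added example (not the original web application's code) that runs the exact comment-field value above against a constructed SQLite stand-in for the comments table, once with string concatenation and once with a parameterized INSERT. The table name and record id 32 come from the post; the in-memory schema and the use of executescript() to mimic a driver that runs stacked statements are assumptions.

```python
import sqlite3

# Constructed payload, the same string the post places in the comment field:
# it closes the INSERT's quoted value and stacks a DELETE behind it.
PAYLOAD = "CommentDescription');DELETE FROM tblimagescomments WHERE commentId='32';"


def fresh_db():
    """Constructed in-memory stand-in for the post's comments table, seeded with record 32."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblimagescomments (commentId INTEGER PRIMARY KEY, comment TEXT)")
    conn.execute("INSERT INTO tblimagescomments VALUES (32, 'existing comment')")
    conn.commit()
    return conn


def state(conn):
    """Return (row count, whether record 32 survives, text of the newest row)."""
    count = conn.execute("SELECT COUNT(*) FROM tblimagescomments").fetchone()[0]
    has32 = conn.execute("SELECT 1 FROM tblimagescomments WHERE commentId = 32").fetchone() is not None
    newest = conn.execute("SELECT comment FROM tblimagescomments ORDER BY commentId DESC LIMIT 1").fetchone()[0]
    return count, has32, newest


def insert_vulnerable(conn, comment):
    """String concatenation: the user's text becomes part of the SQL itself."""
    sql = "INSERT INTO tblimagescomments (comment) VALUES ('" + comment + "');"
    try:
        # executescript() stands in for a driver that executes stacked statements.
        conn.executescript(sql)
    except sqlite3.OperationalError:
        # The leftover "');" from the original statement fails to parse,
        # but the INSERT and the injected DELETE have already executed.
        pass
    return state(conn)


def insert_parameterized(conn, comment):
    """Placeholder binding: the driver sends the text as a value, never as SQL."""
    conn.execute("INSERT INTO tblimagescomments (comment) VALUES (?)", (comment,))
    conn.commit()
    return state(conn)


if __name__ == "__main__":
    print("concatenated:", insert_vulnerable(fresh_db(), PAYLOAD))  # record 32 is gone
    print("parameterized:", insert_parameterized(fresh_db(), PAYLOAD))  # record 32 intact, payload stored as text
```

With parameters bound, the quote and the trailing DELETE are stored as ordinary characters in the comment column, so no table name guessing helps the attacker.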