An attacker can inject own SQL query to obtain sensitive information like database login credentials, etc. In the sample attack shown below, we can see how attacker has injected a SQL query to obtain database login details.
form action="system/database/DB_query_builder.php" method="POST"> input type="hidden" name="where_in" value="where%20name%20%3D%20"db_login%"%20-->br> input type="text" name="where_in" id="where_in_1" size="40" />input type="submit" value="Submit Query"> /form>
- You can't see it in the image but in the where_in input field there is a single quotation mark character ' which is causing the problem because it is not valid in any SQL query.
CWE-400: Improper Neutralization of Untrusted Input (SQL Injection)
This vulnerability is one of the most dangerous vulnerabilities in the OWASP Top 10 list. The fact that it's so common and easy to exploit means that you always need to be aware of what inputs are coming into your application and how they are being handled.
An attacker can inject own SQL query to obtain sensitive information like database login credentials, etc. In the sample attack shown below, we can see how attacker has injected a SQL query to obtain database login details.
form action="system/database/DB_query_builder.php" method="POST"> input type="hidden" name="where_in" value="where%20name%20%3D%20"db_login%"%20-->br> input type="text" name="where_in" id="where_in_1" size="40" />input type="submit" value="Submit Query"> /form>
SQL Injection using %USERNAME% parameter
The sample attack shown below is a SQL Injection using a %USERNAME% parameter. The following sample SQL query will return the databse user's password
SELECT * FROM users WHERE username='%USERNAME%'
In this scenario, if an attacker can receive the value of %USERNAME%, then he or she can easily extract database user's password without any trouble. This can be achieved by sending the following request:
POST /system/database/DB_query_builder.php HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 where_in=?br>&where_in_1=?
--%USERNAME%=1234567890&where_in_2=?br>&where_in_3=?br>&where_in_4=?br>--
SQL Injection and How to Prevent It
SQL injection is an attack where the attacker can inject their own SQL query to obtain sensitive information like database login credentials, etc. If a SQL injection attack takes place, it is important to protect your application from sensitive information being leaked out. The following methods will help you prevent SQL injection attacks:
- Use parameterized queries whenever possible. This will help prevent SQL injection attacks because the attackers won't be able to inject their own query in case they try to do so. On the other hand, if this isn't possible than use prepared statements.
- Ensure that your application uses content type and entity encoding properly when setting up input values for forms on your web app. This will prevent signs of encoding or encoding errors that can lead to SQL injection attacks through various ways.
- Use parameterized queries with user authentication which will ensure that any unauthenticated information inputted by the user is not going out as a query against your system table
Timeline
Published on: 10/07/2022 11:15:00 UTC
Last modified on: 10/08/2022 01:40:00 UTC