...

Info

CWE-89 describes SQL Injection as follows:

“The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.”


Any SQL-Injection attack basically consists of inserting (or "injecting") malicious code into the SQL command executed by the app.

The effects of such injections are hard to predict, since they depend on the attacker's skill and on the characteristics of the SQL interpreter, but the most common are:

  • Read/modify sensitive data
  • Execute administrative operations
  • Execute commands on the underlying OS


Info

The most basic SQL-injection attack exploits a SQL query that is built dynamically from input data.

Let's suppose an app that displays a user's data based on the user name typed into a web form.

The dynamically constructed SQL in the app code might look like this:

...

Let's imagine the result when the attacker supplies the following text:

' or '1'='1

In this case, the SQL engine will return all users' data because the condition '1'='1' is always TRUE, so the WHERE clause matches every row.

...

In this case, the attacker would be able to delete the users table or truncate system tables. Everything depends on the concrete case, but "the door is open" and, as you can imagine, imagination is the limit. How does the attacker know the app's database tables? Depending on the error messages the application produces when a SQL-injection attack happens, a smart attacker can infer database structure information from the error page. Discovering useful information is then just a matter of patience.


You might be thinking of a common error-handling approach: providing a generic error page that does not display any exploitable information about the app's internals.

Even in this case, the app is still vulnerable to SQL injection. In these cases, attackers use a technique known as "Blind SQL Injection".

This technique is based on asking the database questions and determining the answer from the application's response (for example, whether a page shows data or the generic error). It is often used when the web application is configured to show generic error messages but has not fixed the code that is vulnerable to SQL injection.
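The following is an added example (not code from the original page or from Kiuwan) that puts both points above into running code: a lookup built by string concatenation returns every user for the `' or '1'='1` input, and wrapping it in a generic error message does not help, because the response still differs depending on whether an injected condition is true or false. The parameterized version treats the whole input as a literal name. The table, user names and helper function names are constructed for the demo and use Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def _connect():
    """Build a fresh in-memory database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(name):
    """CWE-89: the statement text is assembled by concatenating user input.

    Any database error is swallowed into a generic message, mirroring the
    'generic error page' approach described above.  The query structure can
    still be changed by the input, so the app remains injectable.
    """
    conn = _connect()
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "generic error"
    finally:
        conn.close()


def find_user_safe(name):
    """Parameterized query: the statement text is a constant and the driver
    binds the input as a value, so it can never alter the SQL structure."""
    conn = _connect()
    try:
        return conn.execute(
            "SELECT name, email FROM users WHERE name = ?", (name,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # The page's payload: the vulnerable lookup returns all rows, the safe one none.
    print(find_user_vulnerable("' or '1'='1"))
    print(find_user_safe("' or '1'='1"))
    # Blind case: with a generic error page the vulnerable lookup still answers
    # a true/false question through its response; the safe lookup does not.
    print(find_user_vulnerable("alice' and '1'='1"), find_user_vulnerable("alice' and '1'='2"))
    print(find_user_safe("alice' and '1'='1"), find_user_safe("alice' and '1'='2"))
```

The fix is the parameter binding in `find_user_safe`, not the `try/except`: hiding the error text changes what the attacker sees, but not what the database executes.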

...

Info

In Kiuwan, you can search for rules covering SQL-Injection (CWE-89) by filtering by

  • Vulnerability Type ("Injection") and/or
  • CWE tag ("CWE:89").


Kiuwan includes the following rules for SQL-Injection (CWE-89), listed by language.

...
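To show what a static rule for CWE-89 looks for, here is an added example (not Kiuwan's rule engine or its code) of a minimal Python checker: it walks the AST and flags `execute`/`executemany`/`executescript` calls whose statement argument is assembled at runtime by concatenation, `%`-formatting, `str.format()` or an f-string. The method names, the `SqlConcatRule` class and the sample source being scanned are constructed for this demo.

```python
import ast


class SqlConcatRule(ast.NodeVisitor):
    """Flag execute-style calls whose SQL text is built at runtime.

    A constant statement with bound parameters is accepted; a statement
    produced by string operations on (possibly) user input is reported.
    """

    EXEC_NAMES = {"execute", "executemany", "executescript"}

    def __init__(self):
        self.findings = []  # list of (line number, reason)

    def visit_Call(self, node):
        func = node.func
        is_exec = (
            isinstance(func, ast.Attribute) and func.attr in self.EXEC_NAMES
        ) or (isinstance(func, ast.Name) and func.id in self.EXEC_NAMES)
        if is_exec and node.args:
            reason = self._dynamic_reason(node.args[0])
            if reason:
                self.findings.append((node.lineno, reason))
        self.generic_visit(node)

    @staticmethod
    def _dynamic_reason(arg):
        """Return why the statement argument is dynamic, or None if it is not."""
        if isinstance(arg, ast.JoinedStr):
            return "f-string"
        if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add):
            return "string concatenation"
        if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
            return "%-formatting"
        if (
            isinstance(arg, ast.Call)
            and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"
        ):
            return "str.format()"
        return None


def scan_source(source):
    """Parse Python source text and return the rule's findings."""
    rule = SqlConcatRule()
    rule.visit(ast.parse(source))
    return rule.findings


# Constructed sample source: four dynamic statements and one parameterized one.
SAMPLE_SOURCE = """\
def lookup(cur, name):
    cur.execute("SELECT email FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT email FROM users WHERE name = '{name}'")
    cur.execute("SELECT email FROM users WHERE name = '%s'" % name)
    cur.execute("SELECT email FROM users WHERE name = '{}'".format(name))
    cur.execute("SELECT email FROM users WHERE name = ?", (name,))
"""


if __name__ == "__main__":
    for line, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: SQL statement built with {reason} (CWE-89)")
```

This purely syntactic check misses the case where the concatenated string is first assigned to a variable and the variable is passed to `execute`; a production rule such as Kiuwan's tracks data flow from the input source to the query sink to catch that, which is the difference between a pattern match and a taint analysis.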