Monday, April 10, 2006

SQL Injection - Part 1

Security .. This word comes up constantly when talking about critical applications. Security is one of the most important aspects of developing applications, and web applications in particular. Why? Because a web application has a very unique property .. "It's a public application!". Many people have access to your application and to your services, and as accessibility increases, the threats increase with it.

SQL injection is one of the simplest and most popular attacks on the net. Exploiting it well, however, takes an attacker with some experience in SQL and in the particular database engine behind the application.

Dynamic web forms usually receive parameters, and according to these parameters the page adjusts its behaviour and layout. Parameters are sent to the web form over HTTP using one of two methods, GET or POST (explaining these methods in detail is out of our scope here).

For example, using the GET method, we can send parameters to the web form in the URL's query string, like:

As shown, the "Login" page receives two parameters: username and pass. In your login page, you may check the user's credentials with a SQL statement built by string concatenation, like this (the values are pasted straight into the query text, which is exactly the problem):

sql = "SELECT username, password FROM users WHERE username='" & username _
      & "' AND password='" & password & "'"

Suppose our lovely attacker now tries to play with this login page. He simply sends, as the password parameter, a value that closes the string literal and appends an always-true condition:

mypass' or '1'='1

If this login page guards an administration area, for example, you are now in a critical situation. Why? The "password" parameter is no longer just a password; after it is concatenated into the statement above, the SQL the database receives looks like this:

SELECT username, password FROM users WHERE username='nour' AND password='mypass' or '1'='1'

As you can see, the WHERE condition will no longer match only one record. Because '1'='1' is always true, and OR binds more loosely than AND, the condition is really (username='nour' AND password='mypass') OR (true), so the query returns every record in your users table. A great disaster! If your authentication logic is built on "did this query return any rows?", it will always succeed, and anyone can log in regardless of the password they give. This is only the simplest demonstration of what can be done with SQL injection.
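The following script is an added example, not code from the original post: it reproduces the login query above in Python against an in-memory SQLite table (the VBScript-style concatenation is translated literally), runs the injected password through it, and then runs the same query with bound parameters so the two behaviours can be compared side by side. The users table and its rows are constructed for the demo; the username "nour" and the payload come from the text above.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
USERS = [
    ("nour", "s3cret-real-password"),
    ("alice", "another-password"),
    ("bob", "yet-another-one"),
]


def make_db() -> sqlite3.Connection:
    """In-memory users table holding the constructed sample rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """The concatenation pattern from the post, translated to Python.

    Whatever the user typed becomes part of the SQL text itself.
    """
    return ("SELECT username, password FROM users WHERE username='"
            + username + "' AND password='" + password + "'")


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Execute the concatenated query and return every row the WHERE matches.

    An application that treats 'at least one row' as 'authenticated'
    is bypassed by any tautology the attacker can splice in.
    """
    return conn.execute(build_vulnerable_sql(username, password)).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the input is data, never SQL."""
    sql = "SELECT username, password FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Row counts for honest and injected logins against both versions."""
    conn = make_db()
    payload = "mypass' or '1'='1"  # the injected password value from the post
    return {
        "honest_vulnerable": len(vulnerable_login(conn, "nour", "s3cret-real-password")),
        "injected_vulnerable": len(vulnerable_login(conn, "nour", payload)),
        "honest_safe": len(safe_login(conn, "nour", "s3cret-real-password")),
        "injected_safe": len(safe_login(conn, "nour", payload)),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql("nour", "mypass' or '1'='1"))
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Running it shows the concatenated query returning all three constructed users for the injected password while the parameterized query returns none, because the driver passes the payload to SQLite as a single string value rather than as SQL text. The count-based check is the same in both functions; only the way the input reaches the database differs.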

Wait for more in Part 2...