Web Application Break-In

This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."

SQL and Email Injection
Another attack method clearly on the rise--and that can cause severe damage--is the injection attack. SQL injection attacks represent a serious threat to any Web site with a database back end and require nothing more than port 80 to be open. The methods behind these attacks are easy to learn and can lead to a complete system compromise, even if a system's patches are up to date.

SQL injection occurs when attackers take advantage of sites that generate SQL queries from user-supplied data without first checking or pre-processing it to verify that it's valid. By modifying the expected Web application parameters, an attacker can submit SQL queries and pass commands directly to a database.
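The mechanism described above, shown as an added example rather than code from the article: a login check whose query is built by string formatting sits beside the same check written with parameter placeholders. The in-memory SQLite table, the account names and the hostile password value are all constructed for the demonstration; the point is that the placeholder version returns nothing for the same input that makes the concatenated version match every row.

```python
import sqlite3

def make_db():
    # Constructed sample database: two accounts in an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # The query is assembled by string formatting, so a quote character in a
    # form field ends the string literal and the rest is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return sorted(row[0] for row in conn.execute(query))

def login_safe(conn, username, password):
    # Parameter placeholders fix the query structure before any value is seen;
    # the driver binds the values separately, so they can only ever be data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))

# Constructed hostile password value: closes the literal and appends a
# condition that is true for every row.
TAUTOLOGY = "' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "valid_login": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_with_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "safe_with_tautology": login_safe(conn, "alice", TAUTOLOGY),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print("%-26s -> %s" % (label, result))
```

The same principle applies in any server-side language: keep the SQL text fixed and hand the values to the database driver separately (prepared statements), rather than trying to sanitize each field by hand.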

A less-publicized injection attack that also profits from weak user input validation is email injection. If you have an email form on your Web site--such as a feedback or contact form--it basically acts like an SMTP proxy. Spammers will try to hijack it, turning your Web form into a spam relay. This type of attack often goes unnoticed until antispam filters blacklist the offending server's IP address.

The email injection attack works with any code that builds the message's mail headers when processing a Web form. For example, the PHP mail function requires a target address, a subject line and some form of message content. An optional parameter allows you to specify other mail headers, such as From, Cc and Bcc. Many PHP mail scripts use this fourth parameter to insert the sender's email address into the From header. If the script accepts a name and email address and formats them into the From field, spammers can use these form fields to manipulate the mail headers and insert a subject line, content and extra email addresses.

Again, the root problem is a failure to check user input properly, which highlights the fact that Web developers need to fully understand the server-side language functions they use. To ensure your email forms are not open to abuse, your script should filter all user input using regular expressions or string functions to remove any line feeds or carriage returns.
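The header-building pattern described above and the line-break filtering recommended here, as an added example that is not code from the article. It reproduces in Python what a PHP script does when it formats a name and address into the fourth argument of mail(): the form fields are dropped into a "From:" line, the fixed headers and body are prepended and appended the way a mail function would, and the result is parsed back to show which headers a mail server would act on. The form values, addresses and the hostile "name" field are constructed for the demonstration.

```python
import re
from email.parser import Parser

def build_extra_headers_vulnerable(name, sender):
    # Same pattern as a script that formats the form fields straight into the
    # extra-headers argument with no check for embedded line breaks.
    return "From: %s <%s>\r\n" % (name, sender)

LINE_BREAKS = re.compile(r"[\r\n]")

def clean_field(value):
    # Remove carriage returns and line feeds so a field value cannot terminate
    # the From line and start a header of the submitter's choosing.
    return LINE_BREAKS.sub("", value)

def build_extra_headers_safe(name, sender):
    return "From: %s <%s>\r\n" % (clean_field(name), clean_field(sender))

def headers_the_mta_would_see(build, name, sender):
    # Assemble the message the way a mail function does (fixed headers, then
    # the script-supplied extra headers, then the body) and parse it back to
    # see which headers survive.
    raw = ("To: webmaster@example.com\r\n"
           "Subject: Feedback\r\n"
           + build(name, sender) +
           "\r\nThanks for the site!\r\n")
    msg = Parser().parsestr(raw)
    return {"from": msg.get_all("From"), "bcc": msg.get_all("Bcc")}

# Constructed hostile "name" field: ends the From line, adds a Bcc header and
# pushes the script's trailing "<address>" into a junk header.
INJECTED_NAME = "Alice\r\nBcc: spamtarget@example.org\r\nX-Junk:"
SENDER = "alice@example.com"

def demo():
    return {
        "vulnerable": headers_the_mta_would_see(
            build_extra_headers_vulnerable, INJECTED_NAME, SENDER),
        "safe": headers_the_mta_would_see(
            build_extra_headers_safe, INJECTED_NAME, SENDER),
    }

if __name__ == "__main__":
    for label, seen in demo().items():
        print("%-10s From=%s Bcc=%s" % (label, seen["from"], seen["bcc"]))
```

With the unfiltered script the parsed message carries a Bcc header the form never offered; after the filter the whole submission collapses into a single, odd-looking but harmless From value. Rejecting the submission outright when a line break is present is an equally sound choice, since a legitimate name or address never contains one.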

This was first published in August 2006
