Technical professionals responsible for the security of publicly accessible Internet servers often focus (justifiably) on maintaining the operating system and server software that they purchase from vendors. Indeed, these packages often contain significant security vulnerabilities and it is incumbent upon every security administrator to ensure that their servers are patched with the most recent vendor security patches and hotfixes.
However, that's not the extent of the administrator's responsibilities. As you probably know, the custom code developed within your organization to power dynamic Website functionality has the potential to open significant vulnerabilities in your Web server. These flaws are especially dangerous when you're using Web applications to provide an interface to a back-end database. One particular type of attack against database-driven applications is the SQL injection. In this attack, the intruder manipulates a site's Web-based interfaces to force the database to execute undesirable SQL code.
SQL injection attacks are best learned through example. Imagine a simple Website set up by a package delivery company to provide delivery status information to anyone who knows the tracking number associated with a particular package. The application may simply ask the user for the tracking number and then look it up in a database table using the following SQL code:
Where @tracking is a variable passed in from the web application. Under normal circumstances, this application may function p
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
erfectly normally. For example, if a user enters the tracking number 1A2123ZC2, the corresponding query would be:
That ideal situation makes one flawed assumption -- that the user will only enter a valid tracking number. Malicious individuals are not likely to be so cooperative. Suppose that the user instead enters the string shown below in the tracking number field:
The corresponding query will now be:
Which will have the unintended consequence of retrieving all of the tracking information stored in the database. Now assume that we have an even more malicious user who enters the following string:
This would cause the database to execute the following query:
Which would have the clearly undesirable result of deleting all of the tracking information from the database!
There are several steps that you can take to reduce the possibility of a SQL injection attack against your database:
If you take the time to implement these simple steps, you'll be well on your way to securing your Web/database interaction.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
