Technical professionals responsible for the security of publicly accessible Internet servers often focus (justifiably) on maintaining the operating system and server software that they purchase from vendors. Indeed, these packages often contain significant security vulnerabilities and it is incumbent upon every security administrator to ensure that their servers are patched with the most recent vendor security patches and hotfixes.
However, that's not the extent of the administrator's responsibilities. As you probably know, the custom code developed within your organization to power dynamic Website functionality has the potential to open significant vulnerabilities in your Web server. These flaws are especially dangerous when you're using Web applications to provide an interface to a back-end database. One particular type of attack against database-driven applications is the SQL injection. In this attack, the intruder manipulates a site's Web-based interfaces to force the database to execute undesirable SQL code.
SELECT * FROM Shipments WHERE TrackingID='@tracking'
Where @tracking is a variable passed in from the web application. Under normal circumstances, this application may function perfectly normally. For example, if a user enters the tracking number 1A2123ZC2, the corresponding query would be:
SELECT * FROM Shipments WHERE TrackingID='1A2123ZC2'
That ideal situation makes one flawed assumption -- that the user will only enter a valid tracking number. Malicious individuals are not likely to be so cooperative. Suppose that the user instead enters the string shown below in the tracking number field:
1A2123ZC2' or true
The corresponding query will now be:
SELECT * FROM Shipments WHERE TrackingID='1A2123ZC2' or true
Which will have the unintended consequence of retrieving all of the tracking information stored in the database. Now assume that we have an even more malicious user who enters the following string:
1A2123ZC2'; DELETE FROM Shipments
This would cause the database to execute the following query:
SELECT * FROM Shipments WHERE TrackingID='1A2123ZC2'; DELETE FROM Shipments
Which would have the clearly undesirable result of deleting all of the tracking information from the database!
There are several steps that you can take to reduce the possibility of a SQL injection attack against your database:
- Escape single quotation marks. Include code within your Web applications that replaces
single apostrophes with double apostrophes. This will force the database server to recognize the
apostrophe as a literal character rather than a string delimiter.
- Limit the privileges available to the account that executes Web application code. In the
example above, if the account only had permission to perform the intended action (retrieving
records from the Shipping table), the deletion would not be possible.
- Reduce or eliminate debugging information. When an error condition occurs on your
server, the Web user should not see technical details of the error. This type of information could
aid an intruder seeking to explore the structure of your database.
- Educate your developers. Make sure that the people responsible for developing code
within your organization are aware of the seriousness of the threat and the simple steps that they
may take to help safeguard your servers.
- Test your Web applications. Spot-check the work done by your developers. One simple
check that you can do is to place single quotation marks within the data sent to your server. If
you receive an error response of any kind, chances are you're vulnerable to an SQL injection
If you take the time to implement these simple steps, you'll be well on your way to securing your Web/database interaction.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
This was first published in March 2003