The notorious SQL Injection vulnerability is among the most critical security vulnerabilities, considering the ease and impact of exploitation. This type of vulnerability is mostly found in legacy applications, thanks to the advent of ORMs and better database libraries.
SQL Injection vulnerabilities are found where non-sanitized user input is used in conjunction with database queries. Guessing the SQL query being used for a certain operation, the attacker inserts SQL code into the input, causing the database to execute the attacker’s code, rather than what was intended by the application.
The attacker can exploit this vulnerability to gain access to critical data or to cause severe damage and data loss.
In this example, a web site allows users to sign in and communicate with their friends. The user credentials are stored in a database table named users, with three columns: id, email and password.
On the sign in page, a form with input fields for the user’s email address and password is available. The form sends the sign in request to a page with the following code:
```php
<?php
// Deliberately vulnerable sign-in handler, as presented in the article.
// The raw e-mail field is placed directly into the SQL string.
$email = $_POST['email'];
$password = md5($_POST['password']);
// String concatenation: any quote or semicolon in $email becomes part of the SQL.
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password';";
$result = pg_query($conn, $query);
```
An attacker may use the email field on the sign in page to prematurely end the query intended by the application and append their own query to be executed afterwards.
By entering the following email address, the attacker will cause all users of the website to be removed: [email protected]'; DROP TABLE users; --
This happens because the email address is inserted directly into the query string without any kind of sanitization of special characters. The actual query executed by the database looks like this:
SELECT * FROM users WHERE email = '[email protected]'; DROP TABLE users; --' AND password = '';
The double dashes at the end of the input mark the start of a comment, so the database ignores everything that follows them, including the remainder of the original query.
This vulnerability can be exploited in many other conceivable ways, for example to change the password of another user, gain administrator privileges, or extract sensitive data.
As a general rule, all communication with SQL databases from the application should go through a library that takes care of sanitizing user input before it is passed into a database query.
This also implies using the database library correctly and never circumventing it by building queries from user input with crude string concatenation.
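The same sign-in lookup written the way the guideline above demands, as an added example that is not part of the original article: the query text contains only placeholders, and the values travel to PostgreSQL separately, so the attacker's input from the example is matched literally and can no longer alter the statement. It assumes `$conn` is an open pg_connect() handle, as in the article's snippet.

```php
<?php
// Added example (not the article's own code): parameterized sign-in lookup.
// The SQL text only ever contains the placeholders $1 and $2; the values are
// sent to the server as data, so a quote or semicolon in the e-mail field is
// part of the compared string, never part of the SQL.
// Assumption: $conn is an open pg_connect() handle, as in the original snippet.

function find_user($conn, string $email, string $password_hash)
{
    $sql = 'SELECT id, email FROM users WHERE email = $1 AND password = $2';
    $result = pg_query_params($conn, $sql, [$email, $password_hash]);
    if ($result === false) {
        // Log pg_last_error($conn) server-side; never echo it back to the user.
        return null;
    }
    $row = pg_fetch_assoc($result);
    return $row === false ? null : $row;
}

// With the article's malicious e-mail address, $1 is compared against the
// literal string "...'; DROP TABLE users; --", no such user exists, and the
// users table is untouched.
$email = $_POST['email'] ?? '';
$password_hash = md5($_POST['password'] ?? ''); // hashing kept as in the article
$user = find_user($conn, $email, $password_hash);
if ($user === null) {
    echo 'Invalid e-mail address or password.';
}
```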
A code security review is the best way to ensure that all parts of the application adhere to these guidelines.
We provide code security reviews as a service. Based on our extensive experience in the field of software engineering and IT security, we know how to efficiently review entire code bases and identify the security-critical parts of the software.
This enables us to provide our security code review service at a fixed rate per review, providing our customers a transparent, efficient and reliable process.