Q&A: SQL injection
by Mirko Zorz - Thursday, 10 September 2009.
Justin Clarke is a co-founder and Director at Gotham Digital Science. He has over twelve years of experience in assessing the security of networks, web applications, and wireless networks. He is the author of the open source SQLBrute blind SQL injection testing tool, several books, and is the Chapter Leader for the London chapter of OWASP. In this interview he discusses SQL injection and his latest book.

Exactly how big of a problem is SQL injection? Can you provide a rough picture to our readers not familiar with the issue?

SQL injection is a huge problem. It is both fairly common, as well as having the potential to be a huge risk to a business either directly or indirectly. A good example of the risk of SQL Injection is the recent revelation that SQL injection was a key part in a number of the recent large credit card data breaches - Heartland, Hannaford, TJX and others. In these cases, SQL injection was used in order to get further into an organization and do something else, however in a lot of cases SQL injection can be serious enough all on its own. I've seen examples such as a small US bank that had over 5,000 mortgage applications stolen from an application via SQL Injection, and hence all of the information needed to steal all of those people's identities.

For those not familiar with SQL injection, it occurs when unvalidated user input is included within Structured Query Language (SQL) statements that are dynamically assembled within the application. For example, say the application is assembling a query for product information with a “productid” variable supplied by the user with a query something like this:

string query = "SELECT * from products WHERE productid =" + productid

Where the “productid” variable is as the developer expects, this works fine. However if the “productid” variable contains SQL language statements instead of the expected values, an attacker can modify what the query does, and even execute totally different database functionality in some cases. For example, on Microsoft SQL Server the attacker may be able to execute operating system commands like the following:

Attacker supplies the following value for “productid” -> 1; exec xp_cmdshell('cmd.exe /c ping 10.11.12.13')--

What's are the main motivations behind SQL injection attacks? Precisely what are the attackers after?

The main motivation is usually to access the data in the application or applications that are present on the database server supporting the application. This could take the form of obtaining access to data in the application (for example, getting people's usernames and password), or modifying or deleting information in the database (for example, inserting a link to a malicious JavaScript file into the application's front page).

We are also seeing an increasing amount of reports where SQL injection is used as a method of getting into an organization's network. In this case, its likely they are using common database functionality to run underlying operating system content in order to gain a foothold on the database server. As database servers have a tendency to be in a network segment closer to the organization's internal network (or may be on the internal network in some cases), this can allow an attacker to then gain access further into the organization, and then attack other systems they are interested in.

Spotlight

The context-aware security lifecycle and the cloud

Posted on 25 November 2014.  |  Ofer Wolf, CEO at Sentrix, explains the role of the context-aware security lifecycle and illustrates how the cloud is shaping the modern security architecture.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Nov 26th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //