Saturday, April 18, 2015

Sql Injection And Defense

Sql Injection

#SQL Server Security

In the news I came to know that SQL injection caused a number of websites to be compromised and the details of their users to be leaked. So the thought came to mind to write a few lines on SQL injection.

What is it?

A SQL injection attack is the injection or insertion of SQL into a query through input supplied to the application. A successful SQL injection lets an attacker read information from the database, modify it (insert, update, delete), or execute administrative scripts and perform administrative tasks.

What can it do?

  •        Retrieve or steal information.
  •        Modify data (insert, delete, update).
  •        Affect the schema of the database.
  •        Perform database administrative tasks (dropping or creating databases, applying permission sets on database objects, creating job schedules, etc.).

In the news?

Demo/Example: 

These are snapshots from a live website (a marriage portal that has a SQL injection vulnerability).

Now the most basic SQL injection against a login form.
Let's try userid as ' or '1'='1  and password   ' or '1'='1


Ohhh! It's successfully logged in.


The attacker can now perform a number of tasks in the account that was opened, and even knows the full information of that account, which appears after the successful login.



Defense 

  • Avoid dynamic SQL queries built from user input.

  • Validate each user input (on the server side as well).

  • Use prepared statements / parameterized SQL queries.

  • Use stored procedures.

  • Enforce least privilege.
  • Grant the SQL user login only the permissions it requires.




So don't trust user input (the user can be a hacker/attacker); validate at each and every step of the logic flow, whether in server-side code or in a SQL Server stored procedure, and grant only the required permissions. Don't give administrative privileges to a web user. Never use the sa account to access information from the database for an application.
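As an added example (not code from the original post), here is the login check from the demo written two ways in Python, with an in-memory SQLite database standing in for SQL Server: the concatenated query that the ' or '1'='1 input defeats, and the server-side-validated, parameterized version that the Defense list asks for. The users table, the two accounts and the user-id allow-list are constructed for this demo; the same pattern applies with pyodbc or ADO.NET parameters against a real SQL Server.

```python
import re
import sqlite3

# Constructed sample data standing in for the portal's login table.
# Plaintext passwords keep the demo short; a real system compares salted hashes.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database (stand-in for SQL Server) with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, userid, password):
    """Dynamic SQL built by string concatenation: the 'before' that the demo defeats.

    With userid and password both set to  ' or '1'='1  the statement becomes
      ... WHERE userid = '' or '1'='1' AND password = '' or '1'='1'
    which is true for every row, so the first user is 'logged in'.
    """
    sql = ("SELECT userid FROM users WHERE userid = '" + userid
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, userid, password):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so quotes in the input are data and never change the statement."""
    row = conn.execute(
        "SELECT userid FROM users WHERE userid = ? AND password = ?",
        (userid, password),
    ).fetchone()
    return row[0] if row else None


# Server-side allow-list for user ids (an assumed policy for this demo).
USERID_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_userid(userid):
    """Reject anything outside the allow-list before it reaches the database."""
    return USERID_RE.fullmatch(userid) is not None


def login_safe(conn, userid, password):
    """Defense in depth: validate on the server, then query with parameters."""
    if not valid_userid(userid):
        return None
    return login_parameterized(conn, userid, password)


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"
    print("vulnerable   :", login_vulnerable(conn, payload, payload))
    print("parameterized:", login_parameterized(conn, payload, payload))
    print("validated    :", login_safe(conn, payload, payload))
```

Run stand-alone, the vulnerable function returns a user for the injected input while both hardened functions return None. The validation step is kept separate from the parameterized query on purpose: parameters alone already stop the injection, and the allow-list is the second layer the post recommends, so a bug in one does not undo the other.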

~Sunit