AttackFlow Findings Dictionary


SQL Injection

An attacker can inject partial SQL query strings of their own into the queries the application builds, and use them to read data such as user password hashes or to run unauthorized commands on the database server. This can lead to full compromise of the database and, from there, of other servers in the corporate environment.

Severity

Critical

Fix Cost

Low

Trust Level

High

SQL Injection is one of the most common attack vectors exploited against web applications, and by far the best known to developers and business owners.

SQL supports complex queries and is the de facto standard for querying stored data from web applications.

Suppose the backend code looks like the following snippet:

SqlConnection con = new SqlConnection(connStr);
SqlCommand sqlComm = new SqlCommand();
sqlComm.Connection = con;
// Deliberately vulnerable: both request values are concatenated straight into the SQL text.
sqlComm.CommandText =
    "SELECT * FROM users WHERE ( name = '" + Request["name"] + "' and passwd = '" + Request["passwd"] + "' )";
con.Open();
SqlDataReader DR = sqlComm.ExecuteReader();

Every injection attack is the result of mixing code and untrusted data. The API that keeps the two apart until runtime, a parameterized query, exists for every mainstream database driver, but it is bypassed the moment a developer assembles the query text by string concatenation. In the code above the data (the name coming from the user) is spliced into the code (the partial SQL filter written by the programmer), which results in SQL injection: the attacker can reshape the query and read information they could not otherwise access.

For example, by sending admin' or 2 > 1 ) -- as Request["name"], the attacker closes the parenthesis the query opened, makes the WHERE clause true for every row, and comments out the password check entirely. Whatever row the database returns first is treated as the logged-in user, so the attacker may authenticate as admin without knowing the admin password. This is just one of the things an attacker can do with code like the above.

SQL Injection can exist both in dynamically constructed SQL queries and in stored procedures. It is also important to know that using an ORM framework such as LINQ to SQL, Entity Framework or NHibernate does not prevent SQL injection 100%: whenever the developer hands the ORM a query string (HQL or raw SQL), it is still the developer's job not to build that string dynamically from untrusted input. For example, analyze the code snippet below:

// Deliberately vulnerable: NHibernate parses the HQL, but the untrusted value is already part of it.
IQuery query = session.CreateQuery("from User where Name = '" + Request["name"] + "'");
IList<User> users = query.List<User>();

There is still room for the attacker to manipulate the query by providing crafted values for Request["name"]. The fix is the same as for raw SQL: use a named parameter (from User where Name = :name together with query.SetParameter("name", Request["name"])) so that the value never becomes part of the HQL text.


The same flaw in a Java backend. Suppose the code looks like the following snippet:

// Deliberately vulnerable: the untrusted name is embedded in the SQL text before
// prepareStatement() ever sees it, so the "prepared" statement has nothing to bind.
String custname = request.getParameter("name");
String query = "SELECT balance FROM data WHERE name = '" + custname + "'";
PreparedStatement pstmt = connection.prepareStatement(query);
ResultSet results = pstmt.executeQuery();

The prepared statement here gives no protection at all: the untrusted name was concatenated into the SQL text before prepareStatement() received it, so code and data are already mixed and there is no placeholder left to bind. A PreparedStatement only helps when the SQL text is constant and every user-supplied value arrives through a ? placeholder and setString().

For example, by sending nouser' or 2 > 1 -- as request.getParameter("name"), the attacker turns the WHERE clause into one that is true for every row and comments out the trailing quote, so the query returns every customer's balance although the caller is only entitled to their own. Note that this payload carries no closing parenthesis: unlike the login query above, this statement opened none, and a stray ) would be a syntax error. This is just one of the possibilities available to an attacker against code like the above.
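As an added, runnable illustration of both payloads on this page (the login bypass against the users query in the first snippet and the balance leak against the data query above), the following Python script uses the standard-library sqlite3 module as a stand-in for the SQL Server and JDBC backends in the snippets. It is example code written for this entry, not AttackFlow's or the original page's code, and the table contents are constructed sample data. Each vulnerable function splices the input into the SQL text exactly as the snippets do; each safe counterpart keeps the SQL constant and passes the value as a bound parameter, which is the same fix as SqlCommand.Parameters in .NET or a ? placeholder with PreparedStatement.setString() in JDBC.

```python
import sqlite3

# Constructed sample data standing in for the page's "users" and "data" tables.
# The admin row is inserted first so that, as in the page's description, the
# first row returned by the bypassed login query is the admin account.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (name TEXT, passwd TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'wonderland');
        CREATE TABLE data (name TEXT, balance INTEGER);
        INSERT INTO data VALUES ('alice', 120), ('bob', 4500), ('admin', 0);
    """)
    return con

# The two payloads from the text. The login payload closes the parenthesis the
# query opened before commenting out the password check; the balance payload
# must not contain ")" because that query opened no parenthesis.
LOGIN_PAYLOAD = "admin' or 2 > 1 ) --"
BALANCE_PAYLOAD = "nouser' or 2 > 1 --"


# --- vulnerable: untrusted data is spliced into the SQL text ---------------

def login_vulnerable(con, name, passwd):
    """Mirrors the page's users query. Returns the names of every row matched;
    the application would treat the first one as the logged-in user."""
    sql = ("SELECT name FROM users WHERE ( name = '" + name
           + "' and passwd = '" + passwd + "' )")
    return [row[0] for row in con.execute(sql)]


def balance_vulnerable(con, name):
    """Mirrors the page's data query."""
    sql = "SELECT balance FROM data WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


# --- fixed: constant SQL text, data travels as bound parameters ------------

def login_safe(con, name, passwd):
    # The driver sends the values separately; they can never alter the query shape.
    sql = "SELECT name FROM users WHERE ( name = ? and passwd = ? )"
    return [row[0] for row in con.execute(sql, (name, passwd))]


def balance_safe(con, name):
    sql = "SELECT balance FROM data WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def demo():
    """Runs both payloads against both versions and returns the outcomes."""
    con = make_db()
    return {
        "login_vulnerable": login_vulnerable(con, LOGIN_PAYLOAD, "anything"),
        "login_safe": login_safe(con, LOGIN_PAYLOAD, "anything"),
        "balance_vulnerable": balance_vulnerable(con, BALANCE_PAYLOAD),
        "balance_safe": balance_safe(con, BALANCE_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>18}: {rows}")
```

Running the script shows the vulnerable login returning every user (admin first, so the attacker is logged in as admin with a bogus password) and the vulnerable balance query returning every customer's balance, while both parameterized versions return no rows because the payload is compared literally against the name column.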

SQL Injection can exist both in dynamically constructed SQL queries and in stored procedures. It is also important to know that using an ORM framework such as Hibernate does not prevent SQL injection 100%: an HQL string assembled from untrusted input is injectable in exactly the same way as raw SQL, and it is still the developer's job not to construct queries dynamically. For example, analyze the code snippet below:

// Deliberately vulnerable: HQL built by concatenation; Hibernate parses it but
// cannot tell the developer's filter apart from the attacker's input.
String query = "from Users where uname = '" + request.getParameter("name") + "'";
List<Users> users = session.createQuery(query).list();
if (users.isEmpty())
    return ERROR_LOGIN;
if (!checkPasswd(users.get(0).getPasswd(), pass))
    return ERROR_LOGIN;

There is still room for the attacker to manipulate the query by providing crafted values for request.getParameter("name"). The fix is the same as for JDBC: use a named parameter (from Users where uname = :name together with setParameter("name", request.getParameter("name"))) rather than concatenation, so that Hibernate sends the value as a bound parameter that can never change the shape of the query.
