SQL Injection

Are Your Web Applications Vulnerable?

A SPILABS Whitepaper

Presentation by Joe Combs, 29 March 2006

Agenda

• SQL Injection Defined

• What Can Attackers Accomplish?

• Solutions

• A Surprising Example

What is SQL Injection?

• Database layer vulnerability

• Characters like ' and ; have special meaning to the SQL engine

String myQuery = "SELECT credit_card_nbr " +
                 "FROM cust_acct " +
                 "WHERE cust_id = '" +
                 custIDVar +
                 "'";

• What if custIDVar is passed something like this?

';drop table cust_acct--

Why SQL Injection?

• Footprinting allows an attacker to systematically deduce the structure of your database through carefully crafted injections

• Unauthorized data access

• Execute arbitrary commands

Solutions

• Security through obscurity is a first (weak) step
  • use original (harder to guess) table & column names
  • name form fields differently from column names
  • use aliases for table names

Solutions

• Strip risky characters from data passed in from outside.

• Better yet, filter with a default-deny regular expression

• Stored Procedures
  • may hide some of the details of your database, but once an attacker has a successful injection they can leave you wide open; see xp_cmdshell in MS SQL Server.

Solutions

• Limit the rights of the database user to prevent running of system stored procedures

• Prepared Queries - bind variables

String myQuery = "SELECT credit_card_nbr " +
                 "FROM cust_acct " +
                 "WHERE cust_id = :1";
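To show the two defences from these slides side by side, here is an added example (not from the original deck) that pairs a default-deny regular expression with a bound-parameter query. It assumes customer IDs are 1 to 10 digits and uses an in-memory sqlite3 database with constructed sample data; sqlite3's "?" placeholder plays the role of the ":1" bind variable in the slide.

```python
import re
import sqlite3

# Default-deny allow-list for customer IDs.
# Assumption (not from the deck): a valid cust_id is 1 to 10 ASCII digits.
CUST_ID_RE = re.compile(r"^[0-9]{1,10}$")


def is_valid_cust_id(value: str) -> bool:
    """True only if the value matches the allow-list; everything else is denied."""
    return CUST_ID_RE.fullmatch(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the deck's cust_acct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cust_acct (cust_id TEXT, credit_card_nbr TEXT)")
    conn.execute("INSERT INTO cust_acct VALUES ('42', '4111-XXXX-XXXX-1111')")
    conn.commit()
    return conn


def lookup_card_bound_only(conn: sqlite3.Connection, cust_id_var: str):
    """Bind variable alone: the input is passed as data, never spliced into SQL."""
    row = conn.execute(
        "SELECT credit_card_nbr FROM cust_acct WHERE cust_id = ?",
        (cust_id_var,),
    ).fetchone()
    return row[0] if row else None


def lookup_card(conn: sqlite3.Connection, cust_id_var: str):
    """Defence in depth: validate with the allow-list, then use the bound query."""
    if not is_valid_cust_id(cust_id_var):
        return None  # default deny: never reaches the database
    return lookup_card_bound_only(conn, cust_id_var)


def table_exists(conn: sqlite3.Connection, name: str = "cust_acct") -> bool:
    """Lets a caller confirm the table survived whatever input was supplied."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None
```

Fed the deck's `';drop table cust_acct--` string, the allow-list rejects it before any query runs, and even the bound-only lookup simply matches no row and leaves the table intact.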

An Unexpected Twist

• RFID!

• Use of RFID is increasingly common thanks to a major push from corporations like Wal-Mart

• An RFID tag reports an inventory lot number or some other relevant data; what if a devious person doctored a tag to include extra characters in that stock number?

Conclusions

• Don't trust user-supplied data

• Do more than scrub risky characters: use regular expressions to black list or, better yet, white list data

• Be leery of stored procedures

• Use prepared queries both to boost performance and to ensure query execution doesn't get hijacked
