Security Testing – SQL Injection


                 Security testing now plays a leading role in the testing of developed software, and SQL injection is one of the
                 most important techniques a security tester must cover. SQL injection vulnerabilities can cause a lot of damage
                 to a web application: a malicious user may be able to view records, delete records, drop tables or gain access to the server.

                 Many applications use some type of database. An application under test might have some form of user interface
                 that accepts user input in order to perform tasks such as the following:

                 1.   Show the relevant stored data to the user, e.g. the application checks the credentials of the user using the log-in
                 information entered by the user and exposes only the relevant functionality and data to that user.

                 2.   Save the data entered by the user to the database, e.g. once the user fills in a form and submits it, the
                 application proceeds to save the data to the database; this data is then made available to the user in the same
                 session as well as in subsequent sessions.

                 These input fields are the entry points through which an attacker attempts SQL injection. Some of the user inputs might be
                 used in framing SQL statements that are then executed by the application on the database. It is possible for an
                 application NOT to handle the inputs given by the user properly. If this is the case, a malicious user could provide
                 unexpected inputs to the application that are then used to frame and execute SQL statements on the
                 database. This is called SQL injection. The consequences of such an action could be alarming.

                 The following things might result from SQL injection:

                 1. The user could log in to the application as another user, even as an administrator.

                 2. The user could view private information belonging to other users, e.g. details of other users' profiles, their
                 transaction details, etc.

                 3. The user could change application configuration information and the data of the other users.

                 4. The user could modify the structure of the database; even delete tables in the application database.

                 5. The user could take control of the database server and execute commands on it at will.

                 Since the consequences of a successful SQL injection could be severe, it follows that SQL injection should
                 be tested during the security testing of an application.

                 Important: The SQL injection problem should be tested only in the test environment.

                 SQL injection is possible even in applications that use SSL, because encryption protects the transport, not the query
                 the application builds. Likewise, a firewall might not be able to protect the application against the SQL injection technique.




Visit IVESIA’S WEBSITE Follow us at LINKEDIN and TWITTER
               How to inject SQL attacks?


                 1.   To start performing security testing of an application against SQL attacks, one should look for the possible input
                      entries in which a user can enter SQL commands. Examples would be login pages, user submission forms, search fields,
                      comment fields in blogs, forum pages, and sometimes even email input fields.

                 2.   Start framing SQL commands which might attack the application by deleting entries, altering existing information, or
                      triggering a database error that reveals some table information. Example: if entering a single quote (') in any textbox
                      produces a database error, it means that the user input is inserted into some query which is then executed by the
                      application against the database.

               The following inputs can be used in the application to see whether they return database errors or produce a reflective
               action in the database:

                          ' having 1=1 ---

                          ' or 1=1; drop table users; --

                          '; shutdown with nowait; --

                          '; exec master..xp_xxx; --

                          '; exec master..xp_cmdshell 'iisreset'; --
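As an added example (not part of the original document), the following Python script builds a constructed in-memory SQLite users table and contrasts a login query framed by string concatenation with a parameterised one: the single-quote probe from step 2 raises a database error against the concatenated query, the `' or 1=1 --` input from the list above logs in as the first stored user, and the parameterised query treats both inputs as plain data. The table contents, credentials and function names are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example (not from the document)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "administrator"), ("alice", "wonderland", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Frames the query by string concatenation: user input becomes SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as err:
        # A database error surfacing here is the tell-tale sign described in
        # step 2: the raw input reached the SQL parser.
        return ("db_error", str(err))
    return ("ok", row)


def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL."""
    row = conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return ("ok", row)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "'"))          # -> ('db_error', ...)
    print(login_vulnerable(db, "' or 1=1 --", "x"))   # -> ('ok', ('admin', 'administrator'))
    print(login_safe(db, "' or 1=1 --", "x"))         # -> ('ok', None)
    print(login_safe(db, "alice", "wonderland"))      # -> ('ok', ('alice', 'user'))
```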

               Important: During security testing, the tester should be very careful not to modify any of the following:

                      Configuration of the application or the server

                      Services running on the server

                      Existing user or customer data hosted by the application

               Additionally, a security test should be avoided on a production system.

               The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can
               then remove these vulnerabilities from the application and make the web application and data safe from unauthorized
               actions.

               Instead of manually testing whether the application is vulnerable to SQL injection or not, one could use a web
               vulnerability scanner that checks for SQL injection.



