SQL Injection Attacks and Input Validation for Prevention, Assignments of Network security

This document covers SQL injection attacks, which exploit web applications to illegitimately access and manipulate database servers. Using a shopping website as an example, it illustrates how dynamic web applications interact with databases to generate content in response to user requests. An example SQL query is walked through, and the document shows how SQL injection attacks can provide unauthorized access to database content by taking advantage of dynamic web applications. It also discusses the importance of input validation as a preventative measure against SQL injection attacks.

Typology: Assignments

2020/2021

Uploaded on 07/05/2021

farhan-ahmad

- [Instructor] SQL injection attacks use web applications as a mechanism to illegitimately access database servers that support web applications and retrieve sensitive information or make unauthorized modifications to the database. Many modern applications rely upon databases to help generate dynamic content on the fly. Consider, for example, an online shopping website that has millions of items in its catalog. Users can visit the site and search for just about anything using any combination of keywords. Obviously, the site developers can't imagine every possible search term and create pages in advance. That's where databases come into play. Instead of creating those pages in advance, developers write dynamic web applications. These web applications reach out to databases to obtain content as they build pages that respond to user requests.

Let's look at an example of a SQL query. You don't need to know the specifics of SQL for the Security Plus exam, but it is helpful to be somewhat familiar with query syntax. In this example, the web application is requesting a password for the user mchapple from the database. The database returns a table showing the username and password. There are a few parts to this query. The Select statement specifies the information that we want to retrieve from the database. In this case, that's the username and password. The From clause tells the database what table contains the information. In this case, that's the user_accounts table. Finally, the Where clause limits the results to those matching a certain query. In this case, those for the user mchapple.

A dynamic web application might plug in information to the Where clause from a variable. SQL injection attacks take advantage of this to give the database unexpected instructions. For example, what if we added this strange "or one equals one" clause to the end of the Where statement? One equals one is just a mathematical statement that's always true. So the Where clause now essentially reads "Where username equals mchapple or true." So it's always true. And you see the results that come back from the web application include all of the usernames and passwords from the database.

Let's try this against a WebGoat application. You see here a simple web application that returns database information for a user after entering their last name. The application also displays the SQL query on the screen for our benefit. If we use this application the way it's intended, we simply enter a last name, let's try Smith, into this box and then click Go. And you can see here, the query was properly constructed. "Select star from user data where last name equals Smith." And below, we see the results of that query, all the information about users with the last name of Smith.

Now let's try a SQL injection attack. Instead of just entering Smith, we're going to add on to the end of that "or one equals one". So, I'm going to put a quote here, enter my "or one equals one," and then comment out the rest of the syntax. The purpose of some of the extra characters here is just to make the SQL query work. You'll see that in just a second when I hit Go. When I scroll down now and look at the query, you can see the quote that I added at the end of Smith has ended the last name equals Smith quotes, and then we've added on the "or one equals one." The rest of this just comments out the single quote that's left over from the query template. The interesting thing here, now, is instead of just seeing the results for the user John Smith, we see all of the users contained within that database and their credit card numbers. We can even get a little more sinister than this. Let's go ahead and try this again. And this time, instead of just putting in the "or one equals one," I'm going to go ahead and type in
the last name Smith, and then I'm going to add a command, "Delete from user data". And what that's going to do is remove all of the information from that table in the database. Now this time, when I go back and try to search for records relating to Mr Smith, you'll see there are no results remaining in the database.

How can you prevent SQL injection attacks against your applications? Input validation. You have to check user input to make sure that it matches the expected format. If you're expecting a last name, you should have letters only. No apostrophes or equals signs in there. SQL injection is just one form of injection attack. Similar attacks can occur against LDAP, XML, and other technologies where remote users can manipulate command parameters.

In this demonstration, you saw how a SQL injection attack allows the user of a web application to access the underlying database. In our first attack, we simply added a "one equals one" to the end of a query to make the condition always true and display all of the contents of a database. We then got more malicious and deleted all of the records from that database. SQL injection attacks allow dangerous direct interaction between attackers and your databases. Input validation is essential to preventing SQL injection attacks.
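The following is an added example, not code from the transcript or from WebGoat, that reproduces the lesson's two points in runnable Python: the last-name lookup built by string concatenation (the pattern the demo app uses) returns every row when the "or one equals one" input is supplied, while a version that applies the letters-only input validation the instructor describes rejects it. It goes one step beyond the transcript by also binding the value as a query parameter, which stops the same input even when validation is skipped. The `user_data` table, its three rows and the card numbers are constructed for this example and are not real data.

```python
import re
import sqlite3

# Constructed sample rows standing in for the WebGoat-style "user_data" table
# seen in the demo. The names and card numbers are made up for this example.
SAMPLE_ROWS = [
    ("John", "Smith", "4111-1111-1111-1111"),
    ("Jane", "Doe", "5500-0000-0000-0004"),
    ("Ana", "Silva", "3400-0000-0000-009"),
]

# Input validation rule from the transcript: a last name is letters only,
# so an apostrophe, an equals sign or a comment marker never gets through.
LAST_NAME_RE = re.compile(r"[A-Za-z]{1,64}")


def make_db():
    """Create an in-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (first_name TEXT, last_name TEXT, cc_number TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name):
    """The pattern the demo app uses: user input is pasted straight into the
    query text, so the database cannot tell data apart from SQL syntax."""
    query = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, last_name):
    """Same query, but the value is bound as a parameter. The driver hands it
    to the database as data, so it is only ever compared, never parsed."""
    return conn.execute(
        "SELECT * FROM user_data WHERE last_name = ?", (last_name,)
    ).fetchall()


def is_valid_last_name(value):
    """Allow-list check: True only for a string made entirely of letters."""
    return LAST_NAME_RE.fullmatch(value) is not None


def lookup_hardened(conn, last_name):
    """Defence in depth: reject malformed input first, then bind the parameter."""
    if not is_valid_last_name(last_name):
        raise ValueError("last name must be letters only")
    return lookup_parameterized(conn, last_name)


def demo():
    """Run the honest search and the transcript's 'or one equals one' input
    through each lookup and report what came back."""
    conn = make_db()
    # Constructed input mirroring the transcript: close the quote, add an
    # always-true condition, comment out the template's trailing quote.
    injected_input = "Smith' or 1=1 --"
    try:
        lookup_hardened(conn, injected_input)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "normal_rows": len(lookup_vulnerable(conn, "Smith")),
        "injected_rows": len(lookup_vulnerable(conn, injected_input)),
        "parameterized_rows": len(lookup_parameterized(conn, injected_input)),
        "hardened_rejected": rejected,
        "hardened_normal_rows": len(lookup_hardened(conn, "Smith")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows one row for the honest search, all three rows for the concatenated query with the injected input, zero rows for the parameterized query (the whole string is compared against `last_name` and matches nothing), and a `ValueError` from the hardened lookup before any query is sent. Python's `sqlite3` `execute()` refuses to run more than one statement, so the transcript's second attack (a stacked `DELETE`) is not reproduced here; the parameterized and validated paths would stop it for the same reason they stop the first one.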