SQL Injection

SQL Injection Defined

SQL Injection is a type of web application security vulnerability in which an attacker is able to submit a database SQL command that is executed by a web application, exposing the back-end database. SQL Injection attacks can occur when a web application uses user-supplied data as part of a command or query without proper validation or encoding. The specially crafted user data tricks the application into executing unintended commands or changing data. SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database. In its most common form, SQL Injection allows attackers to access sensitive information such as social security numbers, credit card numbers or other financial data. According to the Open Web Application Security Project (OWASP), SQL Injection is one of the most prevalent types of web security vulnerability.

Anatomy of SQL Injection Attacks

With over 20% of all web vulnerabilities being attributed to SQL Injection, it is the 2nd most common software vulnerability, and the ability to find and prevent SQL Injection should be top of mind for web developers and security personnel. In general, a SQL Injection attack exploits a web application that does not properly validate or encode user-supplied input and then uses that input as part of a query or command against a back-end database. For example, a typical form may ask for an ID and create a URL such as http://www.somewebsite.com/id/id.asp?id=somedata. An attacker using SQL Injection may enter "somedata or 1=1". If the web application does not properly validate or encode the user-supplied data and sends it directly to the database, the reply to the query will expose all IDs in the database, since the condition "1=1" is always true. This is a basic example, but it illustrates the importance of sanitizing user-supplied data before using it in a query or command.
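The following added example (not code from the original page or from Veracode) reproduces the "id" lookup described above against a constructed in-memory SQLite table: the vulnerable version concatenates the id parameter into the statement, so the input "2 or 1=1" returns every row, while the remediated version validates the input as an integer and binds it as a query parameter. The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the site's id table (not from the page).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The flawed pattern: the raw ?id= value is pasted into the SQL text.

    Input "2 or 1=1" turns the WHERE clause into "id = 2 or 1=1", which is
    always true, so the whole table comes back instead of one row.
    """
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """The remediated pattern: validate the input, then bind it as a parameter.

    The value never becomes part of the SQL grammar, so "or 1=1" cannot alter
    the query; input that is not an integer id is rejected before any query.
    """
    try:
        id_value = int(user_id)
    except ValueError:
        return []  # reject malformed ids rather than forwarding them to the database
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "2"))
    print("vulnerable, '2 or 1=1'   :", lookup_vulnerable(db, "2 or 1=1"))
    print("safe, normal input       :", lookup_safe(db, "2"))
    print("safe, '2 or 1=1'         :", lookup_safe(db, "2 or 1=1"))
```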
Finding and Remediating SQL Injection Vulnerabilities with Veracode

Veracode's SecurityReview enables organizations to quickly identify and remediate SQL Injection security vulnerabilities in web applications. Veracode uses static binary analysis and dynamic vulnerability scanning to model web applications, locate all user inputs and determine whether an input can be used to exploit a SQL Injection vulnerability. Unlike other approaches, which simply look for software versions known to have SQL Injection vulnerabilities, Veracode exercises each input with test data to fully assess each potential attack vector. And because Veracode uses non-destructive input testing methods, such as SELECT commands, the technique can be used on "live" websites without causing harm to users, data or performance. Once a SQL Injection vulnerability is detected, organizations are provided with remediation details such as the location of the vulnerability, the data used to create the exploit and the steps needed to properly sanitize the input and remediate the problem. Application developers should always sanitize user inputs before using them in dynamically generated content; a detailed technical guide with coding examples is available on the Common Weakness Enumeration (CWE) website.