A quick look at the Open Web Application Security Project (OWASP) web site will tell you that the number one vulnerability for web applications is "Injection". This means that an attacker is able to literally inject some piece of code or data into the target website. In the majority of cases, this is an application programming problem: the developer either used an API that did not properly check its inputs or used user input without properly sanitizing it. A classic example of this is SQL injection. SQL (Simple Query Language) for databases is widely used and, if improperly integrated into a website, is easy to exploit.
Example SQL Query Injection
This SQL query will return the password, login and full name for the email address provided by the user.
SELECT passwd, login_id, full_name          -- fields to return from the query
FROM members                                -- table to search
WHERE email = '$USER_INPUT@EMAIL_ADDRESS';  -- what to search for
Suppose the user enters something other than an email address such as:
USER_INPUT => "x'; DROP TABLE members; --"
SELECT passwd, login_id, full_name          -- fields to return from the query
FROM members                                -- table to search
WHERE email = 'x'; DROP TABLE members; --'; -- extra commands
The first part of the user input, "x';", closes the quoted string and terminates the original SQL query, which now searches on "x" as the email address. The second part, "DROP TABLE members; --", runs as a separate statement that deletes the whole members table, and the trailing "--" comments out whatever remains of the original query.
While this is an extreme and simple example, it demonstrates the ease and power of an injection attack. To prevent this, all input from the user must be checked for special characters such as the single quote, the semicolon and other characters that have special meaning in SQL. These characters must either be removed from the input or escaped. Escaping the characters leaves them in the user input but prevents the SQL server from interpreting them as part of the query syntax. How the characters are escaped depends on the programming language being used.
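As an added example that is not part of the original article, the following Python script runs the article's query both ways against an in-memory SQLite table filled with constructed rows: once built by string concatenation, once as a parameterized query, where the driver passes the value separately and never parses it as SQL. The vulnerable version uses executescript() to model a driver that accepts stacked statements; that is an assumption, since sqlite3's ordinary execute() refuses a second statement.

```python
import sqlite3

# Constructed sample rows (not from the original article).
MEMBERS = [
    ("s3cret", "alice", "Alice Example", "alice@example.com"),
    ("hunter2", "bob", "Bob Example", "bob@example.com"),
]

# The malicious "email address" shown in the article.
PAYLOAD = "x'; DROP TABLE members; --"


def fresh_db():
    """Create an in-memory members table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members "
                 "(passwd TEXT, login_id TEXT, full_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def table_exists(conn):
    """Report whether the members table survived the query."""
    row = conn.execute("SELECT name FROM sqlite_master "
                       "WHERE type = 'table' AND name = 'members'").fetchone()
    return row is not None


def lookup_vulnerable(conn, user_input):
    """Build the query by concatenation, exactly as the article's example does.
    executescript() models a driver that accepts stacked statements (assumption);
    it discards result rows, so callers check table_exists() afterwards."""
    query = ("SELECT passwd, login_id, full_name FROM members "
             "WHERE email = '" + user_input + "';")
    conn.executescript(query)


def lookup_safe(conn, user_input):
    """Parameterized query: quotes and semicolons in the value stay data."""
    cur = conn.execute("SELECT passwd, login_id, full_name FROM members "
                       "WHERE email = ?", (user_input,))
    return cur.fetchall()


if __name__ == "__main__":
    db = fresh_db()
    lookup_vulnerable(db, PAYLOAD)
    print("table survives concatenated query:", table_exists(db))   # False
    db = fresh_db()
    print("rows for payload via parameters:", lookup_safe(db, PAYLOAD))  # []
    print("table survives parameterized query:", table_exists(db))  # True
```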