SQL Injection
Injection comes in at Number 1 of the OWASP Top 10, meaning it is a significant threat to systems. An injection-based attack is where an attacker sends data to a service in an attempt to change its behaviour. For example, with database injection, we could modify a query's behaviour through the parameters we send.
This week we will be looking at database injection, one of the most common and well-known forms.[^otherInjecton]
SQL Injection (SQLi) is another vulnerability in the OWASP Top 10. Like many of the web vulnerabilities, SQLi comes from the designer ignoring Rule #1 and trusting the user's input. The concept behind SQLi is to manipulate a database query on the server, to make it show additional information.
We will cover some basic SQL concepts, with a focus on MySQL / MariaDB, before seeing how we can use this for SQLi. We will also look at how we can use SQLi for bypassing logins and enumerating the contents of a database.
We will also take a look at injection for other forms of database. NoSQL databases have become popular for storing information and, despite the claims of their designers, are not invulnerable to this style of attack.[^nosqlSafe]
Topics for the Week
- SQL databases
- SQLi
- SQL Login Bypass
- Manual SQL Enumeration
- NoSQL Injection
- SQL / NoSQL challenges
- SQLMap
Question of the Week
Discuss
It always amazes me that SQLi is still in the Top 10.
While I accept that dealing with user input is incredibly complex, dealing with SQL-based input is a well-known problem, and we have had "fixes" for it, for example parameterised queries, for a long time. This makes it a lot less complex to resolve than other forms of injection such as XSS.
I appreciate that there are bugs in parameterised queries, or ORM-based systems. However, while they can be wide-reaching, they are pretty rare.
What are your views on this? Is it a problem we are ever going to solve? Why don't people make use of the "safe" way of doing it?
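As an added example (not part of the original course notes), the contrast the discussion above draws between a query built by string concatenation and a parameterised one, using Python's sqlite3 module as an offline stand-in for MySQL / MariaDB. The `users` table, its rows and the `login_unsafe` / `login_safe` function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory login table standing in for the MySQL / MariaDB
    # database discussed in the notes; the rows are sample data.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return con


def login_unsafe(con, username, password):
    # Rule #1 ignored: user input is pasted straight into the SQL text, so a
    # quote character in the input becomes part of the query's grammar.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in con.execute(query)]


def login_safe(con, username, password):
    # Parameterised query: the SQL text is fixed and the driver sends the
    # values separately, so the input can never change the query's structure.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(query, (username, password))]


def demo():
    con = make_db()
    # The textbook login-bypass input: the quote closes the string literal and
    # the comment marker discards the password check that follows it.
    crafted = "alice' --"
    return {
        "unsafe_valid": login_unsafe(con, "alice", "correct-horse"),
        "safe_valid": login_safe(con, "alice", "correct-horse"),
        "unsafe_crafted": login_unsafe(con, crafted, "wrong"),  # returns ['alice']
        "safe_crafted": login_safe(con, crafted, "wrong"),  # returns []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both functions agree on a normal login; only the concatenated version lets the crafted username rewrite the query, which is why the parameterised form is the "fix" the question refers to.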
[^otherInjecton]: There are other forms of injection, for example Template Injection, or even XSS (which is its own topic). However, SQLi is a big enough topic that we will cover the other forms in the coming weeks.
[^nosqlSafe]: Although, I will admit that they are 100% safe from SQL injection (as they don't use SQL). It's amazing how people trust the usual weasel words from marketeers.