
SQL Injection

Injection comes in at Number 1 of the OWASP Top 10, meaning it is a significant threat to systems. An injection-based attack is where an attacker sends data to a service in an attempt to change its behaviour. For example, with database injection we could modify a query's behaviour through the parameters we send.

This week we will be looking at Database Injection, one of the most common and well-known forms.[1]

SQL Injection (SQLi) is another vulnerability in the OWASP Top 10. Like many web vulnerabilities, SQLi comes from the designer ignoring Rule #1 and trusting the user's input. The concept behind SQLi is to manipulate a database query on the server so that it shows additional information.

We will cover some basic SQL concepts, with a focus on MySQL / MariaDB, before seeing how we can use this for SQLi. We will also look at how SQLi can be used to bypass login pages.
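To make the "query built from user input" idea concrete, here is an added worked example (not part of the original module material) in Python. It assumes SQLite in place of MySQL / MariaDB, because SQLite ships with Python and runs offline, and it uses a constructed users table. A login check is written twice: once by pasting the input into the SQL text, and once as a parameterised query. A legitimate username containing an apostrophe is enough to show the difference: the concatenated version lets the quote become part of the query grammar, while the parameterised version keeps it as data.

```python
import sqlite3

# Constructed sample users (not from the page). Passwords are stored in plain
# text only to keep the demo short; a real system stores a password hash.
USERS = [("alice", "s3cret"), ("o'brien", "pass")]


def make_db():
    """Build an in-memory SQLite database; SQLite stands in for MySQL/MariaDB
    here because it ships with Python and runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_query_unsafe(username, password):
    """Vulnerable pattern: user input is pasted straight into the SQL text,
    so a quote character in the input becomes part of the query grammar."""
    return (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )


def login_unsafe(conn, username, password):
    """Run the concatenated query. Returns ('ok', user), ('denied', None) or
    ('error', message) when the input has broken the query's structure."""
    try:
        row = conn.execute(build_query_unsafe(username, password)).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def login_safe(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values are bound
    separately, so the input is always data and never query grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


if __name__ == "__main__":
    db = make_db()
    # The apostrophe in "o'brien" closes the string literal early in the
    # concatenated query, so the database sees a different statement.
    print(build_query_unsafe("o'brien", "pass"))
    print(login_unsafe(db, "o'brien", "pass"))   # ('error', ...)
    print(login_safe(db, "o'brien", "pass"))     # ('ok', "o'brien")
```

The point to take away for the rest of the module is that the vulnerable version has no way to tell the difference between "data the user typed" and "SQL the developer wrote"; the parameterised version never lets the two mix, which is why it is the standard fix.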

We will also take a look at injection for other forms of database. NoSQL databases have become popular for storing information and, despite the claims of their designers, are not invulnerable to this style of attack.[2]

Important

We will be using the web module to give you an introduction to the topic. In the Practical Pen-testing module, we will go deeper into SQLi and look at some more advanced ways of using the attack to gain access to a server.

Question of the Week

Discuss

It always amazes me that SQLi is still in the Top 10.

While I accept that dealing with user input is incredibly complex, dealing with SQL-based input is a well-known problem, and we have had "fixes" for it, for example parameterised queries, for a long time. This makes it a lot less complex to resolve than other forms of injection such as XSS.

I appreciate that there are bugs in parameterised queries or ORM-based systems. However, while they can be wide-reaching, they are pretty rare.

What are your views on this? Is it a problem we are ever going to solve? Why don't people make use of the "safe" way of doing it?


  1. There are other forms of Injection, for example Template Injection, or even XSS (which is its own topic). However, SQLi is a big enough topic that we will cover the other forms in the coming weeks.

  2. Although, I will admit that they are 100% safe from SQL injection (as they don't use SQL). It's amazing how people trust the usual weasel words from marketeers.
