Week 11: SQL Injection Analysis and Related Article
Web application vulnerabilities are rampant and the most popular form of this style of attack is SQL injection. The attacker in this attack format will attempt to place data that is interpreted as instructions in common inputs. There are many goals associated with such an attack; attacker may use SQL injection to do a number of database exploitation all the way through circumventing authentication and finally gain complete admistrative control of the sought after databases from a remote server.
The reason why this style of attack is so effective is because SQL is the standard language for accessing databases. Moreover, majority of web applications today use some sort of SQL database to store data for the application.
Problems come up time and time again because strings are not properly escaped. Secondly, data types are appropriatly restricted and constrained. There are ways to prevent SQL injection but not eliminate. First, we will need to constrain data types (e.g. Integer data field should only accept integer value, etc…). Another way is to ensure that escape user input is eliminated if possible. Meaning that escaping the apostrophes and backslashes (e.g. ‘, \’, \, \\). Finally, I have also read that the best way is using prepared statements; although it was originally designed to optimize database connectors, a prepared statements can restrict separate user data from SQL instructions. In view of that, when one uses prepared statements, the user input will not be interpreted as SQL instructions.
Attackers used SQL injection flaw to attack Joomla. Within hours of discovery, release and patching of a critical vulnerability, malicious attackers began exploiting Joomla, a popular open-source content managment system. This SQL injection flaw found in versions 3.2 and 3.4.4 of Joomla could potentialy grant attackers full administrative access to any vulnerable site. This vulnerability was discovered by Trustwave researches. For more information on this article, please click on the link below.