What is an SQL injection attack, and how can you protect your web application against injection attacks?

31 MAY 2014

Injection attacks allow a web client to pass data through the web server and out to another system. In an SQL Injection attack, for example, specially crafted SQL queries or commands are passed through the web interface, and the database is asked to perform functions outside the bounds of your authorization. This weakness exists when input is not validated before a database query is made via the Internet. The worst thing is that SQL attacks, like most other input validation attacks, can be executed easily with nothing more than a browser.

Many websites have coughed up credit card and social security card information to hackers who have taken advantage of Injection attacks. It is not our intention to describe the ways of finding the vulnerabilities for Injection attacks, but failure to realize the power of Injection attacks and to review your systems for the likelihood of being exploited may result in the loss of critical and sensitive information.

The first step in an SQL Injection attack is to find a vulnerable target. Attackers are on the alert for online forms such as login prompts, search engines, guest books, feedback forms, etc., through which users submit data to the remote system. Another potential target would be any reference to dynamic pages or scripts such as ASP, PHP, CGI and the like. The HTML code reproduced below is a vulnerable target for an SQL Injection attack because it lets the user submit information and also refers to an ASP file:

<!-- Login form: both fields are posted to a server-side ASP script -->

<form action="scripts/login.asp" method="post" name="loginform">

<input type="text" name="username" value="username">

<input type="password" name="password" value="password">

</form>


Uncovering illegitimate records, bypassing security features, carrying out malicious code on the remote victim system: all are possible for an attacker who has located a vulnerable SQL Server. No tool can review and discover every possible Injection attack on your web application, but you can still defend your system against such attacks with the following measures:

  • Validate all input using positive validation methods, whereby you reject any input that does not match the expected input, such as values, length and character set.

  • It is much better to use a proactive approach to input validation attacks. Rather than reacting to problems as they appear, it is far more effective, cheaper, easier and faster to look for and remove any loopholes in input validation at the development stage.

  • By filtering out all special characters such as quotation marks, semicolons, slashes, backslashes, etc. from user input, cookie files and URL variables, one can protect the system from SQL Injection attacks. Such filtering makes it much more difficult for attackers to carry out SQL Injection.

  • Perform a code review, if possible, for all calls to external resources to determine whether the method could be compromised.

  • Commercial tools are available that may find injection vulnerabilities, such as Acunetix, Burp Suite, etc. Acunetix (www.acunetix.com) tools are powerful and may find well-known attacks, but they will not be as helpful as performing a solid code review.

Another tool that may be helpful is Burp Suite from www.portswigger.net. Burp Suite is a powerful tool and should be part of your toolset.

Always keep in mind that these tools may find well-known attacks, but they will not be nearly as good as performing a solid code review.
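The positive validation described above, applied to the login form's username and password fields, as an added example that is not code from the original post. It also binds the value as a query parameter instead of building the SQL string, a defense the post does not list; the table layout, length limits and salt are assumptions made for the demo.

```python
import hashlib
import hmac
import re
import sqlite3

# Positive (allowlist) rules for the two form fields: character set and length.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")  # assumed policy
MAX_PASSWORD_LEN = 128                              # assumed policy
SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def validate_login(username, password) -> bool:
    """Accept only input that matches the expected shape; reject everything else."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if USERNAME_RE.fullmatch(username) is None:
        return False
    return 0 < len(password) <= MAX_PASSWORD_LEN


def check_login(db: sqlite3.Connection, username, password) -> bool:
    if not validate_login(username, password):
        return False
    # The username is bound as a parameter, never concatenated into the SQL text.
    row = db.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and hmac.compare_digest(row[0], hash_password(password))


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash BLOB)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("s3cret'pw;")))
    return db


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed inputs: one valid login, one wrong password, two bad usernames.
    for user, pw in [("alice", "s3cret'pw;"), ("alice", "wrong"), ("ali'ce", "x"), ("a;b\\c", "x")]:
        print(repr(user), check_login(db, user, pw))
```

The password is checked for length only, because a password may legitimately contain quotation marks or semicolons; it is hashed and compared and never becomes part of the SQL text.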