Anatomy of a SQL Injection Attack
October 8, 2008 – 6:21 PM
While there are a number of security risks in the world of electronic commerce, SQL injection is one of the most common Web site attack techniques used to steal customer data such as credit card numbers, hold customer data hostage by encrypting it or destroy data outright.
Where a Web server only understands and speaks the HTTP protocol, a database’s native tongue is Structured Query Language (SQL), which is essentially a set of command statements that instruct a database to execute specific actions. Every database server has a similar series of commands to query its tables, narrow down results to a few specific entries, and combine information across tables.
Here is an example SQL query:
SELECT * FROM users WHERE Email = '" + Email + "' AND Password = '" + Password + "';
The WHERE clause specifies a condition: that an e-mail address and password combination matches data present in the “users” table. When this command is given to the database server, the result is effectively true (a matching row is returned) if a match is found and false (no rows) if there is no match.
When clients send data on the Web, they use URLs and forms to assemble the database query statements. The following URL represents an example login page for a Web application:
GET /shopping_cart/[email protected]&Password=$ecret123 HTTP/1.1
This URL shows that the destination application is a Microsoft ASP page and that it accepts two parameters, one called “Email” and the other called “Password.” If the user credentials are correct, the result of this query provides response data that represents a successful authentication, and the client is allowed to proceed to the corresponding Web page.
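The login query above is assembled by pasting the Email and Password parameters straight into the SQL text, so a quote character in either parameter becomes part of the statement rather than part of the data. The following is an added example, not code from the original article, using Python and an in-memory SQLite table constructed for the demonstration; it places the article's string-built query next to the parameterized form that defends against it and shows how each treats the same crafted input.

```python
import sqlite3


def make_db():
    """Constructed sample 'users' table with a single account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Email TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice@example.com', 'S3cret!')")
    conn.commit()
    return conn


def login_concat(conn, email, password):
    """Vulnerable: mirrors the article's concatenated query.

    Anything the client sends is spliced into the SQL text, so the database
    parses attacker-supplied characters as query syntax.
    """
    sql = ("SELECT * FROM users WHERE Email = '" + email
           + "' AND Password = '" + password + "';")
    return conn.execute(sql).fetchall()


def login_param(conn, email, password):
    """Hardened: bound parameters keep the input as data, whatever it contains."""
    sql = "SELECT * FROM users WHERE Email = ? AND Password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def demo():
    """Run both query builders against valid and hostile input; return row counts."""
    conn = make_db()
    good = ("alice@example.com", "S3cret!")
    # Constructed hostile input: the quote closes the Password literal and the
    # remainder becomes an always-true condition in the concatenated WHERE clause.
    bad = ("nobody@example.com", "' OR '1'='1")
    return {
        "concat_good": len(login_concat(conn, *good)),  # 1: correct credentials
        "concat_bad": len(login_concat(conn, *bad)),    # 1: bypass, no credentials
        "param_good": len(login_param(conn, *good)),    # 1: correct credentials
        "param_bad": len(login_param(conn, *bad)),      # 0: input stays data
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s) returned")
```

The concatenated version hands back the account row for input that matches no credentials at all, while the parameterized version returns nothing; logging the raw SQL text the application actually sends is the quickest way to spot the first pattern in existing code.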