SQL Injection
Behind the scenes of a Web-based email application is a database that stores the messages and allows each user to see his or her emails, folders, and address books. However, if attackers can fool the application into giving them direct access to the database, all the information stored in the database can be compromised. This can allow an attacker to not only read email, but also alter or even delete the messages.
How the Attack Works
Attacks like the ones described in this blog can be carried out with a technique called Structured Query Language (SQL) injection. Just as cross-site scripting injects HTML and JavaScript into a Web page, SQL injection inserts attacker-supplied SQL into the queries an application sends to its database. SQL is the language used to interact with most databases, which is where most, if not all, Web-based email applications store their information.
Imagine that a Web-based application has a login screen where users are required to supply a login ID and password to access the system. Sitting behind this login screen is a database table containing all users of the system. The SQL code that looks up users might look something like this:
"SELECT * FROM UserTable WHERE Login = '" + strLogin + "' AND
Password = '" + strPassword + "'"
In this case, the strLogin and strPassword variables contain the login ID and password the user enters. This SQL code is similar to what's used in the vast majority of Web applications, with the biggest difference being the names of the table, fields, and variables. The way this code is intended to work is that when a user supplies the login ID jeremy and the password mypassword, the values are concatenated into the SQL command and the result is passed to the database:
SELECT * FROM UserTable WHERE Login = 'jeremy' AND Password = 'mypassword'
If there's a user with the login ID jeremy and the password mypassword, the user is authenticated and allowed into the system. This is the intended usage of the system and how most users would interact with the application.
The problem arises when an attacker accesses the same application. Rather than play by the rules, the Web application attacker attempts to use the application against itself. If proper network security measures have been taken (for example, a firewall that lets only the application server reach the database), the attacker has no direct access to the database containing the user information. However, to allow users to authenticate and log in, the application itself does have access. If the attacker can manipulate the application into doing the work for him, by supplying input that the application pastes into its query as SQL rather than as data, he may be able to access the database through the application, circumventing the network security measures.
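The following is an added example, not code from the original post: it rebuilds the login query above against a small in-memory SQLite table (constructed sample data), shows how the concatenated version can be bypassed with two classic inputs, and places the parameterized form beside it so the difference is visible. The table, user names and passwords are assumed for illustration only.

```python
import sqlite3

# Constructed sample data mirroring the page's UserTable. Plaintext passwords
# are kept only so the query matches the one in the post; a real system
# stores salted password hashes.
SAMPLE_USERS = [("jeremy", "mypassword"), ("admin", "s3cret!")]


def make_db():
    """Create an in-memory database holding the sample UserTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (Login TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(str_login, str_password):
    """The page's query, built by string concatenation. User input becomes
    part of the SQL text, so quotes in the input change the query's meaning."""
    return ("SELECT * FROM UserTable WHERE Login = '" + str_login +
            "' AND Password = '" + str_password + "'")


def login_vulnerable(conn, str_login, str_password):
    """Run the concatenated query. Returns the Login values that matched;
    a non-empty list means the application would treat the user as authenticated."""
    rows = conn.execute(build_vulnerable_query(str_login, str_password)).fetchall()
    return [r[0] for r in rows]


def login_safe(conn, str_login, str_password):
    """Same lookup with bound parameters. The SQL text is fixed and the values
    travel separately, so a quote in the input is compared as data, never
    parsed as SQL syntax."""
    sql = "SELECT * FROM UserTable WHERE Login = ? AND Password = ?"
    rows = conn.execute(sql, (str_login, str_password)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    # Intended use: the real login works in both versions.
    print(login_vulnerable(conn, "jeremy", "mypassword"))   # ['jeremy']
    print(login_safe(conn, "jeremy", "mypassword"))         # ['jeremy']

    # Payload 1: a password of  ' OR '1'='1  turns the WHERE clause into
    # (Login='x' AND Password='') OR '1'='1', which is true for every row.
    print(build_vulnerable_query("x", "' OR '1'='1"))
    print(login_vulnerable(conn, "x", "' OR '1'='1"))       # every user

    # Payload 2: a login of  admin'--  closes the string and comments out
    # the password check entirely.
    print(build_vulnerable_query("admin'--", "anything"))
    print(login_vulnerable(conn, "admin'--", "anything"))   # ['admin']

    # The parameterized query treats both payloads as literal strings.
    print(login_safe(conn, "x", "' OR '1'='1"))             # []
    print(login_safe(conn, "admin'--", "anything"))         # []
```

The fix is not escaping quotes by hand but keeping SQL and data apart: with bound parameters the database receives the same query text every time, whatever the user typed.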
SQL injection is a powerful technique that makes it possible for attackers to quickly and easily gain access to sensitive information. Without the proper safeguards in place, an application that is vulnerable to SQL injection essentially places its database directly on the Internet: anyone who stumbles across the vulnerability can read, and often alter or delete, the information stored within.
- vinod's blog