SQL injection attack

Introduction

    • It involves inserting SQL syntax through user input so that the application's database executes statements the developer never intended.

    • Successful exploitation can result in:

        • Reading sensitive data from the database.

        • Modifying database entries through INSERT, UPDATE, or DELETE operations.

        • Executing administrative tasks on the database, such as shutting down the DBMS.

    • SQL injection attacks are a subset of injection attacks: SQL commands are injected into data inputs so that they change the execution of the application's predefined SQL commands.


Threat Modeling

    • SQL injection allows attackers to spoof identity, tamper with existing data, cause repudiation issues (for example voiding transactions or changing balances), disclose all data on the system, destroy data or make it unavailable, and become administrators of the database server.

    • SQL injection is very common in PHP and ASP applications because of the prevalence of older functional interfaces that build queries by string concatenation. J2EE and ASP.NET applications are less likely to have easily exploited SQL injection because their programmatic interfaces encourage parameterised queries. The language is not the deciding factor, though: any application in any language that concatenates untrusted input into a query is vulnerable.

Description

  • These attacks occur when:

    • Unintended data enters the application from an untrusted source (form fields, URL parameters, headers, cookies, file contents).

    • That data is used to dynamically construct a SQL query, typically by string concatenation.

  • Confidentiality: SQL databases generally hold sensitive data, so loss of confidentiality is a frequent result of SQL injection.

  • Authentication: if poor SQL commands are used to check user names and passwords, it may be possible to connect to the system as another user with no previous knowledge of the password.

  • Authorization: if authorization information is held in the database, a successful exploit can change it and grant the attacker rights they should not have.

  • Integrity: as well as reading data, the attacker may alter or delete it through the injected query.


Example

<?php
// Vulnerable login handler: user input is concatenated straight into the query.
// The connection parameters are placeholders assumed for this example.
$conn = mysqli_connect("localhost", "app_user", "app_password", "app_db");

$username = $_POST['username'];
$password = $_POST['password'];

// No escaping and no parameter binding: both values become part of the SQL text.
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";

$result = mysqli_query($conn, $sql);

// Any non-empty result is treated as a successful login.
if (mysqli_num_rows($result) > 0) {
    echo "Welcome, $username!";
} else {
    echo "Invalid username or password!";
}

Suppose the attacker enters the following in the username field,

' OR '1'='1

The SQL query will then become,

SELECT * FROM users WHERE username='' OR '1'='1' AND password='$password'

On its own this is not enough: SQL evaluates AND before OR, so the WHERE clause reads username='' OR ('1'='1' AND password='$password'), and with an unknown password it still matches no rows. The attacker therefore enters the same payload in the password field as well, and the query becomes,

SELECT * FROM users WHERE username='' OR '1'='1' AND password='' OR '1'='1'

The trailing OR '1'='1' is always true, so the WHERE clause matches every row of the users table, mysqli_num_rows() is greater than zero, and the password check is bypassed entirely. The attacker is logged in without knowing a valid username or password; since the application only tests for a non-empty result, it does not even matter which user's row came back. A payload that comments out the rest of the query, such as ' OR 1=1 -- (with a trailing space, which MySQL requires after --), achieves the same result from the username field alone.
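To make the precedence point above concrete, here is an added example (not part of the original page) that reproduces the login check in Python against an in-memory SQLite database with a constructed users table, rather than the PHP/MySQL setup of the page. AND binding tighter than OR is standard SQL, so the outcomes match the MySQL case: the payload in the username field only matches nothing, the payload in both fields (or the comment variant) matches every row, and the same inputs sent through a parameterised query match nothing.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SAMPLE_USERS = [
    ("admin", "s3cret-admin"),
    ("alice", "hunter2"),
]

PAYLOAD = "' OR '1'='1"          # the classic tautology payload
COMMENT_PAYLOAD = "' OR 1=1 -- "  # comments out the rest of the query (note the trailing space)


def make_db():
    """In-memory SQLite table standing in for the page's MySQL `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Mirror of the PHP snippet: the query is assembled by string concatenation,
    so the input is parsed as SQL. Returns the usernames the query matched."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the SQL text, so quotes and keywords in the input have no effect."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run each scenario and return the usernames each login attempt matched."""
    conn = make_db()
    return {
        "valid_credentials": login_vulnerable(conn, "alice", "hunter2"),
        # AND binds tighter than OR, so username='' OR ('1'='1' AND password='wrong')
        # matches nothing: the payload in the username field alone is not enough.
        "payload_username_only": login_vulnerable(conn, PAYLOAD, "wrong"),
        # ... OR '1'='1' at the end makes the whole WHERE clause true for every row.
        "payload_both_fields": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        # The comment variant drops the password check from the username field alone.
        "payload_with_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        # Parameterised: the payloads are compared as literal strings and match no user.
        "safe_both_fields": login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_with_comment": login_safe(conn, COMMENT_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for scenario, rows in demo().items():
        print(f"{scenario:24} -> {rows}")
```

The parameterised version is the fix: the SQL text is fixed at development time and the user-supplied values never reach the parser as SQL. Passwords are stored and compared in plaintext here only to mirror the page's snippet; a real application would store a salted hash.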