Friday, September 7, 2007

get tru, "SQL injection"

Hacking has never been my interest, but as programmers we should be aware of the various hacking techniques so that we can make our code safe from malicious attack. First I will touch on SQL injection, a technique for pulling protected information out of your database (or otherwise changing what your queries do) by putting special characters into the input.

SQL injection relies on logical operators such as AND, OR and UNION. Used properly, it can give a malicious user complete access to your server, and if the application builds its queries dynamically from user input it can produce some real surprises. The vulnerability is the result of faulty or incomplete validation of the data that users supply to a web application. The programmer may be a newcomer who has never heard of such attacks. A majority of programmers believe that the client or end user will always give the application correct input; they check only for minor things like empty strings or null values, and never consider that a user could insert a specially crafted string that turns the query into one that reveals all the important information on your machines.

' Classic ASP / VBScript login check built by string concatenation
' (deliberately vulnerable, as shown further down)
query = "select * from userinfo where username='" & strUser & "' and password='" & strPass & "'"
strCheck = GetQueryResult(query)
If strCheck = "" Then
    loginflg = False
Else
    loginflg = True
End If


This query works fine, without any problems, as long as the user enters ordinary characters. But suppose a malicious user enters the following:

username=test
password=' or 1=1--

Now the above query becomes:

query="select * from userinfo where username='test' and password='' or 1=1--'"

The -- symbol denotes a comment in SQL Server, so everything after the -- is ignored. The query therefore effectively becomes:

select * from userinfo where username='test' and password='' or 1=1

We can break the WHERE clause into two portions, e.g.:

p => username='test' and password=''
q => 1=1

Because AND binds more tightly than OR, the database evaluates the clause as p ∨ q. From Boolean algebra we know that in a ∨ (OR) operation the result is true if either value is true. In the above code q is always true, since 1 is always equal to 1, so the entire expression p ∨ q always evaluates to TRUE, and the query selects every record in the table. Generally a programmer takes one record for the login, so the logged-in username becomes the username of the first record. Hence, by submitting the above malformed input, a malicious user can bypass the authentication mechanism of the web application.

This is only one of the endless options open to an intruder. With a specially crafted query a user can retrieve the entire database schema of your application, upload or download files, or gather other information such as credit card numbers stored in the database, delete users, add a new user, etc.
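The bypass described above, reproduced as an added example (this is not code from the original post). It uses an in-memory SQLite database with a constructed userinfo table, a login function that concatenates strings exactly like the ASP snippet, and the same lookup written with bound parameters so the difference is visible. The table contents, function names and the payload in the usage block are assumptions made for the demonstration:

```python
import sqlite3

# Constructed sample data (not from the original post). The admin account is
# inserted first so it is the "first record" the post talks about.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("test", "password123"),
]


def make_db():
    """Create an in-memory database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (username text, password text)")
    conn.executemany("insert into userinfo values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query(username, password):
    """Return the concatenated query text, so the reader can see exactly
    what the database receives (used by vulnerable_login)."""
    return ("select username from userinfo where username='" + username +
            "' and password='" + password + "'")


def vulnerable_login(conn, username, password):
    """String-concatenated query, equivalent to the post's ASP snippet.

    Returns the username of the first matching row (the row a typical
    login routine would treat as the authenticated user), or None.
    """
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the input is passed as data and is
    never parsed as SQL, so the quote and -- have no special meaning."""
    row = conn.execute(
        "select username from userinfo where username=? and password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1--"          # the post's password input
    print(build_query("test", payload))
    print("vulnerable:", vulnerable_login(conn, "test", payload))  # admin
    print("safe      :", safe_login(conn, "test", payload))        # None
    print("real creds:", safe_login(conn, "test", "password123"))  # test
```

Running it prints the assembled query, then shows that the concatenated version logs the attacker in as admin (the first row, because `or 1=1` made the whole WHERE clause true) while the parameterised version simply finds no user whose password is literally `' or 1=1--`.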
However, when it comes to me, SQL injection can't harm my code, as right from my first project I have been in the habit of writing stored procedures, which are fail-safe from such attacks.
