Critical Security Report For ACME Retail Testing Website
SQL Injection Vulnerability: A Brief Demonstration
September 27, 2009.
Beta 1005 testing begins
Testuser
**************
Your Time is running out!
Time Remaining
12:37:59
Click here to pay
Could this really happen?
YES !!
Then How?
Structured Query Language (SQL) Injection
What is SQL Injection?
• SQL is a language for communicating with databases
• SQL injection is a vulnerability in web applications that pass user input into database queries
• Allows malicious users to trick a web server to:
  • Gather information
  • Modify tables
  • Run system commands
  • Upload files
How does it work?
Diagram: the web server t1.acme.com sits behind the firewall and network security controls, in front of the database server; the SQL injection is sent over HTTP, and the database returns account passwords.
Real example: password capture
Proliferation: The whole network is at risk
Diagram (t1.acme.com and sql.acme.com): upload files; scanning, password cracking; unauthorized web content.
Remediation
• Immediate
  – Validation checks on login script
  – Remove error codes
  – Audit the database and surrounding systems
• Long Term
  – Develop SQL hardening standards
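As an added example, not part of the original report, the following Python sketch shows the login-script fixes named under Remediation: the string-built query a vulnerable login script would run, the parameterised and validated form beside it, and a wrapper that withholds database error details from the client. The in-memory table, the test account and the inputs are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database: one test account standing in for the
    site's real user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('testuser', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation: the user's input becomes part of
    the SQL text, so a quote in either field rewrites the query's logic."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Validation check plus a parameterised query: the username must match
    an allow-list, and both values are bound as data, never spliced into SQL."""
    if not username.isalnum() or len(username) > 32:
        return False
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def login_page(conn, username, password, check=login_hardened):
    """'Remove error codes': whatever the database raises, the client only
    ever sees a generic message, so malformed input reveals nothing about
    the query or schema."""
    try:
        ok = check(conn, username, password)
    except sqlite3.Error:
        return "Login failed"
    return "Welcome" if ok else "Login failed"


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology in the password field: the concatenated query
    # becomes "... AND password = '' OR '1'='1'" and matches every row.
    print(login_vulnerable(db, "testuser", "' OR '1'='1"))   # True
    print(login_hardened(db, "testuser", "' OR '1'='1"))     # False
    print(login_page(db, "testuser", "'", check=login_vulnerable))
```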