SQL Injection
Detected by Syhunt: Yes (locally, remotely)
Type: Injection Flaw
Also Known As: SQLi
CWE: 89
Many web sites contain flaws that may allow attackers to carry out SQL injection attacks. The issue occurs when a script fails to properly sanitize user-supplied input passed in parameters. This may allow attackers to inject or manipulate SQL queries run against the back-end database.
Detailed Information
- Protecting Against SQL Injection Attacks - DOE-CIRC
- Attack Methodology Analysis: SQL Injection Attacks - DOE
- Minimize the Effectiveness of SQL Injection Attacks - NSA
- SQL injection – How to avoid it
- SQL Injection - OWASP
- SQL Injection - PHP.Net
- SQL Injection - WASC
- http://en.wikipedia.org/wiki/SQL_injection
Examples of vulnerable code
Below you can find very basic examples of SQL injection vulnerabilities.
PHP
<?
$username = $_GET['username'];
$result=mysql_query('SELECT * FROM users WHERE username="'.$username.'"');
?>
Syhunt scan results for this example code:
Found: 1 vulnerability
In /sqli_basic.php (source code, locally), affecting parameter "username", on lines 2,3: Possible SQL Injection Vulnerability
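The PHP lookup above rewritten with a prepared statement, as an added example (not Syhunt's code and not part of the original page). It assumes PDO with an in-memory SQLite database in place of the MySQL back end; the `users` table, its rows, the sample inputs and the function names `open_demo_db` and `find_user` are constructed for illustration.

```php
<?php
// Added example: hardened counterpart of the vulnerable username lookup.
// Assumption: PDO + in-memory SQLite stands in for the MySQL back end.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Surface database errors as exceptions instead of silent false returns.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
    $db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')"); // constructed rows
    return $db;
}

function find_user(PDO $db, $username): array
{
    // Request parameters are not always strings (?username[]=x arrives as an array);
    // reject anything that is not a non-empty string of bounded length.
    if (!is_string($username) || $username === '' || strlen($username) > 64) {
        return [];
    }
    // The SQL text is a constant. The value is sent separately as a bound
    // parameter, so quote characters in it cannot change the statement's structure.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_demo_db();
// Constructed inputs: an existing name, names containing quote characters, an array.
$inputs = ['alice', 'al"ice', "o'brien", ['alice']];
foreach ($inputs as $input) {
    $rows = find_user($db, $input);
    printf("%-12s => %d row(s)\n", json_encode($input), count($rows));
}
```

In a real page, `$username` would come from `$_GET['username']` as in the vulnerable snippet; the validation and binding steps stay the same.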
ASP
<%@Page Language="C#"%>
<%@ Import NameSpace="System.Data" %>
<%@ Import NameSpace="System.Data.SqlClient" %>
<%
// Dynamic SQL
SqlDataAdapter myCommand = new SqlDataAdapter("SELECT au_lname, au_fname FROM authors WHERE au_id = '" + Request.QueryString["SSN"] + "'", myConnection);
// Stored Procedure
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" + Request.QueryString["SSN"] + "'", myConnection);
%>
Syhunt scan results for this example code:
Found: 1 vulnerability
In /sqli_ms.aspx (source code, locally), on lines 6,8: Possible SQL Injection Vulnerability
Cheat Sheets
Page last modified on August 20, 2013, at 05:03 PM