When applications use SQL queries to interact with database contain direct user input without performing any validation then there is a possibility for SQL Injection as the applications fail to distinguish between sql code and data values.
Example query for SQL Injection:
SELECT username, password FROM users_table WHERE username = '" +
userName + "' and password = '" + password + "'
For example if user inputs ' or'1'='1 for both username and password
fields in the above query then the interpreter will consider it as
sql code instead of data and execute sql query as the input '
or '1'='1 is always true.
The above query changes as following which is a true condition,
gets executed and allows the user to login with privileges of first
user account in the DB which is usually of an administrator.
SELECT username, password FROM users_table
WHERE username = ''or '1'='1' and password = ''or '1'='1'
of this weakness and alter the data in database, view data or even worse delete
existing data from database.
How to Fix SQL Injection:
#1. Perform white list input validation as it allows only trusted data to be entered into the application.
#2. Use Prepared Statements with bind variables as it distinguishes between code and data through use of methods such as setInteger(value), setString(value)
#3. Use Stored Procedures that do not construct dynamic sql queries
#4. Use least Privilege mechanism to avoid the damage potential in case of successful exploitation. For example create a first record in DB with least Privileges rather than administrator privileges to avoid damage potential in case an adversary were able to bypass login with a true condition.
Usually most security flaws occur in applications as the developers are unaware of the security weaknesses and build the application as per business requirement. It will be of great help if developers are trained on how to build secure software to avoid vulnerabilities in early stages of SDLC.
Hope this article provided some useful information on SQL Injection. Please share if you like it. Stay updated with the latest cyber security tip and tricks to get secured.