Secure Programming of Web Applications: SQL Code Injection
We can read about numerous successful attacks on well-known web applications on a weekly basis. Reason enough to study the background of "Web Application Security" of custom-made / self-developed applications - no matter if these are used only internally or with public access.
This is an excerpt from the book "Secure Programming of Web Applications: Web Application Security for Software Developers and Project Managers", also available as eBook
A corresponding online (video) training course exists: Online Course 'Web Application Security', also available on Udemy, and on request as HTML5/SCORM/Audio comment version
Description
Users provide input data to a web application. This data is processed at the backend within SQL statements or NoSQL queries. A famous example would be a search function, but in general all user data is relevant here – it could also be a username or password (compare database queries for authentification).
When this user data is processed unfiltered as string within a statement, attackers could be able to alter the statement code itself and execute this at the backend. This might lead not only to unintentional data exposure but also to unintentional data or database modifications.
Simplified Code Sample including Security Vulnerability:
// (Java)
//
// Transfer of user input through framework/servlet/JSP/CGI
// ...
// Building database connection
// ...
Statement stm = con.createStatement();
stm.executeUpdate("UPDATE Table_User SET Password=’" + strInpPasswordNew
+ "’ WHERE (Name=’" + strInpUsername + "’) AND (Password=’"
+ strInpPasswordOld + "’);");
→ Explanation: For instance, an input string like "Password123’;--" (without quotation marks) causes overwriting all passwords in the table, because in SQL (not true for all DB systems) "--" starts a code comment so that the rest of the statement is simply ignored.
Secure Programming:
A strict separation of database commands and user inputs has to be implemented. For this purpose, well-established programming constructs have to be used. Own "filter methods" should never be used.
Example:
// (Java)
//
// Transfer of user input through framework/servlet/JSP/CGI
// ...
// Building database connection
// ...
PreparedStatement pstm = con.prepareStatement(
"UPDATE Table_User SET Password=? WHERE (Name=?) AND (Password=?);");
pstm.setString(1, strInpPasswordNew);
pstm.setString(2, strInpUsername);
pstm.setString(3, strInpPasswordOld);
pstm.executeUpdate();
→ In this example so called Prepared Statements have been used:
- System-inherent separation of SQL commands and user inputs
-
Independent of the database system
→ Alternative: "Stored Procedures" on the database system level! - Included in all popular languages and systems, e.g.: Java, Perl, Microsoft ADO.NET, ...
- Similar procedures/APIs in NoSQL systems (less standardized)
The API documentation of each programming environment contains further details about the corresponding application.
Keywords
Secure Programming, Web Applications, Web Application Security, Software Developing, Project Management, Security Awareness
Categories: IT Security Background articles Development/Java
Comments
Post your comment
Share
If you like this page, it would be a great thing if you share it with others:
reddit
Digg
StumbleUpon
XING
WhatsApp
Telegram