Is Your SQL Server Susceptible to SQL Injection Attacks
If you are a Web site developer or a QA tester, you know how difficult it is to test against SQL Injection attacks.
SQL Injection is an attack on a Web application that passes (“injects”) unauthorized SQL query/commands into a command stream by talking advantage of input that isn’t validated, mainly from Web sites. Many Web pages take parameters from users through input form fields. By using those parameters to build an SQL string, a hacker can send various types of commands and queries to a SQL Server running the data access for the Web site.
For example, a basic HTML form might have two input fields to allow users to log in to a Web site with a username and password. If the database query that looks up the information relies on the user’s input for its variables, without validating that input, the database can be compromised by adding a string to the password input field.
WHERE username = ‘username’
AND password = ‘password’;
WHERE username = ‘username’
AND password = ‘password’ OR ‘x’='x’;
Normally, the query is meant to look up ‘password’ and return true or false, but now the ‘x’='x’ part of WHERE will return true and allow a hacker to bypass the login whether or not the password is correct.
For more information on SQL Injection see www.acunetix.com/websitesecurity/sql-injection.htm.
Be aware that huge losses have occurred due to SQL Injection attacks. GUESS?, Inc. (the clothing manufacturer) and PetCo.Com have fallen victim to SQL Injection attacks. In February 2002, the GUESS? Web site was compromised by a SQL Injection attack that netted attackers an unknown number of customer credit card numbers. For information about these attacks, see www.securityfocus.com/news/6194.
Now that you know how vulnerable a Web site can be to a SQL Injection attack, you should also be aware that it is very difficult to test against SQL Injection, as there are many objects to test. For example, let us assume that you want to test a SQL Injection attack against a customer registration page. As you can imagine, because there can be a lot of text boxes to test, it can quickly become a very boring and repetitive task. Multiply this by the many different forms that may exist across a Web site.
Acunetix Web Vulnerability Scanner (WVS) allows you to test your Web sites automatically for vulnerabilities. For this review I tested only its ability to find applications that were susceptible to SQL Injection attacks, which it did quite well. WVS also checks against these other Web attacks:
- Cross Site Scripting (also known as XSS or CSS): Generally occurs when a dynamic Web page gathers malicious data from a user and displays the input on the page without it being properly validated.
- CRLF Injection: Occurs when a hacker manages to inject CRLF commands into the system.
- Directory Traversal: Accesses restricted directories and executes commands outside of the Web server’s root directory using an HTTP exploit.
- Authentication Hacking: Accessing whatever privileges the administrator has assigned to a user by breaking into the system and proving to the application that one is a known and valid user.
- Google Hacking: Finding exploitable targets and sensitive data by using search engines.
Version and Configuration
This review was done using the following software and hardware configuration:
- Operating System: Windows 2000 Advance Server Service Pack 4.
- SQL Server 2000 Service Pack 4.
- Internet Explorer 6 SP 1.
- Acunetix Web Vulnerability Scanner 3.0 (Build 20051122).
- Processor: Intel Pentium CPU 2.80 GHz.
- Memory: 512 MB.
- Windows 2000/XP or Server 2003.
- Internet Explorer 5.1 or Higher.
- Microsoft SQL Server (7 or above) or Microsoft Access, if database is enabled.
During installation, you will have to decide whether to enable database support. Enabling this option will allow you to store scan results in a SQL Server or Access database. You can enable, disable or change the type of database later in the configuration options.
WVS crawls your Web site and attacks your Web applications automatically to sniff out vulnerabilities. It can scan many different types of Web pages and files on all types of Web servers. You can set file type inclusions and exclusions in the options.