Security Testing Tutorial

Security Testing - Injection

The injection technique consists of injecting a SQL query or an operating-system command through the input fields of the application.

Web Application - Injection

A successful SQL injection can read and modify sensitive data in the database, and can also delete data from it. It also enables the attacker to perform administrative operations on the database, such as shutting down the DBMS or dropping databases.

Let us understand the Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impact of this flaw with the help of a simple diagram.

[Figure: SQL injection diagram]

Examples

The application uses untrusted data in the construction of the following vulnerable SQL call −

String query = "SELECT * FROM EMP WHERE EMPID = '" + request.getParameter("id") + "'";

Hands On

Step 1 − Navigate to the SQL Injection area of the application as shown below.

[Figure: sql injection1]

Step 2 − As given in the exercise, we use String SQL Injection to bypass authentication. Use SQL injection to log in as the boss ('Neville') without using the correct password. Verify that Neville’s profile can be viewed and that all functions are available (including Search, Create, and Delete).

Step 3 − We can inject SQL to bypass the password check by sending the parameter as 'a' = 'a' or 1 = 1.

[Figure: sql injection2]

Step 4 − After exploitation, we are logged in as Neville, who is the administrator, as shown below.

[Figure: sql injection3]

Preventing SQL Injection

There are many ways to prevent SQL injection. When developers write code, they should make sure that special characters are handled appropriately. OWASP provides a cheat sheet of prevention techniques, which is definitely a guide for developers.

  1. Using Parameterized Queries

  2. Escaping all user-supplied input

  3. Enforcing least privilege on the database for the end user
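As an added example that is not part of the original tutorial, the concatenated query pattern from the Examples section is placed beside its parameterized equivalent (prevention technique 1), using Python's sqlite3 against a constructed in-memory user table. The table layout, user names, passwords and function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data (not from the original page): an in-memory user table
# standing in for the application's database. Passwords are placeholders.
USERS = [
    ("Neville", "boss-password-placeholder", "admin"),
    ("Larry", "larry-password-placeholder", "employee"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    # Same pattern as the page's EMPID example: untrusted input is concatenated
    # straight into the SQL text, so a quote in the input becomes SQL syntax.
    query = ("SELECT name, role FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()


def login_safe(conn, name, password):
    # Parameterized query: the driver binds the values separately from the SQL
    # text, so a quote inside the input is just a character in a string value.
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()


def demo():
    conn = make_db()
    # The page's 'a' = 'a' tautology, supplied in the password field.
    tautology = "' OR 'a'='a"
    return {
        "vulnerable_with_tautology": login_vulnerable(conn, "Neville", tautology),
        "safe_with_tautology": login_safe(conn, "Neville", tautology),
        "safe_with_real_password": login_safe(conn, "Neville", "boss-password-placeholder"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

The concatenated version returns Neville's admin row without the password because the WHERE clause becomes `... AND password = '' OR 'a'='a'`, while the parameterized version returns no row for the same input.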