This post is part of a compilation talking about the ten most common security flaws for web applications. To see them all, click here.
What is an injection attack?
OWASP defines the SQL Injection flaws as
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
So, if your application uses untrusted data in the construction of SQL calls, like
String query = "SELECT * FROM accounts WHERE custID=" + request.getParameterId("id");
Or if your application is trusting blindly in frameworks, using queries such as:
Query HQLQuery = session.createQuery("FROM accounts WHERE custID=" + request.getParameterId("id");
Then your application is vulnerable to a SQL Injection Attack.
What can be the impacts of an Injection Attack?
They vary greatly from getting restricted information, to data loss or corruption, lack of accountability, or denial of access. It can, sometimes, lead to complete host takeover.
How can I protect my application from Injection?
The best way to protect your application is guaranteeing that all commands your interpreter is running are separating untrusted data from the command or query.
There are several ways to do that. You can use a parameterized API - just be careful with APIs like stored procedures - to avoid the use of the interpreter entirely, escape special characters using the specific escape syntax for that interpreter or even have a “white list” input validation. OWASP provides us some escaping routines as well as some white list input validation routines to use.
Comments