Thursday, May 22, 2008

What's SQL Injection? Some new drug or something?

In a nutshell, "SQL injection" is a way to hack into a website, break it, or otherwise make a big mess of it. SQL is a database language that uses statements like INSERT, DELETE, and UPDATE.

Think of SQL injection as analogous to Microsoft's buffer overflow problems (you know those Windows updates that you get at 3AM every morning; a lot of 'em fix Microsoft's failure to properly handle buffer overflows).

So both buffer overflow and SQL injection happen when you put a bunch of extra stuff into a URL in your address bar, in such a way that it gets dumped onto the server and the server actually runs the words you put in the URL.

For example, http://crockettdunn.blogspot.com/?andDeleteAllOfCrockettsBlog

Obviously it's not that simple, but that's the idea.

"But Crockett," you ask, "why do I care about SQL injection?"

See below, quoted from the article (link to article: http://msdn.microsoft.com/en-us/library/ms998271.aspx):

See "SQL injection attacks on the rise":

During the past few months, SQL injection attacks have been used to break into hundreds of thousands of Web sites powered by Microsoft's Internet Information Server (IIS) and SQL Server. The attacks pass unauthorized SQL queries to backend database servers, where they perform any of a number of actions, such as deleting entire databases or tables and modifying various types of stored data, including text and HTML.

Microsoft, SANS, Shadow Server, Trend Micro, F-Secure, and numerous other organizations have written about the ongoing problem, which has been occurring since at least last March. In a nutshell, the bad guys are exploiting flaws in ASP.NET applications to inject unwanted HTML code into database records. That HTML eventually winds up in Web pages. When you browse to the page, the HTML code tries to exploit security vulnerabilities in browsers and related tools to install a variety of malware onto your PC.

These attacks are possible because of security bugs in various ASP.NET-based applications. Apparently, many developers have overlooked the need to properly sanitize input supplied by Web users.

For example, a Web form might ask people to enter their name and e-mail address to sign up for a newsletter. Along with that information, a hacker could add some special characters and a valid SQL query statement. If that input isn't properly sanitized before it's sent to the SQL server, the server might be tricked into executing the query supplied by the bad guy.

The solution is to audit your Web applications to make sure they sanitize user-supplied input. Microsoft's article entitled "How To: Protect From SQL Injection in ASP.NET" explains the required steps.
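As an added example (not part of the original post or the quoted article), here is the newsletter sign-up lookup from the quote written two ways in Python with sqlite3: the vulnerable string-concatenated query beside the parameterized fix, plus output encoding for the stored-HTML case the article describes. The table, the subscriber rows and the crafted input are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the newsletter sign-up form described above.
SUBSCRIBERS = [
    ("Crockett", "crockett@example.com"),
    ("Alice", "alice@example.com"),
]


def make_db():
    """Create an in-memory subscribers table (constructed sample, not a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SUBSCRIBERS)
    return conn


def lookup_unsafe(conn, email):
    """VULNERABLE: user input is pasted straight into the SQL text, so a
    quote character in the input changes the meaning of the query."""
    sql = "SELECT name, email FROM subscribers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """FIXED: the query shape is fixed and the input travels as a bound
    parameter, so the database never parses it as SQL."""
    sql = "SELECT name, email FROM subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_name(name):
    """Output side: encode stored text before it lands in a Web page, so HTML
    that made it into a record is displayed as text, not run by the browser."""
    return html.escape(name)


def demo():
    conn = make_db()
    # A quote plus an always-true condition: the "special characters and a
    # valid SQL statement" pattern the article describes.
    crafted = "nobody@example.com' OR '1'='1"
    leaked = lookup_unsafe(conn, crafted)  # every row comes back
    safe = lookup_safe(conn, crafted)      # no row has this literal e-mail
    # HTML in a field is stored as plain text; escaping on output keeps it inert.
    conn.execute("INSERT INTO subscribers VALUES (?, ?)", ("<b>x</b>", "b@example.com"))
    row = conn.execute("SELECT name FROM subscribers WHERE email = ?", ("b@example.com",)).fetchone()
    return len(leaked), len(safe), render_name(row[0])
```

Parameterized queries stop the input from rewriting the SQL; encoding on output is what keeps any HTML already sitting in a record from reaching the browser as markup.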