4 Tips for Stopping SQL Injection Attacks

You may find something similar to this in the HTML (Note that in the following examples, inconsistencies and errors have been introduced to prevent them from being used to launch a valid attack. Examples are for illustrative purposes only):

Anything between the two "FORM" tags could prove to be useful when building an exploit.

So, how do you test if the page is vulnerable? One trick is to try to fool the page with a single quote -- for example, you could enter into the name field hello' or 1=1-- Note the single quote at the end of the word hello. So your input would look like this:

Login: hello' 1=1-- Password: hello' 1=1--

Another method is to try to hijack the page by modifying the URL: For example, you would input into your browser the following address:

http://website.com/locate.asp?login=hello' or 1=1--

By putting an address with the input data into your browser, the browser forces the ASP page to process your input of hello' or 1 = 1--.

Now some of you may ask what is the significance of ' or 1=1--. Simply put, that is the command being injected into the ASP script, which can bypass the login script and then display additional information that would not normally be available.

In other words, if you are familiar with SQL queries, you may have access to variables contained with in the SQL Table. That information could be used to build new queries, such as:

SELECT * FROM users WHERE Names='Smith' That command would load values into a variable of our choosing from the SQL Table.

Going one step further, we could add

or 1 = 1--

to the command string and the SQL server will return all information in the table, regardless if the Names variable is equal to Smith.

So what does all this mean? If a hacker is able to get to this point and gets results, then the SQL server is definitely vulnerable. Depending upon the SQL server technology in use, a hacker could execute several different commands. Most hackers will use the EXEC command to execute a task to get output from the SQL Server, which they can redirect to a shared folder by IP address.

So with the vulnerability uncovered and access to the SQL Tables, any hacker can simply deliver all of the data in a SQL Database to a destination of their choosing.

Armed with an understanding of how SQL injection attacks work, administrators can take steps to prevent those attacks. In many cases administrators will have to work with their software and Web developers to implement some basics rules that offer additional protection.

1. Employ filters that prevent characters like single or double quotes, backslashes, colons and so on from being passed from a web form into the SQL Server.

2. Only allow numeric values that are integers to be passed to the SQL Server, that can be handled by simply using the ISNUMERIC command to validate the input.

3. Delete stored procedures from the SQL database that are not needed. Examples are xp_sendmail or xp_cmdshell, which are not normally needed, but can be used by hackers to send information or gain access.

4. Check privileges behind SQL commands, such as Startup and RUN, on the SQL Server Security TAB (for Microsoft SQL Server) and make sure the appropriate privileges are assigned for your environment.