6.09.2009

SQL Injection - What is it?

SQL Injection is essentially user input, in the form of SQL code, that is executed on the database server. The lab demonstrated here shows that by injecting ' or '1'='1 into the password field, the attacker gains access to the website without any credentials. This happens because the program code builds the SQL statement by embedding the attacker's input directly into it. The result is the following: SELECT * FROM tblUsers WHERE UserName = 'any arbitrary text' And Password = ' ' or '1'='1', whose WHERE clause always evaluates to true, allowing the attacker to gain access. The security implications are huge once exploited.

The website created for demonstration of this lab queries the users table to verify the username and password and to grant or restrict access. Performing the exploit outlined above actually returns the first row in this table, which happens to be the site administrator account. If the website had administration functionality built in, e.g., creating users, the attacker would have full access to it. Similarly, if the account under which the SQL is executed has sufficient read/write access to the database, the attacker would be able to inject a drop table command to cause data loss, e.g. 1'; DROP TABLE tblUsers. There are a number of ingenious ways to exploit this further.

Fortunately, prevention of SQL Injection attacks is pretty easy and straightforward. A few ways are to use parameterized statements, user input limitation and user input validation. In our specific example, we could use Linq to prevent these types of attacks. Acting as an object relational mapper, Linq creates data classes for each table, view, stored procedure and more. Linq executes SQL with all user input parameterized, making it invulnerable to this type of attack. Review the program code in the default.aspx.cs file provided. The SQLInjectionProtected() method demonstrates how Linq could be implemented.
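To make the two sides of this lab concrete (the concatenated query that the ' or '1'='1 payload bypasses, and the parameterized query that stops it), here is an added, self-contained Python example against an in-memory SQLite database. It is not the lab's own code and not the ASP.NET/Linq implementation from the downloadable project; the table contents, the column names other than UserName and Password, and the username validation policy are constructed for the demo. The parameterized version does on SQLite what Linq (or a SqlCommand with SqlParameter values) does on SQL Server: the SQL text and the user's values travel separately, so quotes in the input never become part of the statement.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the lab's tblUsers table. The first row is the
    administrator account, mirroring the lab described in the write-up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblUsers (UserName TEXT, Password TEXT, IsAdmin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO tblUsers VALUES (?, ?, ?)",
        [("admin", "constructed-admin-pw", 1), ("alice", "constructed-alice-pw", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, as the unprotected
    lab page does: the user's text becomes part of the SQL grammar, so a
    password of  ' or '1'='1  turns the clause into
    (UserName = '...' And Password = '') or '1'='1', which matches every row."""
    sql = (
        "SELECT UserName, IsAdmin FROM tblUsers WHERE UserName = '"
        + username
        + "' And Password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Sends the SQL text and the values separately. The driver binds the
    values as data, so the same payload is compared literally against the
    Password column and matches nothing."""
    sql = "SELECT UserName, IsAdmin FROM tblUsers WHERE UserName = ? And Password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def username_is_valid(username):
    """Input limitation and validation, used in addition to (never instead of)
    parameterization. Assumed policy for this demo: 1-32 characters, letters,
    digits and underscore only."""
    return 1 <= len(username) <= 32 and all(
        c.isalnum() or c == "_" for c in username
    )


def demo():
    """Runs the payload from the write-up through both login functions and
    returns the outcomes so they can be inspected or asserted on."""
    conn = build_db()
    payload = "' or '1'='1"  # the injection string from the write-up
    return {
        # concatenated query: returns the first row, i.e. the admin account
        "vulnerable": login_vulnerable(conn, "any arbitrary text", payload),
        # parameterized query: the payload is just a wrong password
        "parameterized": login_parameterized(conn, "any arbitrary text", payload),
        # a real user still logs in through the parameterized path
        "legit": login_parameterized(conn, "alice", "constructed-alice-pw"),
        # the arbitrary text used in the lab also fails username validation
        "validation": username_is_valid("any arbitrary text"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script prints the admin row for the vulnerable path and None for the parameterized one with identical input, which is the whole lesson in two lines of output. Validation is kept as a separate function on purpose: it narrows what reaches the query, but only parameter binding removes the possibility of the input being parsed as SQL.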

Download the source code here: SQLInjectionWebsite.zip.

Asp.net 2.0 (Web Framework)
.NET Framework 3.5
C# (Programming Language)
IIS 6 (Web Server)
MS Sql Server 2005 (Database)
