Acme Sql Inject

Posted on 23-Jun-2015

Description

A high level view of SQL injection

Transcript

Critical Security Report For

ACME Retail Testing Website

SQL Injection Vulnerability: A Brief Demonstration

September 27, 2009.

Beta 1005 testing begins

Testuser

**************

Your Time is running out!

Time Remaining

12:37:59 Click here to pay

Could this really happen?

YES !!

Then How?

Standard Query Language (SQL) Injection

What is SQL Injection?

• SQL is a language for communicating with databases

• SQL injection is a database vulnerability

• Allows malicious users to trick a web server to:
  • Gather information
  • Modify tables
  • Run system commands
  • Upload files

How does it work?

Diagram: SQL injection over HTTP passes through the firewall and network security controls to the t1.acme.com database server; the database returns account passwords.

Real example: password capture

Proliferation: The whole network is at risk

Diagram: sql.acme.com (upload files; scanning, password cracking) and t1.acme.com (unauthorized web content).

Remediation

• Immediate
  – Validation checks on login script
  – Remove error codes
  – Audit the database and surrounding systems

• Long Term
  – Develop SQL hardening standards
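The first two immediate remediation items, validation on the login script and not returning database errors, are illustrated below with an added example that is not part of the original presentation or the ACME site: a login query built by string concatenation beside the parameterized form, run against a constructed in-memory SQLite table. The table contents, the `login_outcome` wrapper and the username allowlist pattern are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data for the demo; not the ACME site's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('testuser', 'S3cret!')")
    conn.commit()
    return conn

# Assumed allowlist for the login script's validation check: a stray quote
# or other SQL-significant character in the username is rejected up front.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def username_is_valid(username):
    return USERNAME_RE.fullmatch(username) is not None

def login_vulnerable(conn, username, password):
    """String-built query: the untrusted input becomes part of the SQL text,
    so a quote in the input changes the structure of the statement."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()

def login_parameterized(conn, username, password):
    """Bound parameters: the input is passed to the engine as data and is
    never parsed as SQL, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()

def login_outcome(login_fn, username, password):
    """Return 'ok', 'denied' or 'error'. The raw database error is never
    passed back to the client (remediation item: remove error codes)."""
    if not username_is_valid(username):
        return "denied"
    conn = make_db()
    try:
        return "ok" if login_fn(conn, username, password) else "denied"
    except sqlite3.Error:
        return "error"

if __name__ == "__main__":
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, login_outcome(fn, "testuser", "S3cret!"),
              login_outcome(fn, "testuser", "x'"))
```

With a single quote in the password, the concatenated query fails to parse (the vulnerable script would leak a database error), while the parameterized query simply denies the login.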