SQL Injection

From Embedded Lab Vienna for IoT & Security
Revision as of 20:20, 30 January 2020 by FElghamrawi (talk | contribs) (Created page with "== Summary == SQL Injection is a vulnerability, which can be found in applications, especially web applications. According to a study conducted in 2019 by OWASP, SQL injecti...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Summary

SQL Injection is a vulnerability, which can be found in applications, especially web applications. According to a study conducted in 2019 by OWASP, SQL injections count to the most common way for attackers to fetch sensitive data from a database. SQL injections are simply possible if SQL queries in the application provide results based on user input, while the user input is processed directly in the SQL query.

Functionality

SQL injections are basically possible if SQL queries in the application deliver results based on user input. The user input is processed directly by the SQL interpreter without changes or validation. In this case, the database cannot distinguish between malicious or good entries. In the business logic of the application, a query is used to retrieve the data of an user based on username and password. The username and password are filled in by the user via a a web form. The input goes directly into the query. An attack could look like this:

Step 1

SELECT * FROM Users WHERE name ='userName' and password='password'

Step 2

Make sure to read

  • War and Peace
  • Lord of the Rings
  • The Baroque Cycle

Used Hardware

Device to be used with this documentation Maybe another device to be used with this documentation

Courses

References

Retrieved from "https://wiki.elvis.science/index.php?title=SQL_Injection&oldid=2682"