
Security Testing – SQL Injection

Security testing now plays a leading role in how developed software is tested, and the SQL injection technique is one of the most important things to cover in it. SQL injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to the server.

Many applications use some type of database. An application under test might have some form of user interface that accepts user input in order to perform some of the following tasks:

1. Show the relevant stored data to the user, e.g. the application checks the credentials of the user using the login information entered by the user and exposes only the relevant functionality and data to the user.

2. Save the data entered by the user to the database, e.g. once the user fills in a form and submits it, the application proceeds to save the data to the database; this data is then made available to the user in the same session as well as in subsequent sessions.

These input fields are the entry points that hackers use for SQL injection. Some of the user inputs might be used in framing SQL statements that are then executed by the application on the database. It is possible for an application NOT to handle the inputs given by the user properly. If this is the case, a malicious user could provide unexpected inputs to the application that are then used to frame and execute SQL statements on the database. This is called SQL injection. The consequences of such an action could be alarming.

The following things might result from SQL injection:

1. The user could log in to the application as another user, even as an administrator.
2. The user could view private information belonging to other users, e.g. details of other users' profiles, their transaction details etc.
3. The user could change application configuration information and the data of the other users.
4. The user could modify the structure of the database, even delete tables in the application database.
5. The user could take control of the database server and execute commands on it at will.

Since the consequences of allowing the SQL injection technique could be severe, it follows that SQL injection should be tested during the security testing of an application.

Important: The SQL injection problem should be tested only in the test environment. SQL injection might be possible in applications that use SSL. Even a firewall might not be able to protect the application against the SQL injection technique.


How to inject SQL attacks?


To start security testing an application against SQL attacks, first look for the input fields in which a user could enter SQL commands. Examples would be the login page, user submission forms, search fields, comment fields in blogs, forum pages, and sometimes even email input fields.


Then start framing SQL commands that might attack the application by deleting entries or altering existing information, or that provoke a database error which reveals some table information. Example: if entering a single quote (') in a textbox results in a database error, it means that the user input is inserted in some query which is then executed by the application.
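The single-quote check described above, as an added example that is not part of the original article: a hypothetical login query built by string concatenation beside its parameterized form, each classified by how it reacts to two test inputs. It assumes a throwaway in-memory SQLite database (the inputs listed in this article target SQL Server); the table, function names and rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory test database; table and rows are sample data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret"), ("alice", "wonderland")])
    return db

def login_concat(db, name, password):
    # Weak form: user input is pasted into the SQL text.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()

def login_param(db, name, password):
    # Corrected form: input is bound as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()

def probe(login, name, password="x"):
    """Classify one test input as 'error', 'logged_in' or 'rejected'."""
    db = make_db()
    try:
        row = login(db, name, password)
    except sqlite3.Error:
        return "error"  # database error: the input reached the query text
    finally:
        db.close()
    return "logged_in" if row else "rejected"

def run_checks():
    # A lone quote, and a shortened form of one input from this article.
    probes = ["'", "' or 1=1 --"]
    return {(fn.__name__, p): probe(fn, p)
            for fn in (login_concat, login_param) for p in probes}

if __name__ == "__main__":
    for (fn, p), result in run_checks().items():
        print(f"{fn:13} {p!r:16} -> {result}")
```

A result of "error" or "logged_in" for a test input is the finding to report; the parameterized form returns "rejected" for both inputs.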

The following inputs can be entered in the application to see whether they return database errors or cause a corresponding action in the database:

' having 1=1 --
' or 1=1; drop table users; --
'; shutdown with nowait; --
'; exec master..xp_xxx; --
'; exec master..xp_cmdshell 'iisreset'; --

Important: During security testing, the tester should be very careful not to modify any of the following:

1. Configuration of the application or the server
2. Services running on the server
3. Existing user or customer data hosted by the application

Additionally, a security test should be avoided on a production system. The purpose of the security test is to discover the vulnerabilities of the web application so that the developers can then remove these vulnerabilities from the application and make the web application and data safe from unauthorized actions. Instead of manually testing whether the application is vulnerable to SQL injection or not, one could use a web vulnerability scanner that checks for SQL injection.

