Sunday, 08 June 2014

Threat of SQL Injection

What is SQL injection? SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. According to the Open Web Application Security Project (OWASP), SQL injection is rated the top threat to web applications.

Using SQL injection, an attacker can enumerate the target database to obtain sensitive information such as usernames and passwords. SQL injection is not always successful: not every website is vulnerable, and a website that validates the input in its forms will not be easily injectable.

A website vulnerable to SQL injection will return a page like the following (or similar) when a single quotation mark (') is entered. This is an example of a website vulnerable to SQL injection:

This website does not validate the input in its login form, so when a single quotation mark (') is entered, the code treats the input as part of the SQL query, which produces the error page above.

This means an attacker can exploit the database and, in the worst case, take over the website.

Given this threat, web developers are strongly encouraged to build websites with SQL injection defences such as:
- Input validation in the login form
- Use a web application firewall
- Limit database privileges
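As an added illustration (not code from the original post), the following constructed example shows the login-form behaviour described above against an in-memory SQLite table: a query built by string concatenation turns a single quotation mark into a SQL syntax error, while a parameterized query, optionally fronted by the whitelist input validation the post recommends, treats the same character as plain data. The table contents, user name and regex are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample data (not from the original post): an in-memory
# SQLite database standing in for the site's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The form input is pasted straight into the SQL text, so a single
    # quotation mark in the input becomes part of the query itself.
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders keep the input as data: a quote cannot alter the query.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Assumed username policy for the whitelist check (demo value).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def login_validated(conn, username, password):
    # Input validation (the post's first recommendation) placed in front
    # of the parameterized query; unexpected input is rejected, not "cleaned".
    if not USERNAME_RE.fullmatch(username):
        return False
    return login_parameterized(conn, username, password)

def probe(login, username, password="x"):
    # Report whether the input reaches the database as a syntax error
    # (the error page the post describes) or is handled as plain data.
    conn = make_db()
    try:
        return "login" if login(conn, username, password) else "rejected"
    except sqlite3.OperationalError:
        return "sql_error"

if __name__ == "__main__":
    for name, fn in [("vulnerable", login_vulnerable),
                     ("parameterized", login_parameterized),
                     ("validated", login_validated)]:
        print(name, probe(fn, "alice", "correct horse"), probe(fn, "'"))
```

Running it prints `sql_error` for the concatenated query and `rejected` for the other two when the input is a lone quotation mark, while all three accept the valid credentials.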
