A code injection attack occurs when an attacker inserts malicious code into user input fields. If the application lacks proper input validation, this code is executed by the application, leading to unintended behavior or security breaches.
SQL is the standard language used by applications to interact with databases. Applications take user input and use it to construct SQL queries that retrieve or modify data in the database.
In a vulnerable application, user input is not properly sanitized. An attacker can inject malicious SQL commands into a form field. These commands are then executed by the database as part of the SQL query.
Example:
Normal query:
SELECT * FROM users WHERE name = 'Professor';
Injected query:
SELECT * FROM users WHERE name = 'Professor' OR '1'='1';
Because '1'='1' is always true, the WHERE clause matches every row, so the database returns all records.
SQL injection can often be performed using a web browser, without any additional tools. Attackers simply type SQL statements into fields meant for user input.
A fragment such as OR '1'='1' appearing in a form field or request log is a red flag indicating that someone is probing the application and that it may be vulnerable.
Application: WebGoat — intentionally vulnerable for educational purposes
Fields:
- Employee name: Smith
- Transaction Authentication Number: 3SL99A
Input:
- Name: Smith
- Auth Number: 3SL99A
Action: Click “Get Department”
Result: Shows the department record only for the employee Smith with that specific authentication number
Input:
- Name: Smith
- Auth Number: ' OR '1'='1
Result: Returns all employee records, because the injected OR '1'='1' makes the WHERE clause true for every row
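The following is an added example, not code from WebGoat or from these notes. It models the lesson above with a constructed in-memory SQLite table (the employee names, authentication numbers and departments are made up) and shows three things side by side: the query built by string concatenation that the walkthrough exploits, the same lookup written with bound parameters so the input is treated as data rather than SQL, and a simple check for the quote-then-OR tautology pattern that the notes call a red flag. Function and column names are assumptions for the illustration.

```python
import re
import sqlite3

# Constructed sample data standing in for the lesson's employee table.
# Values are invented; only "Smith" / "3SL99A" mirror the walkthrough.
EMPLOYEES = [
    ("Smith", "3SL99A", "Engineering"),
    ("Jones", "7PL44Q", "Finance"),
    ("Lee", "2XK18B", "Marketing"),
]


def make_db():
    """Create an in-memory database with the constructed employee rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (name TEXT, auth_tan TEXT, department TEXT)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn, name, auth):
    """The pattern the walkthrough exploits: user input is pasted into the SQL text.

    With auth = "' OR '1'='1" the statement becomes
      ... WHERE name = 'Smith' AND auth_tan = '' OR '1'='1'
    and, because AND binds tighter than OR, the OR '1'='1' branch is true
    for every row.
    """
    query = (
        "SELECT name, department FROM employee "
        f"WHERE name = '{name}' AND auth_tan = '{auth}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name, auth):
    """The fix: placeholders send the input as bound values, never as SQL grammar."""
    query = (
        "SELECT name, department FROM employee "
        "WHERE name = ? AND auth_tan = ?"
    )
    return conn.execute(query, (name, auth)).fetchall()


# Red-flag check for the quoted tautology form shown in the notes
# (a closing quote, OR, then 'x'='x'). It is deliberately narrow: a
# monitoring rule, not a substitute for parameterized queries.
TAUTOLOGY = re.compile(r"'\s*or\s*'(\w+)'\s*=\s*'\1", re.IGNORECASE)


def looks_like_tautology(field_value):
    """Return True if a submitted field value carries the OR '1'='1' pattern."""
    return TAUTOLOGY.search(field_value) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid input  :", lookup_vulnerable(db, "Smith", "3SL99A"))
    print("vulnerable, injected     :", lookup_vulnerable(db, "Smith", "' OR '1'='1"))
    print("parameterized, valid     :", lookup_parameterized(db, "Smith", "3SL99A"))
    print("parameterized, injected  :", lookup_parameterized(db, "Smith", "' OR '1'='1"))
    print("red flag on injected     :", looks_like_tautology("' OR '1'='1"))
```

Run it and the concatenated version returns all three constructed rows for the injected authentication number, while the parameterized version returns nothing, because no employee actually has the literal string ' OR '1'='1 as an authentication number. The regex check only recognises the specific quoted form from the notes; it is useful as an alert in request logs but catching every encoding or variant by pattern matching is not feasible, which is why the parameterized query is the real control.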
SQL injection is a critical vulnerability. It highlights the importance of:
These are essential to protecting applications from SQL injection and other forms of code injection.