Saturday 10 May 2014

Let the Hacking Begin : SQL Injection

I just came across this awesome strip.
SQL Injection : Funny!
Yeah! It's XKCD. And this one is really cool. It highlights a well-known internet security vulnerability, SQL Injection.

Well, this is a bit technical, and (may) require some knowledge of SQL. (Even if you don't have it, go ahead, for it's readable by anyone who understands English!) And after reading this, you will have logged on to a website without even registering for it.
What is SQL Injection?
“SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data.”
What is SQL Query?
“An SQL query is a request for some action to be performed on a database.”
We'll be dealing with the website www.nptel.iitk.ac.in. Now, to gain access, you'll have to register with the website. What if you want to gain access directly? SQL Injection!
I'll be showing you how to bypass authentication via SQL queries.
So, click on Login and you get this page:
Without going into the details of what happens when we create a login application for a website, you can for now satisfy yourself with this: when a person registers, their username, password and other details are stored as a row in a table in the database. When the user wishes to log in, they enter a username and password; the system checks whether that username exists in the database and, if the password given matches the one in the database, you gain access to your account.
Now, let's see the SQL query at the backend.
SELECT * FROM users WHERE user='" + username + "';
("users" is my table name. I want to retrieve all the data (that's why the "*") associated with the username provided by the person. The database returns a match (effectively True) if such a user exists.)
What if I enter the username as ' or '1'='1 ?
The system will always return true, as the query becomes:
SELECT * FROM users WHERE user='' or '1'='1';
This will always return a true value. Do the same with the password field. I won't write down the backend query here, but whatever it is, it will return True if I enter the above input.
So, what you should now do is write ' or '1'='1 in both the username and password fields of the form and press Enter.
What do you see? Woah! Congratulations. You just hacked into a user's account. You gained access to the first member of the table.
So, this security vulnerability is what SQL injection is. More advanced forms of SQL injection also exist, but I won't discuss them here. I'm shocked at how a developer can fall prey to such a common attack whose prevention is just a few lines of code.
Now read the comic strip again. (The DROP command deleted the entire table.) "Learn to sanitize your database inputs". Funny!
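Those "few lines of code" are shown here as an added example (not from the original post or the site discussed): a login check built by string concatenation, exactly as described above, next to the parameterised version that fixes it. The in-memory SQLite table, its two constructed users and their plaintext passwords are assumptions for the demonstration only; a real backend would store password hashes, and a web application firewall or query log would also flag the quote-laden input as a detection signal.

```python
import sqlite3

def make_db():
    # Constructed in-memory database standing in for the site's "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    # Builds the query by string concatenation, like the backend described
    # above: the user's input becomes part of the SQL text itself, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT user FROM users WHERE user='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None  # first matching row, or None

def login_safe(conn, username, password):
    # Parameterised query: the driver sends the values separately from the
    # SQL text, so quotes inside the input can never change the query's
    # structure. They are compared literally against the stored columns.
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1"   # the input from the post, in both fields
    # Vulnerable: WHERE user='' or '1'='1' AND password='' or '1'='1'
    # is true for every row, so the first user in the table is returned.
    print(login_vulnerable(conn, payload, payload))  # alice
    # Safe: no user is literally named "' or '1'='1", so login fails.
    print(login_safe(conn, payload, payload))        # None
```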
