SQL Injection

What is SQL injection?

SQL injection occurs when a malicious attacker submits a database SQL command which is then executed by the web application. This results in a security vulnerability that can expose the back-end database. This is typically due to improper validation or encoding procedures. The specific commands entered by a malicious attacker tricks the web app into executing unmediated commands and data changes. During a successful SQL injection, the SQL interpreter is unable to distinguish between the intended commands and those implemented by the attacker. By utilizing this trickery, a malicious attacker can exploit vulnerabilities and gain unauthorized access to confidential areas of the network. Using SQL injection, the attacker can then create, delete, read, update, and edit data. This is typically done in order to gain access to sensitive data such as credit card numbers, social security numbers, financial information, contact information, company information, company assets and much more.

Components of an SQL Injection Attack

  • A malicious user develops code that is constructed to trick the SQL interpreter into executing an action it would not normally perform.
  • Data entered by the malicious user is sent to the SQL interpreter.
  • The SQL interpreter analyzes the input data, but sees it as a legit command.
  • One the action has been performed, the malicious user may have full access to sensitive company data.

See SQL Injection Cheat Sheet, Attack Examples & Protection at Vulnerability Knowledge Base.

The following two tabs change content below.

tal

Latest posts by tal (see all)

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.