Monday, December 14, 2015

SQL Injection

SQL injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. In the SQL case the "interpreter" is the database engine, and the untrusted data is anything the application concatenates into a query: form fields, URL parameters, cookies, HTTP headers.

Why SQL injection matters

  • Top-ranked web application security risk (Injection is #1 in the OWASP Top 10)
  • Easy to discover: a single quote or an `OR 1=1` in an input field is often enough to spot it
  • Easy to exploit: no special tooling is required, just a browser or curl
  • Severe impact: read, modify or delete any data the application's database account can reach, and on some platforms run commands on the database host

Executing a SQL injection attack

  • The intruder sends an ordinary HTTP request to the website, with SQL fragments placed in a parameter the application uses in a query
  • The web server passes the request to the application, which builds the SQL query by string concatenation, so the attacker's text becomes part of the query
  • The query passes through the firewall and reaches the database: a network firewall sees legitimate web traffic on port 80/443 and has no reason to block it
  • The database executes the altered query, and confidential data is returned to the application and sent back in the response to the intruder

Example of sql injection

SQL injection based on 1=1 being always true

Suppose the application looks a user up with a query built from the request parameter:

SELECT * FROM Users WHERE UserId = <value of the id parameter>

If the attacker sends the id value "10 or 1=1", the query that reaches the database becomes:

SELECT * FROM Users WHERE UserId = 10 or 1=1

Because "=" binds tighter than "or", the condition reads (UserId = 10) OR (1=1), which is true for every row, so the database returns the whole Users table instead of one record.
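The following added example (not code from the original post) runs the attack above against a small in-memory SQLite table and contrasts the vulnerable string-concatenated query with a parameterised one. The table contents, the function names and the use of SQLite are assumptions chosen for the demonstration; the same pattern applies to any SQL database driver.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [
    (10, "alice", "alice@example.com"),
    (11, "bob", "bob@example.com"),
    (12, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Email TEXT)"
    )
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Builds the query by string concatenation (hypothetical vulnerable code).

    Whatever the caller sends becomes part of the SQL text, so an input of
    "10 or 1=1" turns the WHERE clause into an always-true condition.
    """
    sql = "SELECT * FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Same lookup with input validation and a bound parameter.

    The SQL text is fixed; the driver sends the value separately from the
    statement, so the value can never change the query's structure. Input
    that is not a plain integer is rejected before it gets near the database.
    """
    if not user_id.isdigit():
        raise ValueError("UserId must be a positive integer")
    sql = "SELECT * FROM Users WHERE UserId = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:", lookup_vulnerable(db, "10"))        # one row
    print("attack:", lookup_vulnerable(db, "10 or 1=1")) # every row
    print("safe:  ", lookup_safe(db, "10"))              # one row
    try:
        lookup_safe(db, "10 or 1=1")
    except ValueError as exc:
        print("safe rejected attack:", exc)
```

Binding the value as a parameter is what actually stops the injection; the `isdigit` check is defence in depth that also gives a clear error for malformed input rather than an empty result.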
