Post Fri Sep 22, 2006 3:02 pm

The Dangers of SQL Injection

Here's a good write up abour SQL injection from MSDN - UK:

Software developers, unfortunately, are no different from the rest of society. They can adopt the 'head-in-the-sand' mentality shared by us all. Yet, for one Active Server Pages (ASP) developer, Jonathan Tegg, a valuable but basic insight into the perils of insufficient security prompted a course of events that probably avoided an expensive day in court.




An invaluable demonstration taking a few hours away from his desk, Tegg attended an event designed to highlight the simplicity of hacking into a poorly protected Web site. "I thought: This is incredible. It really is as simple as they say," he says. The developer saw proof of how easy SQL Injection can be. The demonstrator added SQL code to a Web form input box and within a few clicks, gained access to the supporting database.

"So after I saw this guy and his demonstration, I went straight back to my desk and tried out what he'd done," says Tegg. The next few moments brought home the kind of shock that makes you promise always to take advice when it's given. "I loaded up the administration package for the site and thought: surely, it can't be that easy to hack into the system," he says. At first, it seemed he was right. He typed in the code in the username and hit the return button and got a message saying 'access denied'. Then he changed tactics. "I thought about it a bit more and imagined what other methods I might use. So this time, I typed in the code in the username and inputted some dummy text for the password and—low and behold—I was into the system." Frighteningly, this meant that Tegg would have been just three clicks away from accessing credit card information under standard processes. "I would easily be able to see billing orders, shipping addresses, and card details," he says.


For full story:
http://www.microsoft.com/uk/msdn/securi ... _tegg.mspx

Don
CISSP, MCSE, CSTA, Security+ SME