Translate

Thursday, August 31, 2017

SQL(and other) Injection testing for beginners

I was testing a piece of our software the other day and came across this. When I first started it took me forever to figure out what was meant by this. Code injection doesn't necessarily have to be SQL that is being executed but can also be javascript or any other type of code that is put into a field in a program that is not supposed to take that kind of information.

What I saw the other day was placing javascript into the place where a name was supposed to be and what would happen is that the javascript would run when loading a page that had that information on the page. That would be a javascript injection attack.

The reason why it is called SQL injection is because at first it was people entering in SQL (the language of databases) in places that shouldn't have it and then they would have access to the database to do what they wanted with it.

"And thatsssss...bad?" (emperor's new groove) yes extremely they now have access to all information that is stored in your database they also have access to manipulate the tables how they want.

When testing for this one thing you want to do is to use different SQL commands in order to test a variety of possible attacks. Here are a few examples of SQL to test input areas of your program

"SELECT * FROM Xtable" Xtable = any table in your database; this tests basic keywords
add "or 1=1" to the previous statement to test against returning all rows in that table
Type text ";Drop Table X;" This will finish the search query and then drop a table in the database

These are just a few and these are only for the SQL based attacks there are other injection attacks like asp.net that also has vulnerabilities like this.

The javascript if you type <script> Javascript</script> into your input and it executes the javascript you have a vulnerability.

This is basic (very basic) idea of what javscript injection is and some basic things to how to test for it.

Here are a few pages that explain some more/different ideas on SQL injection.
https://www.w3schools.com/sql/sql_injection.asp
http://lazybatman.com/sql-injection-walkthrough/