In last tutorial, we discussed about SQL injection but in a different context. We also talked about different types of attacks that we need to keep in mind when we test the authentication or login process for an application. To get more information, please visit the following link:
All right. In this tutorial, we will focus on SQL injection and discuss different methods for checking whether an application is protecting against SQL injection or not.
Before moving further, let’s have a brief look at SQL injection:
SQL injection tests are performed to verify that you are able to run user-controlled SQL queries on your database. A SQL injection vulnerability can be detected by a security test that checks for user input that could be used for malicious input.
Every field in a website is a doorway to the database. The login form requires the user to enter login data, the search form requires them to enter a search text, and the data saving form requires them to enter data to be saved. All the data that is indicated goes to the database.
If incorrect data is entered, then there is a possibility that malicious code will be introduced into the database and the whole system will be damaged.
How to perform Security Testing to check SQL injection?
Even if Security Testing was not planned, testing against possible attacks is a good practice as a tester. This way, you can make sure the product works well in unexpected situations.
To perform this security testing, you need to find the vulnerable parts of the system and then send malicious SQL code to the database. If a system is vulnerable to SQL injection, then malicious SQL code can be used to do harm.
Every field in a website is a doorway to the database. Any data or input that is entered into a system or website goes to the database query. Therefore, if we type any malicious code into the database, then it may be executed without correct data and have harmful consequences.
SQL Injection testing example 1
In order to execute this attack, we have to modify the purpose of the appropriate database query. One possible method to perform it is to make the query always true and insert your malicious code after that. To change the database query to always return true, you could use simple code like ‘ or 1=1;//.
Let’s take an example of the Login process and provide the input like we provided in the following snapshot.
If the database query to check login credentials is returning true, like this query:
select * from users where email='username' and password ='password';
and if we provide the input like ‘ or 1=1; then your query will change, password string will be commented. New query will be looked like this:
select * from users where email='' or 1=1 //password='password' ;
There are many other codes that can also be used to make the query always true, like:
- ‘ or ‘abc‘=‘abc‘;–
- ‘ or ‘ ‘=‘ ‘;–
It is possible to check for this vulnerability very easily. It is sometimes sufficient to type a ‘ or ” sign in the tested fields. If the message returns any unexpected or extraordinary results, then we can be sure that SQL injection is possible for that field.
SQL Injection testing example 2
You can check for possible SQL attacks by looking at the website’s link. Suppose we have a website’s link as https://www.itlearn360.com/books=1. In this case, the value is 1 and the book is a parameter. We would check for possible injections if we wrote the ‘ sign instead of the number in the link.
Therefore, link https://www.itlearn360.com/books=’ will be like a test if the SQL attack is possible for the website https://www.itlearn360.com or not.
In this case, if the link https://www.itlearn360.com/books=’returns an error message like ‘Internal Server Error’ or a blank page or any other unexpected error message, then also we can be sure that SQL Injection is possible for that website. Later, we can try to send more tricky SQL code through the website’s link.
To determine if this attack is possible through the website’s link, code like ‘ or 1=1;– can be sent.
We would like to emphasize that not only unexpected error messages can be considered a SQL injection vulnerability. Many testers only check for possible attacks according to the error messages.
No validation error message or successful message for malicious code can be a sign that this attack is possible.
Vulnerable Parts of this Attack
Before beginning the test, a tester should be aware of the most vulnerable parts of the system.
It is also a good practice to carefully plan which areas of the system will be tested and in what order.
This attack can occur anywhere data is being entered into the database, including any parts of the data entry system such as input fields or website links.
Vulnerable parts include:
- Login fields
- Search fields
- Comment fields
- Any other data entry and saving fields
- Website links
There isn’t enough to check only one or a few fields when testing against this attack. It is not uncommon for one field to be protected against SQL injection, while another is not. Therefore, you must test all the website’s fields.
We hope that you now clearly understand what a SQL injection is.
It is important to test against SQL injection attacks on a regular basis. Any unresolved database or system vulnerabilities could damage the company’s reputation and require significant resources to restore the entire system.