A 30-minute Experiment
Yesterday I came across this page on Wikipedia as I searched the Net for information about website security. The concept of SQL injection is nothing new to me, but seeing the examples made me stop and think to myself, "is it really that easy?"
I decided to find out. I opened a web browser and navigated to my favorite search engine. A search for admin login returned approximately 108 million pages. I started by opening each link (10 per page) in a new tab. For the most part, every link brought me straight to an administrative login page, complete with username and password fields. Obviously, finding admin panels to "hack" isn't very hard.
The next step involved an extremely simple test. In both the username and password fields of every page, I typed:
' or 'x'='x
In a moment I'll explain why this works. In the meantime, I think the results will surprise you.
Within the first 100 pages that I tried, I was able to gain complete access to two administrative panels. One belonged to a restaurant in Michigan which apparently sells pasties online. To find out how much damage a malicious hacker could cause, I looked around to see what type of information was available. Within a matter of seconds, I realized that I had access to nearly 400 orders that had been placed, the most recent one being less than a month ago. Each order came complete with:
- Email address
- Credit card type
- Credit card number
- Expiration date
- Billing Address
- Phone number
That's right — nearly 400 people's credit card information had been compromised, and all I had to do was type 11 characters to do it.
Of course, someone with a little bit of background in web development is bound to know a thing or two about "hacking", but what about the average user? What I just did requires absolutely no understanding of web security. In fact, anyone can do it from any computer with an Internet connection...including you.
How SQL Injection Works
This particular form of injection is caused by improperly filtered escape characters. Essentially, the programmer didn't do a good job of "cleaning" the input before it got sent to the database as a query. Take this input, for example:
' or 'x'='x
Passing this directly to the SQL statement will turn this:
SELECT * FROM users WHERE username = '$username'
into this:
SELECT * FROM users WHERE username = '' or 'x'='x'
When executed, since 'x' is always equal to 'x', the WHERE clause is true for every row, so the query returns the entire users table and the login code ends up matching a valid username.
The same type of injection can be used to REPLACE data and even DROP entire tables. If database permissions are not set up carefully, a single injected call could even DROP an entire database.
Preventing an Injection
Protecting your applications from SQL injection is not difficult, but it takes some forethought. Any data that a user can supply, alter, or spoof should be validated and properly escaped before it is placed in a SQL statement.
POST variables are probably the most vulnerable, but anything that can be manipulated on the client side should not be trusted. Form data, including "hidden" fields, is incredibly easy to manipulate (Firefox users, see the urlParams extension). Readily available programs make it easy to spoof the host, user-agent, referer, and cookies (Firefox users, see the Tamper Data extension).
In PHP, you can use the
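To make both halves of this post concrete, here is an added example (mine, not code from the original post or from the restaurant's ordering system) that covers the "How SQL Injection Works" section and this "Preventing an Injection" section in one place. It uses Python and an in-memory SQLite database instead of the PHP/MySQL stack the post implies, and the users table it fills is constructed sample data. The vulnerable function pastes the form fields into the statement text exactly as described above; the safe function runs the same check as a parameterized query, so the driver hands the values to the database separately from the SQL and a quote in the input is just a character.

```python
import sqlite3

# Constructed sample data: a tiny users table standing in for the kind of
# admin panel described in the post. These are not values from the page.
SAMPLE_USERS = [
    ("admin", "s3cret-admin"),
    ("orders", "p4sties"),
]

# The exact string the post describes typing into both login fields.
PAYLOAD = "' or 'x'='x"


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username, password):
    """Build the statement the way the post's vulnerable login did: the raw
    form fields are interpolated straight into the SQL text. The post shows
    only the username clause; a real login check also compares the password,
    which is why the payload goes into both fields."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Return the usernames the interpolated query matched (sorted so the
    result is stable). With PAYLOAD in both fields the WHERE clause becomes
    username = '' or 'x'='x' AND password = '' or 'x'='x', which is true for
    every row, so every account comes back and a naive check that treats any
    non-empty result as 'logged in' lets the attacker straight through."""
    sql = build_vulnerable_query(username, password)
    return sorted(row[0] for row in conn.execute(sql))


def safe_login(conn, username, password):
    """Same check as a parameterized query. The SQL text is fixed; the two
    values travel as bound parameters, so PAYLOAD is compared literally
    against the stored username and matches nothing."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    matched = sorted(row[0] for row in rows)
    # Defensive check: a credential lookup should never match more than one
    # account. Anything else is a sign the query was tampered with.
    if len(matched) > 1:
        raise RuntimeError("login query matched %d rows" % len(matched))
    return matched


if __name__ == "__main__":
    db = make_db()
    print("query text:", build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable login with payload:", vulnerable_login(db, PAYLOAD, PAYLOAD))
    print("safe login with payload:", safe_login(db, PAYLOAD, PAYLOAD))
    print("safe login with real credentials:", safe_login(db, "admin", "s3cret-admin"))
```

Running it prints the expanded statement so you can see the quote from the payload closing the username literal, then shows the interpolated query returning both constructed accounts while the parameterized query returns nothing for the payload and exactly one row for the real credentials. The extra "more than one row" check in safe_login is the kind of cheap sanity test a login handler should keep even after the query is parameterized.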
If the developer of that ordering system for the restaurant in Michigan had taken the time to clean the form data from his login page, I wouldn't have been able to access all of those customers' private information. I'm pretty sure they would've all appreciated the little bit of effort that this would have required.
I notified the restaurant's management of the vulnerability and they have since taken the admin panel offline to fix the problem.
More About SQL Injection
Steve Friedl's article entitled SQL Injection Attacks By Example does an excellent job at demonstrating a few of the techniques that are used to compromise SQL statements. Another great resource is this SQL Injection Cheat Sheet, which provides a thorough outline of SQL injection attacks and what databases they apply to.