Locking the Door behind You: Hacker Protection for Your Web Applications

SQL Injection

SQL injection allows an attacker to gain access to a backend database through the trusted Web site. If the Web site has not invested any time in hacker protection and contains development errors, an attacker can format a Web request so that an SQL statement will get 'piggybacked' onto the real request from the Web application, and the attacker's request will get executed. This occurs because the input from the user is 'trusted' and not filtered properly. To ensure complete hacker protection from SQL injection, any type of request to your SQL server needs to be filtered before it is executed. If fully exploited, SQL injection can lead to an attacker downloading the entire backend database to the local machine.

Step 1. Open the Web site in a browser.

Step 2. Mouse over the links of the Web site with your cursor while paying attention to the bottom status bar. You will notice the URLs that the links point to. Try to find a URL with parameters in it (Ex. http://www.site.com/articleid.asp?id=42). Most SQL injection problems are present when the file extensions are ".asp" or ".cfm". When trying to test a site for SQL injection vulnerabilities, look for these files specifically.

Note: If you don’t see any URLs in the status bar, then just click on links, and watch the address bar until you find a URL that has parameters.

Step 3. Once a URL with parameters has been found, click the link, and go to that page. In the address bar, you should now see the URL that was seen in the status bar.

Step 4. Here is where the actual testing for hacker protection takes place. There are two methods for testing a script for SQL injection. Be sure to test each parameter value one at a time with both methods.

  • Method 1. Go to the address bar, click your cursor, and highlight a parameter value (Ex. Highlight the word value in "name=value"), and replace it with a single quote ('). It should now look like "name='"
  • Method 2. Go to the address bar, click your cursor, and put a single quote (') in the middle of the value. It should now look like "name=val'ue"

Step 5. Click the 'GO' button. This will send your request to the Web server.

Step 6. Analyze the response from the Web server for any error messages. Most database error messages will look similar to the examples below:

Example Error 1:
Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string '51 ORDER BY some_name'. /some_directory/some_file.asp, line 5

Example Error 2:
ODBC Error Code = S1000 (General error) [Oracle][ODBC][Ora]ORA-00933: SQL command not properly ended

Step 7. Sometimes the error message is not obvious and is hidden in the source of the page. To look for it, you must view the HTML source of the page and search for the error. To do this in Internet Explorer, click the 'View' menu, and select the 'Source' option. This will cause Notepad to open with the HTML source of the page. In Notepad, click the 'Edit' menu, and select 'Find'. A dialog box will appear that will ask you to 'Find What'. Type the phrase 'Microsoft OLE DB' or '[ODBC]', and click 'Find Next'.

Step 8. If either Step 6 or Step 7 is successful, then the Web site is vulnerable to SQL injection.
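To make the 'piggybacking' mechanism and the single-quote test concrete, here is an added example (not code from the original article) that puts a concatenated query next to its parameterized replacement and runs the Step 4 probes against both on a constructed SQLite table; the error-signature check mirrors the strings Step 7 searches for. The table, rows and function names are assumptions for illustration.

```python
import sqlite3

# Constructed in-memory table standing in for the site's backend database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(42, "Locking the Door"), (51, "Another Article")])
    return conn

def lookup_vulnerable(conn, article_id):
    """Development error: the parameter is pasted into the SQL text, so a quote
    in the input changes the statement the database parses."""
    sql = "SELECT title FROM articles WHERE id = '" + article_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, article_id):
    """Fix: the value is bound as a parameter and never interpreted as SQL."""
    rows = conn.execute("SELECT title FROM articles WHERE id = ?", (article_id,))
    return [row[0] for row in rows]

def probe(lookup, value):
    """Send one Step 4 value through a lookup and report whether the
    database raised an error (the signal Step 6 looks for)."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.OperationalError as exc:
        return ("db_error", str(exc))

# Signatures from the article's example errors (Step 6 / Step 7).
ERROR_SIGNATURES = ("Microsoft OLE DB", "[ODBC]", "ORA-")

def looks_like_db_error(html_body):
    """True if a response body carries one of the database error signatures."""
    return any(sig in html_body for sig in ERROR_SIGNATURES)

if __name__ == "__main__":
    for value in ("42", "'", "4'2"):          # normal value, Method 1, Method 2
        print("concatenated ", repr(value), probe(lookup_vulnerable, value))
        print("parameterized", repr(value), probe(lookup_parameterized, value))
```

The concatenated version reports a database error for both probe values while the parameterized version simply returns no rows, which is the behaviour a fixed page shows in Steps 6 and 7.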

About the author

Caleb Sima United States

Caleb Sima is founder and chief technology officer of SPI Dynamics, the expert in Web application security testing and enterprise security risk management. He is widely known within the Internet...
