Examples Of SQL Injection

SQL Injection
An SQL injection is the technique of inserting complete or partial SQL commands into the user-supplied data fields of a web application so that they are passed on to the database server and executed. Attackers normally use SQL injection to compromise the security of a website, access private data and perform other unauthorized actions that the developer never anticipated.
Overview
The majority of businesses use website features such as contact forms, search functions, feedback fields, shopping carts and others to interact with their customers, employees and users. These features allow users to legitimately submit, store or retrieve information in the website’s database. The website forms must therefore have access to the database to enable
• Accessing the database to find and modify security settings in order to obtain administrative rights.
• Using those administrative rights to perform actions such as accessing and stealing private data, or deleting or modifying data in the database.
Example of an SQL Injection in a login page
When a user submits their credentials, the web application uses them in an SQL query which is then sent to the database for execution. If the submitted username and password are valid, the user gains access; if they are invalid, access is denied.
Assume the username is 'user1' and the password is 'pass123'. The web application will then send the SQL query below to the database for verification:
SELECT * FROM Users WHERE name = 'user1' AND password = 'pass123'
Instead of a valid username, an attacker could submit test' OR 1 = 1-- as the username and use anything at all as the password. The SQL query in this case will look like:
SELECT * FROM Users WHERE name = 'test' OR 1 = 1 -- ' AND password = 'xxxxx'
This SQL statement will always return a true
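The login example above, as an added illustration that is not part of the original essay: a constructed in-memory SQLite table plays the role of the Users table, one function builds the query by string concatenation exactly as the essay's web application does, and a second uses a parameterized query. The table contents, function names and the sqlite3 setup are assumptions for the demonstration. Running both against the injected username shows why the concatenated version admits the attacker and the parameterized version does not.

```python
import sqlite3


def make_db():
    # Constructed sample data: a Users table with a single valid account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('user1', 'pass123')")
    return conn


def build_vulnerable_query(name, password):
    # Concatenates the submitted values straight into the SQL text.
    # Anything the user types becomes part of the statement the database parses.
    return (
        "SELECT * FROM Users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, name, password):
    # The essay's pattern: the query is assembled as a string and executed as-is.
    query = build_vulnerable_query(name, password)
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, name, password):
    # The fix: placeholders keep the SQL text fixed and pass the values
    # separately, so a quote or a comment marker in the input is only data.
    query = "SELECT * FROM Users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    injected = "test' OR 1 = 1--"
    print(build_vulnerable_query(injected, "xxxxx"))
    print("vulnerable, valid creds:", login_vulnerable(db, "user1", "pass123"))
    print("vulnerable, injected:", login_vulnerable(db, injected, "xxxxx"))
    print("parameterized, valid creds:", login_parameterized(db, "user1", "pass123"))
    print("parameterized, injected:", login_parameterized(db, injected, "xxxxx"))
```

The printed query is the same statement the essay shows: the closing quote in the username ends the string literal, OR 1 = 1 makes the WHERE clause true for every row, and -- comments out the password check. With placeholders the database compares the whole submitted string against the name column and finds no match.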
Many websites have suffered attacks of this kind, in which usernames, passwords and other private data were accessed and stolen.
One such attack occurred in 2015 on the Vtech servers. The interactive toy manufacturer’s servers suffered an SQL injection attack in which the hacker managed to access over 2.3 million pictures and over 4.83 million email addresses, usernames and passwords.
Outcomes of SQL Injection
An attacker gaining administrative access is a big security risk.
• The attacker can steal, delete or alter part or all of the data
• The attacker can launch further attacks from the compromised server
• The attacker gains unauthorized access to all personal or company data, confidential information, customer data, etc.
SQL injection takes advantage of vulnerabilities in the publicly exposed, user-supplied data fields of a web application. Instead of submitting the anticipated information, an attacker may insert malicious code and trick the database into executing the compromised statements, performing unauthorized actions such as accessing and retrieving private data, or modifying or deleting parts or the entire
