Web application security – SQL injection attacks
2006; Elsevier BV; Volume: 2006; Issue: 4; Language: English
DOI: 10.1016/s1353-4858(06)70353-1
ISSN: 1872-9371
Authors
Topic(s): Network Security and Intrusion Detection
Abstract: When it comes to attacking web applications, the assailant will try several means of compromising the application. But there is one that is particularly prized where a backend database is used: executing arbitrary SQL commands. Even a comparatively simple web site, providing brochures and press releases, may well be driven by a database backend. At the other extreme, the majority of shopping cart and transaction sites will be driven by a database backend. SQL injection attacks are so called because attackers attempt to insert their own code into a pre-existing query (e.g. a product search). The aim is to get the application to perform an action that is unexpected and usually of benefit to the attacker. In this article the concepts of SQL injection are introduced, attack vectors are explored, and examples of preventative best practice are given. In the world of web application security the assessor will attempt numerous means of compromising the application. However, the holy grail for the assessor is obtaining the ability to execute arbitrary SQL commands, should such a back-end database exist.