usd HeroLab Top 5 Vulnerabilities 2020: SQL Injection

22. June 2021

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 3: SQL Injection

Vulnerability Background

SQL injection vulnerabilities allow an attacker to inject own database commands into legitimate database queries. This can be used for various types of attacks. Usually, a successful attack allows full access to the application-relevant parts of the database. In many cases, it is then possible to escalate permissions within the database or to access the server‘s file system. In the worst case, an SQL injection vulnerability allows the execution of arbitrary operating system commands on the underlying server.

Exemplary hacker attack and its consequences

The following example demonstrates an SQL injection vulnerability that ultimately allows the attacker to access password hashes of registered users. The initial entry point is located inside a search function for forum posts.

Figure 1: Application with a search for forum posts

The screenshot above shows the vulnerable search function, that can be used to search forum posts by title. Inserting special characters within the search query can provoke a database error, as demonstrated in the following screenshot:

Figure 2: Database error caused by special characters

Based on the obtained database error, an attacker can now refine the attack. The following screenshot shows how the vulnerability can be exploited to extract password hashes from the database:

Figure 3: Password hashes are extracted from the database

Recommended measures

User-controlled input should always be considered potentially dangerous and should never be used within database queries without sufficient filtering and encoding. Appropriate functions for filtering input are available in all common programming languages. Furthermore, it is recommended to use prepared statements. With this technique, the structure of a database query is sent to the database server in advance, before the data actually used for the query is inserted. The database server thus knows the structure of the query and subsequent modification by an attacker is no longer possible.

Please note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.



Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.

Also interesting:

DORA Countdown: One Month Left Until the Deadline

DORA Countdown: One Month Left Until the Deadline

DORA, the Digital Operational Resilience Act, will fully apply as of 17 January 2025. We have summarized everything you need to know about the EU regulation, preparation and best practices from our news blog.

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

PCI DSS v4.0: In March 2024, version 4.0 of the Payment Card Industry Data Security Standard became mandatory after a two-year transition phase. Just a few months later, version 4.0.1 was released as a minor update of the standard, which will become mandatory on...

Top 3 Vulnerabilities in SSO Pentests

Top 3 Vulnerabilities in SSO Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

Categories

Categories