SQL InjectionSQL Injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of variables embedded in SQL statements. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another and is very prevalent that one could just perform a query on google for a possible target. It is even present on the high profile sites such as the UN (United Nations) website which was defaced last week according to this Slashdot.org article

Let me give you an example on how to use Google to find a possible target site for SQL Injection. In Google i will going to type in allinurl: .asp?ArticleID , I limit the query to display only ASP based sites which is most of these sites are running MS SQL and MS Access db, from the result, I picked a site to check if it is susceptible to SQL injection. One of the sites i have checked, displayed this error:

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14’

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ”.

/events/event_related_files/article_page.asp, line 11

Which means that the site is 99% susceptible to SQL injection. One of the site that was vulnerable to SQL injection is the UN Iraq website which was fixed already today. I managed to get a screenshot of the vulnerable website below.

UN Iraq Vulnerable to SQL Injection

There are still a lot of high profile websites out there that are susceptible to SQL injection. Unless programmers/developers stops ignoring the security aspects to consider when developing a web-based applications, There will be more out there in the future.

For further reading and better understanding about SQL injection see the links below.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *