In this code, the developer takes the user input from the form and
embeds it directly into an SQL query.
Suppose an attacker submits a login and password that looks like the
following:
    Login:    ' OR ''='
    Password: ' OR ''='
This will cause the resulting SQL query to become:
SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''
Instead of comparing the user-supplied data with entries in the Users
table, the query compares '' (empty string) to '' (empty string). This
will return a True result and the attacker will then be logged in as the
first user in the Users table.
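The login described above, as an added example that is not part of the original document: a concatenated query beside its parameterized form, run against a constructed in-memory SQLite table (table name, column names and the sample rows are assumptions) so the effect of the two quoting strategies can be compared directly.

```python
import sqlite3

# Constructed sample data: a two-row Users table, not taken from the document.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn

def build_vulnerable_sql(login, password):
    # String concatenation: whatever the user typed becomes part of the SQL text,
    # so a quote in the input ends the literal early and the rest is parsed as SQL.
    return ("SELECT Username FROM Users WHERE Username = '" + login +
            "' AND Password = '" + password + "'")

def login_vulnerable(conn, login, password):
    row = conn.execute(build_vulnerable_sql(login, password)).fetchone()
    return row[0] if row else None

def login_parameterized(conn, login, password):
    # Placeholders: the driver passes the values separately from the statement,
    # so quotes in the input are compared as data and never change the query.
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (login, password),
    ).fetchone()
    return row[0] if row else None

# The input from the text: closes the literal, ORs in a tautology, reopens it.
INPUT_FROM_TEXT = "' OR ''='"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(INPUT_FROM_TEXT, INPUT_FROM_TEXT))
    print("vulnerable:", login_vulnerable(db, INPUT_FROM_TEXT, INPUT_FROM_TEXT))
    print("parameterized:", login_parameterized(db, INPUT_FROM_TEXT, INPUT_FROM_TEXT))
```

Because AND binds tighter than OR, the trailing `''=''` makes the whole WHERE clause true for every row, and `fetchone()` hands back the first user in the table, exactly as the text describes; the parameterized version returns no row for the same input.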
There are two commonly known methods of SQL injection: Normal
SQL Injection and Blind SQL Injection. The first is vanilla SQL
Injection, in which the attacker can format his query to match the
developer's by using the information contained in the error messages
that are returned in the response.
Normal SQL Injection
By appending a union select statement to the parameter, the
attacker can test to see if he can gain access to the database:
    http://example/article.asp?ID=2+union+all+select+name+from+sysobjects
Copyright 2004, Web Application Security Consortium. All rights reserved.