
SQL Injection Defenses by Martin Nystrom


Attacks

This section describes web application attacks, motivations, and the weaknesses that make them possible.

Motivations

Hackers target database weaknesses in web applications because, in many deployments, the application is the only path for retrieving data out of that database. The database itself is normally not reachable from the untrusted network (the other side of the firewall). This is not always the case, of course: the SQL Slammer outbreak of 2003 demonstrated that plenty of organizations allowed direct access to their Microsoft SQL Servers from Internet connections. Further, social engineering attacks are a far more effective means of harvesting data from databases. An attacker gains access to someone on the inside who can pull information from the database and feed it to her on the outside.

Since hackers normally cannot attack the database directly, they must route their attack through other means. The most direct network route to accomplish this is to attack the applications that access this database. The attacker may be interested in gaining access to the data to sell it in the underground economy, for competitive intelligence, or for foreign espionage. The attacker may also wish to Trojan the database with his own code, allowing full takeover of the database platform to launch further attacks, disrupt confidentiality, change transactions, or deny access to it altogether (denial of service). The SQL Slammer worm of 2003 was an example of this, as the attacker ...
