SQL injection faultsRequest Pricing

SQL injection faults

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

Specialized Pen Testing

1

Cross site scripting (CSS) vulnerabilities

2

Business Logic Flaws

3

Authentication vulnerabilities

Cross site scripting (CSS) vulnerabilities

A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. Read More

Business Logic Flaws

Most of the web applications are moving to cloud technology. While this enhances the appliaction functionality, it also introduces security issues. Since everything is virtual in case of a cloud hosting, it is difficult to gain fine grain control of the "data at rest" and "data in transit" Read More

Authentication vulnerabilities

Most of the websites needing user authentications are vulnerable to authentication problems. There are several available authentication mechanisms to choose from, if not done correctly, can expose vulnerabilities that attackers can exploit to gain access to your system. Read More

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark "--". Subsequent text is ignored at execution time.

SQL Injection flaws

are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.

Valency Networks, Pune, provides a set of simple techniques for preventing SQL Injection vulnerabilities by avoiding these two problems. These techniques can be used with practically any kind of programming language with any type of database. There are other types of databases, like XML databases, which can have similar problems (e.g., XPath and XQuery injection) and these techniques can be used to protect them as well.

Primary Defenses:
  1. Option #1: Use of Prepared Statements (Parameterized Queries)
  2. Option #2: Use of Stored Procedures
  3. Option #3: Escaping all User Supplied Input

Additional Defenses:

  1. Also Enforce: Least Privilege
  2. Also Perform: White List Input Validation