SQL injection vulnerabilities have existed, and have been exploited, for several years. However, as is often the case with a class of security vulnerabilities, they continue to exist long after the methods of preventing them become well-known. One might think that certain commonly-used SQL injection attack methods would stop succeeding once they became well-known. However, some websites are still vulnerable to SQL injection attacks that have been known about for years. In the following video, an individual demonstrates this while performing a security audit of the Northwestern Health Sciences University’s website.
As one can see after viewing the video, an initial attempt at injecting SQL statements into a login form on this page revealed that characters commonly used in SQL injection attacks were being filtered using JavaScript. It was then demonstrated that such JavaScript-based filters can be removed simply by editing the page’s source code and saving the copy on the local hard drive. Other modifications were made to the page’s source code as well, such as converting the form’s relative submission URL to an absolute URL, which was necessary because the modified page was to be loaded from a local file rather than from the site. In addition, the maximum length of the password field had to be increased before the SQL injection string could be entered, so that change was also made. Finally, since one would prefer to see all of the data being submitted, the password field was changed to a regular text field so that the text typed into it could be viewed.
Measures may have been taken to prevent SQL injection attacks through this page. However, as the video demonstrates, measures implemented in client-side code can be circumvented very easily. In fact, some of the tasks performed by the individual conducting the security audit could have been automated, reducing the effort needed for the attack to succeed. Making the password field’s text visible and increasing the field’s maximum length can be done automatically via Greasemonkey user scripts, and Firefox extensions such as the Web Developer extension can likewise reveal what is typed into password fields. JavaScript could also simply be disabled to circumvent a JavaScript-based filter, and if the site turned out to require JavaScript, the page could be modified by hand to remove only the filter. In any case, measures for preventing SQL injection should not live in client-side code; that is the most important lesson one can take from this video.
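The server-side counterpart of that lesson, as an added example (not code from the video or from the audited site), is to build the login query so that user input is bound as data rather than spliced into SQL text. The block below sets up an in-memory SQLite database with one constructed account, shows a legacy login routine that concatenates both fields into the statement (the pattern that a client-side filter is trying to paper over), and beside it a hardened routine that binds the username as a parameter and compares a password hash in application code. The table names, the sample account and the textbook tautology string fed into the password field are all constructed for the demonstration; the two routines differ in both binding and hashing, and it is the binding that stops the injection.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: one account and one sensitive column, mirroring the
# kind of record (an SSN) that the video shows being exposed. Placeholder values only.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct-horse-battery"
SAMPLE_SSN = "000-00-0000"


def hash_password(password: str) -> str:
    # SHA-256 keeps the example dependency-free; real password storage should use a
    # slow, salted scheme such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a legacy (clear-text) and a hardened (hashed) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, ssn TEXT)")
    # Even the setup code binds its values; string concatenation is never needed.
    conn.execute("INSERT INTO legacy_users VALUES (?, ?, ?)",
                 (SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_SSN))
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (SAMPLE_USER, hash_password(SAMPLE_PASSWORD), SAMPLE_SSN))
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Legacy pattern: the statement is assembled by concatenation, so a quote
    character in either field becomes SQL syntax. Returns the matched username or None."""
    query = (
        "SELECT username FROM legacy_users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def hardened_login(conn: sqlite3.Connection, username: str, password: str):
    """Hardened pattern: the username is bound with a placeholder, so the driver
    never parses it as SQL, and the password is checked against a stored hash
    in application code with a constant-time comparison."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    if not hmac.compare_digest(row[0], hash_password(password)):
        return None
    return username


def demo() -> dict:
    """Run both routines against a correct password and against a constructed
    injection string in the password field, and report what each returns."""
    conn = make_db()
    injected = "' OR '1'='1"  # constructed test input, the textbook tautology
    return {
        "vulnerable_correct": vulnerable_login(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "vulnerable_injected": vulnerable_login(conn, SAMPLE_USER, injected),
        "hardened_correct": hardened_login(conn, SAMPLE_USER, SAMPLE_PASSWORD),
        "hardened_injected": hardened_login(conn, SAMPLE_USER, injected),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

Run as a script, the legacy routine returns the account for the injected password just as it does for the correct one, because the concatenated `AND ... OR` condition is true for every row; the hardened routine returns `None` for the injected input because the string only ever reaches the database as a bound value. Note that no client-side maxlength or character filter appears anywhere in the hardened path: those can be kept as usability niceties, but they contribute nothing to the defense.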
The video also demonstrates the possible consequences of SQL injection vulnerabilities. Once the attack had succeeded, it became clear why security measures were so important on that site: a great deal of information about the individual whose account was accessed became visible, as one can see near the end of the video. One such piece of sensitive information was that individual’s social security number. When SSNs can be accessed through a site, that fact should certainly be kept in mind when working to prevent unauthorized access to the databases the site uses.
This video has been viewed over 500,000 times at the time that I have published this entry. However, I am not sure how many times it was viewed before the page was corrected. The video demonstrates how not to prevent SQL injection, though it should not be considered a tutorial on how to perform SQL injection. A very common SQL injection string is used once the easily-circumvented measures meant to stop it from being submitted have been bypassed. The methods used in this attack will not work on many sites. However, one has to wonder how many websites rely on such a flawed method of preventing SQL injection attacks. Even if 99% of websites use better measures to prevent these attacks, that still leaves many websites vulnerable to this type of attack. And how many of those websites have information as sensitive as SSNs stored in the databases they use?
This video may not teach its viewers much about how to prevent or perform SQL injection attacks. Its lesson is the importance of preventing them. When sensitive data can be accessed by a user with proper credentials, the website through which that data is accessed should certainly not fall for one of the oldest tricks in the book.