In this third part, we cover the string SQL injection vulnerability using the OWASP WebGoat lab.

String SQL injection is easy to exploit in applications that build queries dynamically by joining strings together. If the application takes a string from the user and places it in the query as a quoted string parameter, the attacker can change the query that gets built by shaping the input around the quotation marks: a quote mark closes the string parameter, and whatever follows it is read by the database as SQL.

The Exploitation Process

To achieve this, I learned that you provide a seemingly innocuous username to the application, but you append a carefully constructed SQL query to it. This appended query is designed to bypass the application’s intended logic and force the database to return all records.

For example, the video showed an SQL injection query that, when executed, revealed all credit card numbers and their types stored in the database. This is highly confidential information that should never be accessible to regular users.

Preventing Such Attacks

The video strongly emphasized the critical importance of validating and filtering every query and input received from users. This is the primary defense against SQL injection vulnerabilities. Without proper input sanitization, applications are left wide open to malicious attacks that can compromise sensitive data.
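To make the concatenation flaw from the first section and the fix concrete, here is an added example that is not part of the article or of WebGoat: an in-memory SQLite table with constructed sample rows, the vulnerable string-built lookup beside a parameterized one, and an input that closes the quoted string and appends an always-true condition. Parameter binding is shown here as the hardened form alongside the input validation the video recommends.

```python
import sqlite3

# Constructed sample data standing in for the lab's table (not WebGoat's schema).
SAMPLE_USERS = [
    ("alice", "4111-1111-1111-1111", "VISA"),
    ("bob", "5500-0000-0000-0004", "MC"),
    ("carol", "3400-0000-0000-009", "AMEX"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (name TEXT, cc_number TEXT, cc_type TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation: the input becomes part of the SQL."""
    query = "SELECT name, cc_number, cc_type FROM user_data WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Binds the input as a parameter: the database never parses it as SQL."""
    query = "SELECT name, cc_number, cc_type FROM user_data WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Input that closes the quoted string and appends a condition that is always true.
INJECTED_NAME = "smith' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    # The concatenated query becomes: ... WHERE name = 'smith' OR '1'='1'
    print("vulnerable:", lookup_vulnerable(conn, INJECTED_NAME))        # every row leaks
    print("parameterized:", lookup_parameterized(conn, INJECTED_NAME))  # no such user: []
```

The parameterized lookup treats the whole input as a literal name, so the same input matches nothing instead of dumping every card.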

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
