Page 1489 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
properly, it will allow only authorized requests to the database.
However, if there is a flaw in the web application, it may allow
individuals to tamper with the database in an unexpected and
unauthorized fashion through the use of SQL injection attacks.
SQL Injection Attacks
SQL injection attacks allow a malicious individual to directly perform
SQL transactions against the underlying database, in violation of the
isolation model shown in Figure 21.2.
For more on databases and SQL, see Chapter 20.
In the example used earlier, a bank customer might enter an account
number to gain access to a dynamic web application that retrieves
current account details. The web application must use a SQL query to
obtain that information, perhaps of the following form, where
<number> is the account number provided by the user on the web form:
SELECT *
FROM transactions
WHERE account_number = '<number>'
There’s one more important fact you need to know: databases will
process multiple SQL statements submitted together in a single request,
provided that each one is terminated with a semicolon.
If the web application doesn’t perform proper input validation, the
user may be able to insert their own SQL code into the statement
executed by the web server. For example, if the user’s account number
is 145249, they could enter the following:
145249'; DELETE * FROM transactions WHERE 'a' = 'a
The web application would then obediently plug this into the <number>
field in the earlier SQL statement, resulting in the following:
SELECT *
FROM transactions
WHERE account_number = '145249'; DELETE * FROM transactions WHERE
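As an added illustration that is not part of the study guide, the following Python code puts the string-building lookup described above beside a parameterized and input-validated version, using the standard sqlite3 module and a constructed transactions table; the DELETE payload is the page's, adjusted to SQLite's DELETE FROM syntax because SQLite has no DELETE *.

```python
import sqlite3

# Constructed sample rows for the "transactions" table used in the page's example.
SAMPLE_ROWS = [
    ("145249", "2024-01-02", -40.00),
    ("145249", "2024-01-05", 1200.00),
    ("990011", "2024-01-03", -15.25),
]

# The page's crafted account number, adapted to SQLite syntax (no "DELETE *").
INJECTED_INPUT = "145249'; DELETE FROM transactions WHERE 'a' = 'a"


def fresh_db():
    """Return an in-memory database populated with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE transactions (account_number TEXT, posted TEXT, amount REAL)")
    con.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def row_count(con):
    """How many transactions survive; used to observe the side effect of each lookup."""
    return con.execute("SELECT COUNT(*) FROM transactions").fetchone()[0]


def lookup_vulnerable(con, number):
    """The pattern the page warns about: user input pasted into the query text.
    executescript() runs every ';'-separated statement, so the database sees
    whatever statement the user appended. Nothing is returned; the damage is
    visible through row_count()."""
    sql = f"SELECT * FROM transactions WHERE account_number = '{number}'"
    con.executescript(sql)


def lookup_parameterized(con, number):
    """Bind the value with a placeholder: the driver sends it separately from
    the SQL text, so the quote and semicolon are just characters in a string."""
    cur = con.execute("SELECT * FROM transactions WHERE account_number = ?", (number,))
    return cur.fetchall()


def lookup_hardened(con, number):
    """Defense in depth: reject anything that is not an account number before
    it reaches the database, then use the parameterized query."""
    if not number.isdigit():
        raise ValueError("account number must be numeric")
    return lookup_parameterized(con, number)
```

With the crafted input, the vulnerable lookup empties the table, while the parameterized lookup simply returns no rows and leaves every transaction in place.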