insecure code which creates a dynamic SQL statement by retrieving data from a query string:
Dim sql
sql = "SELECT [Title], [Description] FROM [Articles] WHERE [ArticleID] = " & _
Request.QueryString("articleId")
This code expects a query string parameter named articleId. While the developer may have provided a valid integer in the URLs on his website for this piece of code to work as expected, an attacker who sees this URL will try to exploit this weakness by injecting his own SQL statement(s) to view, update or delete the content in the developer's database. Nothing in the code checks that the value is an integer before it is concatenated into the SQL text, so whatever the attacker puts in the URL becomes part of the statement.
For example, all the attacker has to do to view the contents of the [dbo].[sysobjects] table is to set the value of the query string parameter to the following:
0 UNION SELECT [name], [xtype] FROM [dbo].[sysobjects] --
The 0 at the start effectively removes any rows being returned for the original query (assuming no article has an ID of 0), while the second statement, joined with the UNION keyword, appends data from the [dbo].[sysobjects] table to the returned record set. The UNION only succeeds because the injected SELECT returns the same number of columns (two) as the original query; an attacker who does not know the column count simply adjusts the payload until the database stops complaining. The trailing "--" starts a comment, which comments out any other SQL statement(s) the developer appended after the injected value. Thus the complete SQL statement that gets executed becomes the following:
SELECT [Title], [Description] FROM [Articles] WHERE [ArticleID] = 0 UNION SELECT [name], [xtype] FROM [dbo].[sysobjects] --
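The attack described above, reproduced as an added example that is not part of the original article: a Python script against an in-memory SQLite database. SQLite is assumed here so the demonstration runs offline; its sqlite_master catalog plays the role of SQL Server's [dbo].[sysobjects] (name and type standing in for [name] and [xtype]), and the Articles and Users tables with their rows are constructed sample data. The script contrasts the string-concatenated lookup from the article with a version that validates the type and binds the value as a parameter.

```python
import sqlite3

# Constructed sample schema: a stand-in for the [Articles] table in the article,
# plus a second table so the injected query has something to reveal.
SCHEMA = """
CREATE TABLE Articles (ArticleID INTEGER PRIMARY KEY, Title TEXT, Description TEXT);
CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, PasswordHash TEXT);
INSERT INTO Articles VALUES (1, 'Hello', 'First article');
INSERT INTO Articles VALUES (2, 'World', 'Second article');
"""

# The payload from the article, with sqlite_master (SQLite's catalog) standing in
# for [dbo].[sysobjects] and its (name, type) columns for ([name], [xtype]).
PAYLOAD = "0 UNION SELECT name, type FROM sqlite_master --"


def open_db():
    """Create the in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, article_id):
    """Mirror of the classic ASP code: the query-string value is concatenated
    straight into the SQL text, so it can change the statement's shape."""
    sql = "SELECT Title, Description FROM Articles WHERE ArticleID = " + article_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, article_id):
    """Hardened form: reject anything that is not a plain integer, then bind the
    value as a parameter so the driver never parses it as SQL."""
    if not article_id.isdigit():
        raise ValueError("articleId must be an integer")
    sql = "SELECT Title, Description FROM Articles WHERE ArticleID = ?"
    return conn.execute(sql, (int(article_id),)).fetchall()


def demo():
    """Run both lookups with a normal value and with the UNION payload and
    return the observations so they can be checked."""
    conn = open_db()
    result = {
        "normal": vulnerable_lookup(conn, "1"),
        # 0 matches no article, so only the injected SELECT contributes rows
        "injected": sorted(vulnerable_lookup(conn, PAYLOAD)),
        "safe_normal": safe_lookup(conn, "1"),
    }
    try:
        safe_lookup(conn, PAYLOAD)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload, the vulnerable lookup returns the catalog rows (the table names) instead of an article, while the hardened lookup refuses the value before it ever reaches the database. In classic ASP the same hardening is done by converting the value with CInt() and passing it through an ADODB.Command parameter rather than concatenating it; the point that carries over is that the value must reach the database as data, never as part of the statement text.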