Forristal documented a Microsoft SQL server in which he was able to gain access to previously protected user information, such as names, phone numbers, addresses, and more through the use of normal user inputs within the data fields. The first SQL injection attack documented was by “,” also known as Jeff Forristal in 1998. Because of this, SQL injection was considered to be one of the top 10 web application vulnerabilities of both 20 by OWASP, making it a severe security threat that could be universally applied. Even though each was designed with a unique purpose in mind, all forms allow you to execute queries, retrieve data, and update records within a database setting. Over time, there have been many forms of SQL that have developed over the years, such as MySQL, NoSQL, SQL Server, etc. Developed by Donald Chamberlin and Raymond Boyce in IBM in 1970, SQL (originally created as Structured English Query Language (SEQUEL)) was created in order to interact with IBM’s System R, which was a primitive version of the types of databases that we see today. SQL, also known as Structured Query Language, is a language that allows you to access and manipulate databases that store data. Burp Suite allows the user to (in this use case) modify packet requests to modify and execute commands on the SQL database table, which is used and abused. I was able to replicate an SQL injection on a DVWA to prove this methodology, then I was able to, through research, show how the existence of this vulnerability allowed me to obtain sensitive information quickly and easily through the use of the program Burp Suite. The existence of this vulnerability allows for multiple different attacks on a target, such as privilege escalation, data modification, table destruction, and taking full control of the database server itself. Given certain inputs, an attacker is able to bypass query validation and obtain unprivileged access to sensitive information. SQL injection vulnerabilities occur when any given user is able to access and manipulate data entry that is connected to SQL queries within an uncontrolled space.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |