Section 5a.6. SQL injection attacks without the web form
Now that you know some of the problems with the lookupCustomer.php script, let's see how PROJECT: CHAOS (or any other hacker) could exploit those problems and get the Break Neck customer list.

Your validation catches attacks through the Break Neck order form.

Now, only real phone numbers can get through your validation.

These two POST requests are treated exactly the same by the Break Neck web server and PHP script.

Clever hackers can send a POST request directly to your PHP script, without using the Break Neck order form at all.

There's no input validation, so a POST request sent directly to the PHP script can still have a SQL injection attack in it.

PROJECT: CHAOS

This request is OK, and can be handled normally by the PHP script.

Valid phone number from a customer

The PHP script and web server don't see a difference between POST requests sent from the web form, and POST requests that don't come through the form.

lookupCustomer.php

SQL injection attack from PROJECT: CHAOS

You need to add some form of security to prevent this request from causing damage.

Since lookupCustomer.php has no security of its own, it will still return the complete customer list to a SQL injection attack that goes around the Break Neck web form.

PROJECT: CHAOS gets the customer list... looks like more porn is gonna get sent to Break Neck customers.
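Here is an added example (not the book's own lookupCustomer.php) that shows both sides of this page: a lookup that splices the POSTed phone number straight into SQL, and the same lookup with server-side validation and a bound parameter. It assumes an in-memory SQLite table standing in for the Break Neck customer database, a constructed set of customers, and a phone format of `NNN-NNNN`.

```php
<?php
// Constructed stand-in for the Break Neck customer table (in-memory SQLite, runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (name TEXT, phone TEXT)');
$db->exec("INSERT INTO customers VALUES ('Alice', '555-1234'), ('Bob', '555-9876')"); // sample rows

// Vulnerable lookup: trusts $_POST['phone'] and builds the SQL string from it.
// A POST request crafted by hand never ran the form's JavaScript check, so this
// function sees whatever the sender typed.
function lookupVulnerable(PDO $db, string $phone): array {
    $sql = "SELECT name, phone FROM customers WHERE phone = '$phone'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup: repeat the phone-number check on the server, where it cannot
// be skipped, and bind the value so it can never change the shape of the query.
function lookupHardened(PDO $db, string $phone): array {
    if (!preg_match('/^\d{3}-\d{4}$/', $phone)) {   // assumed phone format
        return [];                                    // reject before any SQL runs
    }
    $stmt = $db->prepare('SELECT name, phone FROM customers WHERE phone = :phone');
    $stmt->execute([':phone' => $phone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$fromForm = '555-1234';        // what the validated order form would send
$direct   = "' OR '1'='1";     // constructed payload in a POST that bypassed the form

print_r(lookupVulnerable($db, $fromForm)); // one matching customer
print_r(lookupVulnerable($db, $direct));   // every customer: the WHERE clause is now always true
print_r(lookupHardened($db, $direct));     // empty array: server-side validation stops it
print_r(lookupHardened($db, $fromForm));   // one matching customer, as before
```

Even with the regex removed, the bound parameter in lookupHardened keeps the payload as a literal phone value that matches nothing; the validation and the parameter binding each close the hole on their own, and together they also give you a place to log the rejected request.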


Head Rush Ajax (Head First)
ISBN: 0596102259
Year: 2004
Pages: 241