5a.6. SQL injection attacks without the web form

Now that you know some of the problems with the lookupCustomer.php script, let's see how PROJECT: CHAOS (or any other hacker) could exploit those problems and get the Break Neck customer list.

Your validation catches attacks through the Break Neck order form. Now, only real phone numbers can get through your validation. But clever hackers can send a POST request directly to your PHP script, without using the Break Neck order form at all. Nothing validates a request that takes that route, so a POST request sent directly to the PHP script can still have a SQL injection attack in it. These two POST requests are treated exactly the same by the Break Neck web server and PHP script.

[Figure: two POST requests arriving at lookupCustomer.php. Callouts: "Valid phone number from a customer. This request is OK, and can be handled normally by the PHP script." / "SQL injection attack from PROJECT: CHAOS. You need to add some form of security to prevent this request from causing damage." / "The PHP script and web server don't see a difference between POST requests sent from the web form, and POST requests that don't come through the form."]

Since lookupCustomer.php has no security, it will still return a complete customer list to a SQL injection attack that goes around the Break Neck web form. PROJECT: CHAOS gets the customer list... looks like more porn is gonna get sent to Break Neck customers.
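As an added example (not the book's own code), here is a server-side version of lookupCustomer.php that checks the phone number inside the script itself and runs the query as a prepared statement, so a request that skips the order form gets exactly the same treatment as one that comes through it. The `customers` table and its `phone`, `name` and `address` columns, the `phone` form field and the connection details are assumptions.

```php
<?php
// Added example: hardened lookupCustomer.php (hypothetical, not the book's script).
// Assumes a MySQL table `customers` with columns `phone`, `name`, `address`
// and a POSTed form field named `phone`. Connection values are placeholders.
declare(strict_types=1);

function normalize_phone(?string $raw): ?string {
    // Server-side validation: accept only a 10-digit phone number, whether the
    // request came from the Break Neck form or was sent straight to the script.
    // Anything else is rejected before it ever reaches SQL.
    if ($raw === null) {
        return null;
    }
    $digits = preg_replace('/[\s().-]/', '', $raw);
    return preg_match('/^\d{10}$/', $digits) === 1 ? $digits : null;
}

function lookup_customer(mysqli $db, string $phone): array {
    // Prepared statement: the phone value is bound as data, not pasted into the
    // query text, so it cannot change the structure of the SELECT.
    $stmt = $db->prepare('SELECT name, address FROM customers WHERE phone = ?');
    $stmt->bind_param('s', $phone);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$phone = normalize_phone($_POST['phone'] ?? null);
if ($phone === null) {
    http_response_code(400);
    exit('A valid 10-digit phone number is required.');
}

// Placeholder connection details; replace with real values.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$db->set_charset('utf8mb4');

foreach (lookup_customer($db, $phone) as $row) {
    // Escape output so a stored value cannot inject HTML into the page.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' - ',
         htmlspecialchars($row['address'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Because both the check and the query protection live in the script, the form's own validation becomes a convenience for users rather than the only barrier.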