2.7.3 SQL and LDAP Injection Attacks

A Structured Query Language (SQL) injection is a security exploit in which an attacker injects SQL commands as input data into an HTML form. SQL injection attacks are most common on ASP and PHP applications. The SQL commands read, modify, or destroy data in the database, give the attacker administrator rights, or perform malicious operations on the application. This can cause unintended behavior by the application.

Lightweight Directory Access Protocol (LDAP) injection attacks are similar to SQL injection attacks. LDAP injection is an attack used to exploit web-based applications that construct LDAP statements from user input. If a web application does not sanitize the user input before sending the query to the server and the attacker has injected malicious code, the attacker is given the ability to modify or delete anything in the LDAP tree.


Sometimes when an attacker launches SQL or LDAP injection attacks, the server responds with syntax error messages. The attacker may then launch Blind SQL or LDAP injection attacks by asking a series of true/false questions through SQL or LDAP statements to get the server to divulge information about itself that can be used against it.

Defensive programming, static source code analysis, and dynamic checks are techniques to prevent these types of attacks. It is critical that the HTML forms only allow normal text strings. All input data should be filtered, sanitized, and validated. If it is necessary to include special characters in input that is passed into an LDAP query, encoding and escaping them prevents the LDAP interpreter from treating those special characters as part of the LDAP query and makes it treat them as data instead. For SQL attacks, it is important to translate input containing escape characters that have a special meaning in SQL.
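As an added example, not taken from this text, the following Python sketch shows the two defenses this section describes: a SQL lookup written as vulnerable string concatenation beside its parameterized form, and an LDAP helper that escapes the filter metacharacters defined in RFC 4515 so the server treats them as data. The user table, its rows, and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory table standing in for the application's user store.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def lookup_unsafe(db, name):
    # Vulnerable: form input is pasted straight into the statement text,
    # so a quote character in the input changes the structure of the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, name):
    # Hardened: a bound parameter is always passed to the engine as data,
    # so the same input can never become part of the SQL statement.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

# LDAP search-filter metacharacters and their RFC 4515 escape sequences.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_ldap_filter_value(value):
    # Replace each metacharacter so the LDAP server reads it as a literal.
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def build_ldap_filter(uid):
    # Only the escaped value is interpolated into the filter (assumed attribute name).
    return "(uid=%s)" % escape_ldap_filter_value(uid)
```

Running both lookups on the same malformed input shows the difference: the concatenated query matches every row, while the parameterized query matches none.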

Escape characters are those that start a programming sequence so that the characters following them are interpreted differently from ordinary characters. The backslash (\) and caret (^) are examples of escape characters found in common programming languages.