1
00:00:00,300 --> 00:00:02,050
SQL Injection.

2
00:00:02,050 --> 00:00:03,640
What is SQL?

3
00:00:03,640 --> 00:00:07,280
SQL, or Sequel, stands for the structured query language.

4
00:00:07,280 --> 00:00:09,660
And it's the way that a web application communicates

5
00:00:09,660 --> 00:00:12,670
to a database server to ask for information.

6
00:00:12,670 --> 00:00:14,640
Because this is the language used to communicate

7
00:00:14,640 --> 00:00:17,150
with the databases and the databases hold lots

8
00:00:17,150 --> 00:00:18,550
of valuable information,

9
00:00:18,550 --> 00:00:21,300
this has become a popular target for attacks.

10
00:00:21,300 --> 00:00:24,030
This brings us to the concept of an SQL Injection,

11
00:00:24,030 --> 00:00:26,840
which is an attack consisting of the insertion or injection

12
00:00:26,840 --> 00:00:29,349
of an SQL query via input data form

13
00:00:29,349 --> 00:00:32,450
that the client sends to the web application.

14
00:00:32,450 --> 00:00:34,690
SQL injections are just a specific type

15
00:00:34,690 --> 00:00:36,140
of code injection, though.

16
00:00:36,140 --> 00:00:38,370
A generalized injection attack is the insertion

17
00:00:38,370 --> 00:00:41,220
of additional information or code through data input

18
00:00:41,220 --> 00:00:43,540
from a client to an application.

19
00:00:43,540 --> 00:00:46,750
This code injection can occur using any type of code, though.

20
00:00:46,750 --> 00:00:49,730
But the most common are SQL, HTML,

21
00:00:49,730 --> 00:00:52,230
XML, and LDAP injections.

22
00:00:52,230 --> 00:00:55,449
By far though, SQL injections are by far the most common.

23
00:00:55,449 --> 00:00:58,210
And so we're going to talk about that in this lesson

24
00:00:58,210 --> 00:00:59,500
as we go through.

25
00:00:59,500 --> 00:01:02,440
Just as SQL injections are used to insert SQL statements

26
00:01:02,440 --> 00:01:04,620
into a web application, these other types

27
00:01:04,620 --> 00:01:07,480
of code injection can also be used as an attack method, too.

28
00:01:07,480 --> 00:01:09,060
And so keep that in mind.

29
00:01:09,060 --> 00:01:12,090
Now, before we start to discuss how an SQL injection works,

30
00:01:12,090 --> 00:01:14,610
it's important to know how a normal SQL query

31
00:01:14,610 --> 00:01:16,310
or request is performed.

32
00:01:16,310 --> 00:01:18,740
Let's pretend that you wanted to log into this website.

33
00:01:18,740 --> 00:01:20,610
First, you have to enter your username.

34
00:01:20,610 --> 00:01:22,180
So, I'm going to enter jason as mine

35
00:01:22,180 --> 00:01:23,800
and then you have to enter your password.

36
00:01:23,800 --> 00:01:26,490
So, I'm going to enter my oh so super secure password

37
00:01:26,490 --> 00:01:29,140
of pass123, for this example.

38
00:01:29,140 --> 00:01:31,350
With both of those entered in, I go and click

39
00:01:31,350 --> 00:01:32,400
on the Login button,

40
00:01:32,400 --> 00:01:34,630
and the website will send my username and password

41
00:01:34,630 --> 00:01:36,320
to the database to verify

42
00:01:36,320 --> 00:01:39,790
if the username matches the password stored in the database.

43
00:01:39,790 --> 00:01:43,270
This is done by sending a SQL or structured query that says

44
00:01:43,270 --> 00:01:46,440
select any records from the user table in the database

45
00:01:46,440 --> 00:01:48,340
where the user_id = 'jason',

46
00:01:48,340 --> 00:01:51,160
and the password = 'pass123'.

47
00:01:51,160 --> 00:01:53,390
So, if the query finds a record in the table

48
00:01:53,390 --> 00:01:55,250
that has both the username of jason

49
00:01:55,250 --> 00:01:57,600
and the password of pass123,

50
00:01:57,600 --> 00:02:00,270
it's going to return the value of true to the web application.

51
00:02:00,270 --> 00:02:01,700
And the web application can perform

52
00:02:01,700 --> 00:02:03,810
whatever the next action it's supposed to do is.

53
00:02:03,810 --> 00:02:05,800
In this case, it logs me into the website

54
00:02:05,800 --> 00:02:09,520
and displays whatever the authenticated user homepage is.

55
00:02:09,520 --> 00:02:12,150
Now, if the username and password combination weren't found

56
00:02:12,150 --> 00:02:14,230
in that database table called users,

57
00:02:14,230 --> 00:02:15,890
then it's going to return false,

58
00:02:15,890 --> 00:02:17,460
and the web application would give me some kind

59
00:02:17,460 --> 00:02:20,510
of a message saying please enter your password again.

60
00:02:20,510 --> 00:02:22,280
This is how it's supposed to work.

61
00:02:22,280 --> 00:02:24,810
But how does it work with an SQL injection?

62
00:02:24,810 --> 00:02:26,760
Let's try logging into this website again.

63
00:02:26,760 --> 00:02:29,870
But this time, I'm going to perform an SQL injection.

64
00:02:29,870 --> 00:02:31,810
So, we go back to the Login page,

65
00:02:31,810 --> 00:02:34,420
and I'm going to enter the username of jason once more.

66
00:02:34,420 --> 00:02:36,580
Then instead of entering my password,

67
00:02:36,580 --> 00:02:38,370
I'm going to enter the Escape character,

68
00:02:38,370 --> 00:02:40,220
which is a backward single quote mark,

69
00:02:40,220 --> 00:02:42,879
and the statement, `OR 1=1;.

70
00:02:42,879 --> 00:02:45,910
Now, this isn't my password, obviously.

71
00:02:45,910 --> 00:02:47,860
But instead, this is some code that I'm trying

72
00:02:47,860 --> 00:02:49,929
to inject into the SQL statement

73
00:02:49,929 --> 00:02:52,840
that the web application is going to send to the database

74
00:02:52,840 --> 00:02:53,960
when I click Login.

75
00:02:53,960 --> 00:02:55,700
So, let's click the Login button,

76
00:02:55,700 --> 00:02:58,130
and you can now see the full SQL statement

77
00:02:58,130 --> 00:02:59,760
that the web application has generated

78
00:02:59,760 --> 00:03:01,660
and sent to the database.

79
00:03:01,660 --> 00:03:04,940
Select any records from the user table in the database

80
00:03:04,940 --> 00:03:07,330
where the user_id = 'jason'.

81
00:03:07,330 --> 00:03:09,020
So far, this is the same

82
00:03:09,020 --> 00:03:11,530
as our earlier legitimate login attempt.

83
00:03:11,530 --> 00:03:16,530
And where the password = '` OR 1=1 ;'.

84
00:03:17,157 --> 00:03:18,950
What is happening here?

85
00:03:18,950 --> 00:03:20,560
Well, this is showing us

86
00:03:20,560 --> 00:03:22,760
that the statement is now being sent to the database,

87
00:03:22,760 --> 00:03:24,770
but when it reaches that Escape character,

88
00:03:24,770 --> 00:03:26,470
that backward single quote,

89
00:03:26,470 --> 00:03:28,110
it's going to treat everything after it

90
00:03:28,110 --> 00:03:30,030
as a command to process.

91
00:03:30,030 --> 00:03:32,690
This changes the context of the initial query.

92
00:03:32,690 --> 00:03:34,530
Instead of saying Jason's username

93
00:03:34,530 --> 00:03:37,520
and his password are the same as the one in the database

94
00:03:37,520 --> 00:03:39,780
and therefore you accept it, it's now asking,

95
00:03:39,780 --> 00:03:42,480
is Jason's username the same one in the database,

96
00:03:42,480 --> 00:03:47,480
and is his password either password or does 1=1?

97
00:03:48,250 --> 00:03:49,550
Now, notice the difference here

98
00:03:49,550 --> 00:03:51,970
because this is the key to an SQL injection.

99
00:03:51,970 --> 00:03:54,520
The first login we did is only going to give us

100
00:03:54,520 --> 00:03:55,360
a true statement

101
00:03:55,360 --> 00:03:57,910
if I correctly enter the username and password

102
00:03:57,910 --> 00:03:59,790
that match what was already stored in the database.

103
00:03:59,790 --> 00:04:01,130
That's what should happen.

104
00:04:01,130 --> 00:04:02,850
But in the second statement,

105
00:04:02,850 --> 00:04:05,650
the one I modified using my SQL injection,

106
00:04:05,650 --> 00:04:08,330
it's going to become true as long as I entered a username

107
00:04:08,330 --> 00:04:09,650
that was in the database,

108
00:04:09,650 --> 00:04:14,650
and either the correct password, or 1=1.

109
00:04:14,790 --> 00:04:16,290
Now, I don't know where you come from,

110
00:04:16,290 --> 00:04:19,470
but where I come from, 1=1 every single second

111
00:04:19,470 --> 00:04:20,890
of every single day.

112
00:04:20,890 --> 00:04:23,610
So this statement is always going to return a true value

113
00:04:23,610 --> 00:04:25,050
to the web application.

114
00:04:25,050 --> 00:04:27,960
And I'm instantly going to be logged in to that website.

115
00:04:27,960 --> 00:04:30,870
So, without entering the proper username and password,

116
00:04:30,870 --> 00:04:32,690
you now have been granted access.

117
00:04:32,690 --> 00:04:35,600
This is not good for security, as you can guess.

118
00:04:35,600 --> 00:04:38,000
So how are we going to prevent this from happening?

119
00:04:38,000 --> 00:04:41,250
Well, SQL injection and code injections can be prevented

120
00:04:41,250 --> 00:04:44,510
very easily if you do proper input validation

121
00:04:44,510 --> 00:04:46,460
and use the concept of least privilege

122
00:04:46,460 --> 00:04:49,620
when you're accessing a database from a web application.

123
00:04:49,620 --> 00:04:52,360
By validating the input from the username and password boxes

124
00:04:52,360 --> 00:04:54,790
that I entered, the web application could have detected

125
00:04:54,790 --> 00:04:57,430
that Escape character and simply given me an error

126
00:04:57,430 --> 00:04:59,410
instead of allowing that code to be sent

127
00:04:59,410 --> 00:05:02,150
to the database as part of the SQL statement.

128
00:05:02,150 --> 00:05:04,860
This is why input validation is so important

129
00:05:04,860 --> 00:05:06,590
to the security of our applications,

130
00:05:06,590 --> 00:05:09,478
and why a programmer should never ever trust any input

131
00:05:09,478 --> 00:05:12,880
received from a user inside of their programs.

132
00:05:12,880 --> 00:05:15,800
Always validate the data you receive from a user first.

133
00:05:15,800 --> 00:05:18,160
This will help you prevent all kinds of code injections

134
00:05:18,160 --> 00:05:22,300
like SQL injections, HTML injections, XML injections,

135
00:05:22,300 --> 00:05:25,400
and LDAP code injections from being successful.

136
00:05:25,400 --> 00:05:28,130
Now, for the exam, any time you see a question

137
00:05:28,130 --> 00:05:31,670
that shows something like an `OR 1=1, or any other statement

138
00:05:31,670 --> 00:05:33,610
that will always return a true value,

139
00:05:33,610 --> 00:05:35,650
it's going to be an SQL injection.

140
00:05:35,650 --> 00:05:40,580
I don't care if it says 7=7, 123=123, or whatever,

141
00:05:40,580 --> 00:05:43,270
if you see something like this on the certification exam,

142
00:05:43,270 --> 00:05:44,270
you know automatically,

143
00:05:44,270 --> 00:05:46,290
they're talking about an SQL injection.

144
00:05:46,290 --> 00:05:49,320
And you should perform input validation to prevent it.

145
00:05:49,320 --> 00:05:51,620
Databases are critical to our web applications,

146
00:05:51,620 --> 00:05:54,170
and SQL itself isn't a bad thing.

147
00:05:54,170 --> 00:05:56,740
Used properly, it's how we can retrieve information

148
00:05:56,740 --> 00:06:00,540
from our databases and store information into our databases.

149
00:06:00,540 --> 00:06:03,000
Just remember to always secure your databases

150
00:06:03,000 --> 00:06:05,110
and validate the statements being sent to them

151
00:06:05,110 --> 00:06:06,850
from your web applications.

152
00:06:06,850 --> 00:06:09,870
In the next lesson, I'm going to show you a full demonstration

153
00:06:09,870 --> 00:06:12,710
of how an SQL injection can be used to get all sorts

154
00:06:12,710 --> 00:06:14,440
of information out of the database,

155
00:06:14,440 --> 00:06:17,180
including people's usernames and their passwords.

156
00:06:17,180 --> 00:06:19,500
Understanding this demonstration is not required

157
00:06:19,500 --> 00:06:22,050
for the Security+ exam, but it is quite interesting

158
00:06:22,050 --> 00:06:25,033
to see how these attacks unfold in the real world.