SQL Injection Attack as a Threat of Web Portals

Theodoros Tzouramanis (University of the Aegean, Greece)
Copyright: © 2007 | Pages: 7
DOI: 10.4018/978-1-59140-989-2.ch157

Abstract

SQL injection attack (CERT, 2002) is one of the most prevalent security problems faced by today’s security professionals. It is today the most common technique for indirectly attacking Web-powered databases and effectively dismantling the secrecy, integrity and availability of Web portals. The basic idea behind this insidious and pervasive attack is that predefined logical expressions within a predefined query can be altered simply by injecting operations that always result in true or false statements. With this simple technique, the attacker can run arbitrary SQL queries and thus extract sensitive customer and order information from e-commerce applications, or bypass strong security mechanisms and compromise the back-end databases and the file system of the data server. Despite these threats, a surprisingly high number of systems on the Internet are totally vulnerable to this attack.
