Are you an EPFL student looking for a semester project?
Work with us on data science and visualisation projects, and deploy your project as an app on top of Graph Search.
Concept
SQL injection
Summary
In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. Document-oriented NoSQL databases can also be affected by this security vulnerability.
In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.
The first public discussions of SQL injection started appearing around 1998; for example, a 1998 article in Phrack Magazine.
SQL injection (SQLI) was considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project. In 2013, SQLI was rated the number one attack on the OWASP top ten. There are four main sub-classes of SQL injection:
Classic SQLI
Blind or Inference SQL injection
Database management system-specific SQLI
Compounded SQLI
SQL injection + insufficient authentication
SQL injection + DDoS attacks
SQL injection + DNS hijacking
SQL injection + XSS
The Storm Worm is one representation of Compounded SQLI.
This classification represents the state of SQLI, respecting its evolution until 2010—further refinement is underway.
Official source
About this result
This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.
Ontological neighbourhood
Related courses (2)
COM-301: Computer security and privacy
This is an introductory course to computer security and privacy. Its goal is to provide students with means to reason about security and privacy problems, and provide them with tools to confront them.
NX-422: Neural interfaces
Neural interfaces (NI) are bioelectronic systems that interface the nervous system to digital technologies. This course presents their main building blocks (transducers, instrumentation & communicatio
Related lectures (32)
Software Security: Memory Safety and Execution Attacks
Covers memory safety, execution attacks, vulnerabilities, and defense mechanisms in software security.
Web and Software Bugs
Explores vulnerabilities in web and software applications, discussing broken access control, injection flaws, and defense strategies like DEP and ASLR.
Encapsulation: BCI
Covers the properties of Parylene, hermeticity, thin film encapsulation, conductive coatings, and electrode arrays.
Related publications (56)
Related people (10)
Related units (2)
Related concepts (12)
Vulnerability (computing)
Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
Security hacker
A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system weaknesses to assist in formulating defenses against potential hackers. Longstanding controversy surrounds the meaning of the term "hacker.
Code injection
Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate. Code injection vulnerabilities occur when an application sends untrusted data to an interpreter.