The most commonly used attack on a database-backed login system is the so-called "SQL injection attack". Many login validation functions check access with a query built like the one below:
"SELECT COUNT(login) " & _
"FROM usertable " & _
"WHERE login = '" & login & "' AND password = '" & password & "'"
Here, login and password are the values exactly as retrieved from the user input textboxes. If the login/password combination is found in the database, the result is not 0 and the user gets access; otherwise, he does not.
I bet 70%-80% of web developers simply base their login system on a similar query. The message to these developers is: WATCH OUT. Your site is as secure as a safe with an open door! Why? As long as the user is computer illiterate, you are safe. However, fewer and fewer people are. When you are dealing with a user with advanced computer knowledge, or someone with malicious intentions (the two should not be confused!), your login system is just a minor annoyance.
Suppose a user trying to get in has no valid login/password, but wants access to your system. He could try every possible combination of usernames and passwords until he gets lucky. This is called a "stupid hacker". The number of possible combinations is far too large to get a result in an acceptable amount of time, so this is not a very practical approach.
Suppose the user is smart. Instead of the trial-and-error method, he has a more advanced approach. Suppose he inserts this data in the login screen:
- Login: ' OR 1=1 OR login='
- Password: ' OR 1=1 OR password='
This would result in this query:
SELECT COUNT(login)
FROM usertable
WHERE login = '' OR 1=1 OR login = '' AND
      password = '' OR 1=1 OR password = ''
The result of this query is... the number of users in the database. Since 1=1 is always true, every row matches. If the check only refuses access when the result is 0 (i.e., no user is found), the user gets access to the system.
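The following is an added example, not code from the original article. It rebuilds the article's login check against a constructed in-memory SQLite table so the effect of the input above can be observed, and puts the parameterized version that closes the hole next to it. The table name, column names and sample users are assumptions made for the demonstration; the plaintext password column mirrors the article's query and is not a recommendation.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the article): three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (login TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO usertable VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")],
    )
    return conn


def vulnerable_count(conn, login, password):
    """The article's approach: user input is pasted into the SQL text.
    Quote characters in the input therefore change the query itself."""
    sql = (
        "SELECT COUNT(login) FROM usertable WHERE login = '"
        + login
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone()[0]


def safe_count(conn, login, password):
    """Parameterized query: the values travel separately from the SQL
    text, so the input is compared as data and never parsed as SQL."""
    sql = "SELECT COUNT(login) FROM usertable WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0]


def grants_access(count):
    """The article's decision rule: anything other than 0 means 'logged in'."""
    return count != 0


if __name__ == "__main__":
    conn = make_db()
    # The article's input: a quote closes the string, 1=1 matches every row.
    login_input = "' OR 1=1 OR login='"
    password_input = "' OR 1=1 OR password='"
    print("concatenated :", vulnerable_count(conn, login_input, password_input))  # 3 (all users)
    print("parameterized:", safe_count(conn, login_input, password_input))      # 0
```

With string concatenation the count equals the number of rows in the table, so the `count != 0` rule lets the request through; with the parameterized query the same two strings are looked up literally, no row matches, and the count is 0. The fix is in how the query is sent to the database, not in the decision rule, which is why validating the input more strictly is no substitute for parameterization.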
This is an example of an "SQL injection attack". The number of websites vulnerable to this type of attack is enormous. In this example, I used a query that grants access to the website. However, the malicious user might just as well delete information from the database, stop your database server, read information out of the database (login names, passwords, credit card details, ...), create a new account without the administrator's knowledge, ... Not scared yet? If the online system accesses your business software/database directly, he can corrupt every record in your database. For small companies without a decent backup and recovery system, this can cause bankruptcy. For better equipped companies, it can still harm their business (data between the last backup and the current moment can be lost). This assumes the problem is discovered immediately. If the damage is not very visible to the company, it may well take weeks or months before it is discovered. Think about the consequences for your company if this happens.