Since 1 is always equal to 1 and the attacker has used the Boolean operator OR, every
row is going to return a
true
. The Boolean OR says that if either side of the OR is true,
the entire statement is true. This means that every row is going to be evaluated
against that query, and the 1 = 1 is always going to return a
true
so the entire state‐
ment will evaluate to true and the row will be returned.
This is a simplistic example. Often mitigations are in place for simple attacks like this,
but the concept remains the same. The attacker submits SQL into a form field some‐
where, expecting that what is entered will make it all the way to the database to be
executed there. That’s a SQL injection attack—injecting SQL statements that are syn‐
tactically correct and accurate into the input stream, hoping to have that SQL exe‐
cuted by the database server to accomplish some result. Using a SQL injection attack,
the attacker could insert data, delete data, gain access to the application by forcing a
bogus login to return
true
, or perhaps even get a backdoor installed on the target
machine.
XML Entity Injection
At their core, all injection attacks are the same. The attacker is sending something
into the input stream, hoping that the application will process it in the way the
attacker wants. In this case, the attacker is using the fact that applications will often
use XML to transmit data from the client to the server. Applications do this because it
allows for structured, complex data to be sent in a single bundle rather than as a para‐
meterized list. The problem comes with how the XML is processed on the server side.
Asynchronous JavaScript and XML (Ajax) is how web applications
get around the fact that HTTP and HTML alone, as web servers
were originally intended to work, require the user to initiate a
request. This happens by going directly to a URL or clicking a link
or a button. Application developers needed a way for the server to
be able to send data to the user without the user initiating the
request. Ajax handles this problem by placing JavaScript in the
page that then runs inside the browser. The script handles making
the requests in order to keep refreshing the page if the data on it is
prone to constant change.
These injection attacks end up working because of something called an
XML external
entity
(XXE). In the XML being sent to the server, there is a reference to something
within the operating system. If the XML parser is improperly configured and allows
these external references, an attacker can get access to files or other systems inside the
network.
Example 8-1
shows a sample of XML that could be used to return a file on
the system that’s handling the XML.
