The Anatomy of a Web Application – SQL Injection
A web application is the target of a SQL injection attack, so you must understand how these apps work. A web app can be described simply as an application that is accessed through a web browser or application (such as the apps on a smartphone). However, we need to be a little more detailed with our description in order to better understand SQL injection. In essence, a web application works by performing these steps:
- The user makes a request through the web browser from the Internet to the web server.
- The web server accepts the request and forwards it to the applicable web application server.
- The web application server performs the requested task.
- The web application accesses the entire database available and responds to the web server.
- The web server responds back to the user once the transaction is complete.
- The requested information appears on the user’s monitor. The details involved in these steps can change depending on the application involved.
Server-side vs. Client-side
First let’s look at the type of technologies involved in browsing and working with the Web. They mainly fall into two areas: client-side and server-side. Server-side technologies are those that run and are executed on the server itself before delivering information to the requester. Client-side technologies are those that run within the browser or somewhere on the client side. For the purposes of our discussion, we will not be covering client-side here.
Server-side technologies come in many varieties and types, each of which offers something specific to the user. Generally, each of the technologies allows for the creation of dynamic and data-driven web applications. There are a wide range of server-side technologies that you can use to create these types of web applications, among them:
- SQL Server
- IBM DB2
All of these technologies are powerful and offer the ability to generate web applications that are extremely versatile. Each also has vulnerabilities that can lead to them being compromised, but this chapter is not about those. This chapter, like SQL injection, is designed to target the code that is used to make the technologies access a database as part of its functioning. This code, when incorrectly crafted, can be scrutinized and result in vulnerabilities uncovered and exploited.