View and submit bids for ongoing refinery projects.
12
Approved Projects
Track the status of your awarded contracts.
8
Performance Analytics
Review your historical performance data.
High
Notifications
Important updates and new tender alerts.
5
Upload Documents
Securely upload compliance and tender documents.
Ready
Support
Contact our support team for assistance.
Online
SQL Injection Demonstration
ProcureNet Vendor Login
Try: admin'-- for username
Behind the Scenes: The Vulnerability
1. The Vulnerable Server-Side Code:
// (Simplified server-side code example, e.g., Node.js with SQL)
const username = req.body.username; // User input directly
const password = req.body.password;
// VULNERABLE LINE: Concatenating input directly into the SQL string
const sqlQuery = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "';";
// In a real app, this query would be executed against the database
// e.g., database.query(sqlQuery);
Problem: The red line shows user input (`username`) being directly inserted into the SQL query string. This is called **string concatenation** and is the root cause of SQL Injection.
2. How 'admin'-- Exploits It:
-- If user enters: admin'--
-- The database receives this query:
SELECT * FROM users WHERE username = 'admin''-- AND password = 'any_password';
The first ' (single quote) you type closes the username field's quote.
The `--` (double hyphen) is a SQL comment. It tells the database to ignore everything that follows on that line, including the original password check.
Result: The query becomes `SELECT * FROM users WHERE username = 'admin'`, effectively logging you in as 'admin' without needing a password.
3. The Secure Way: Prepared Statements
// (Secure server-side code example)
const username = req.body.username;
const password = req.body.password;
// SECURE WAY: Using placeholders (?) and parameters
const sqlQuery = "SELECT * FROM users WHERE username = ? AND password = ?;";
// Database driver handles parameter binding safely.
// Input is treated as data, never as executable code.
database.execute(sqlQuery, [username, password]);
With Prepared Statements, placeholders (`?`) are used in the query. The user input is passed separately as parameters. The database understands these parameters are *values*, not part of the SQL command, preventing injection.
Unauthorized Access Granted!
Welcome, Attacker. You have successfully bypassed the login and gained access to sensitive data.
SQL Injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It allows the attacker to view data that they are not normally able to retrieve, or even modify or delete data, and in some cases, issue commands to the operating system.
In this demonstration, the attacker exploited a vulnerable login form on a simulated industrial platform by injecting a malicious string into the username field. This manipulated the database query, allowing them to bypass authentication and access highly confidential operational data.
How to Protect Against SQL Injection
Prepared Statements (Parameterized Queries):
This is the most effective defense. Instead of directly embedding user input into SQL queries, prepared statements treat user input as data, not as executable code. The database engine then handles the input safely.
// Example (conceptual, not runnable JS)
// const username = userInput;
// const password = userPass;
// const query = "SELECT * FROM vendors WHERE username = ? AND password = ?";
// database.execute(query, [username, password]); // Parameters are sent separately
Input Validation:
Validate and sanitize all user-supplied input on both the client-side (for user experience) and, more importantly, the server-side. This includes checking data types, lengths, formats, and escaping special characters.
Principle of Least Privilege:
Configure database users with the minimum necessary permissions. If an attacker gains access, their capabilities will be limited, reducing the potential damage.
Web Application Firewalls (WAFs):
A WAF can help filter and block malicious traffic, including common SQL injection patterns, before they reach your application.
Error Handling:
Avoid displaying verbose database error messages to users, as these can provide valuable information to an attacker. Log errors internally instead.
Regular Security Audits & Penetration Testing:
Periodically review your code and conduct penetration tests to identify and fix vulnerabilities before they can be exploited by malicious actors.