How to do SQL injection attack in Node.js

Introduction

SQL injection is a common security vulnerability in web applications that allows an attacker to execute malicious SQL queries by manipulating user input. To demonstrate an SQL injection vulnerability in a Node.js application, we can use the following example:

Suppose we have a simple Node.js application that retrieves user data from a MySQL database based on user input:

const mysql = require('mysql');
const express = require('express');
const app = express();

const db = mysql.createConnection({
    host: 'localhost',
    user: 'root',
    password: 'password',
    database: 'mydb'
});

// VULNERABLE: the id parameter is interpolated straight into the SQL string.
app.get('/users', (req, res) => {
    const userId = req.query.id;
    const query = `SELECT * FROM users WHERE id = '${userId}'`;
    db.query(query, (err, results) => {
        // Respond with an error instead of throwing inside the callback,
        // which would crash the whole process.
        if (err) return res.status(500).send('Database error');
        res.send(results);
    });
});

app.listen(3000, () => {
    console.log('Server started on port 3000');
});

In this example, we have an endpoint /users that retrieves user data from the users table in a MySQL database based on the id parameter passed in the request. The id parameter is used in an SQL query without any validation or sanitization, which makes the application vulnerable to SQL injection attacks.

For example, an attacker can send a malicious request like http://localhost:3000/users?id=1'; DROP TABLE users; -- which would result in the following SQL query being executed:

SELECT * FROM users WHERE id = '1'; DROP TABLE users; -- '

This query would not only retrieve the data for the user with id 1, but also delete the entire users table due to the appended DROP TABLE statement. The -- comments out the rest of the original query (here the closing quote), which prevents a syntax error from occurring.

To prevent SQL injection attacks, it's important to validate and sanitize user input before using it in SQL queries. One way to do this in Node.js is to use parameterized queries, which allow user input to be passed as parameters to the query instead of embedding it directly in the SQL string. Here's how the above example looks with a parameterized query:

// SAFE: the value is passed separately and bound to the ? placeholder.
app.get('/users', (req, res) => {
    const userId = req.query.id;
    const query = 'SELECT * FROM users WHERE id = ?';
    db.query(query, [userId], (err, results) => {
        // Respond with an error instead of throwing inside the callback,
        // which would crash the whole process.
        if (err) return res.status(500).send('Database error');
        res.send(results);
    });
});

In this modified example, we use a parameterized query by replacing the user input with a question mark ? placeholder in the SQL query. We then pass the user input as an array to the db.query() method, which escapes the value so that it is treated as data rather than as part of the SQL statement, and so prevents SQL injection attacks.
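To make the mechanism concrete, here is an added example (not code from the post or from the mysql project) that re-creates, in a small subset, the client-side escaping the mysql package performs when it substitutes ? placeholders, and adds an integer check for id as a second layer. The PAYLOAD constant is the post's request value; the function names and the integer rule are my own assumptions.

```javascript
// Added example: a minimal re-creation of the client-side escaping `mysql` applies for `?`.

// Constructed input: the exact request value used in the post.
const PAYLOAD = "1'; DROP TABLE users; --";

// The post's vulnerable builder: raw string interpolation.
function buildUnsafeQuery(userId) {
  return `SELECT * FROM users WHERE id = '${userId}'`;
}

// Subset of sqlstring.escape(): backslash-escape the characters that can break out
// of a quoted literal, then wrap the result in single quotes.
function escapeValue(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') return String(value);
  const escaped = String(value).replace(/[\0\b\t\n\r\x1a"'\\]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // quotes and backslash
    }
  });
  return `'${escaped}'`;
}

// What db.query(sql, values) does before sending: each ? becomes an escaped value.
function formatQuery(sql, values) {
  let i = 0;
  return sql.replace(/\?/g, () => escapeValue(values[i++]));
}

// The post's fixed builder, expressed with the formatter above.
function buildSafeQuery(userId) {
  return formatQuery('SELECT * FROM users WHERE id = ?', [userId]);
}

// Defence in depth (assumed rule): an id must be a plain integer, so reject anything
// else with a 400 before it reaches the database. Returns null for rejected input.
function parseUserId(raw) {
  return typeof raw === 'string' && /^\d{1,18}$/.test(raw) ? Number(raw) : null;
}

// Note: the mysql driver rejects stacked statements unless multipleStatements: true is
// set, so the DROP TABLE in the post fails by default. That is not a defence: any
// quote-breaking input still rewrites the WHERE clause of the unsafe query.
```

With the payload, the unsafe builder yields exactly the query shown above, while the safe builder yields a single harmless string literal in the WHERE clause.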
