

There are many ways to explain SQL Injection, and the “best” way is clearly
determined by who you’re talking to. For somewhat technical folks, I like
my friend Steve’s explanation; otherwise, I use the explanation below.
Two Key Concepts
SQL Injection is a computer security vulnerability where two bad things are
happening at once: the Confused Deputy problem and the confusion between
Data and Commands.
- Confused Deputy is a security problem where someone wants to accomplish
  something they don’t have the permission to do, and they find a way to
  trick someone who does have the authority into doing it for them. A good
  example would be sneaking a gun into the bag of an airport worker (who
  bypasses security) and then retrieving it later behind the security
  barrier. You got the gun past security by using the authority of the
  airport worker.
- The confusion of Data vs. Commands is easy enough to see with a couple of
  examples. We give computers lots of different inputs: sometimes we give
  them data: “My address is ‘123 Maple Street’”, and sometimes we give them
  commands, like, “print this photo” or “send this file”. The problem arises
  when the computer thinks it’s getting data (like an address), but it
  really gets a command (like ‘delete the hard drive’).
SQL Injection is a combination of these two issues.
The Courtroom Analogy
The best way to conceptualize this is through the analogy of a courtroom.
Imagine that a defendant and a judge are present, and that the first thing
the judge does at the beginning of a case is read the roster where the
defendant wrote his name. He says:
Calling $DEFENDANT_NAME.
So if his name is Ender Wiggin, the judge would say:
Calling…Ender Wiggin.
Fair enough. But what happens if Ender writes his name as, “Case Dismissed”?
Then, when the judge does his regular spiel, he’d say:
Calling…Case Dismissed.
Ender then smiles and walks out of the courtroom.
This is confusion of Data and Commands because the judge thought he was
reading a name (data) and instead issued a command (dismiss
the case), and it’s the Confused Deputy problem because Ender is not himself
able to dismiss it–he had to get the judge to do it for him.
Real World
It’s the same with computers and web pages.
- There is often confusion between Data and Commands in a web page that
  asks for an address (data) but receives a SQL command instead (e.g., “get
  me stuff from your database”).
- Confused Deputy is in play because you (the web user) are not allowed to
  ask the database direct questions, but the web page you just gave your
  command to is.
Either way, Ender gets what he wants: out of jail or access to data he’s not
supposed to have. Slippery bugger.
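The web-page version of Ender’s trick, as an added example that is not from the original post: a roster lookup that splices the defendant’s name straight into the query text, beside the same lookup with the name passed as a bound parameter, run against a constructed in-memory SQLite table (table and row values are made up for the demo).

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny in-memory
# "court roster" table so the example runs offline.
ROSTER = [("Ender Wiggin", "pending"), ("Peter Wiggin", "pending")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roster (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO roster VALUES (?, ?)", ROSTER)
    return conn


def lookup_vulnerable(conn, name):
    # The judge reads the roster literally: whatever the defendant wrote is
    # spliced into the command text, so data can turn into a command.
    sql = f"SELECT name, status FROM roster WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Data and command travel separately: the driver binds the '?' placeholder
    # after the statement is parsed, so the name is only ever treated as a value.
    sql = "SELECT name, status FROM roster WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    honest = "Ender Wiggin"
    # The "Case Dismissed" move: a "name" that closes the quoted string and
    # tacks on a condition that is always true.
    tricky = "x' OR '1'='1"
    print(lookup_vulnerable(conn, honest))      # one row
    print(lookup_vulnerable(conn, tricky))      # every row: the name ran as a command
    print(lookup_parameterized(conn, tricky))   # no rows: the name stayed data
```

The spliced query becomes `... WHERE name = 'x' OR '1'='1'`, which is why the deputy hands back the whole roster; the bound version asks the database for a defendant literally named `x' OR '1'='1` and finds none.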
Additional Links
1. This is an incredible explanation recommended by my friend Joel.