SQL Injection Attack

BACIOIU Florentina
Security in Informatics
ISI 2

Table of Contents
List of Figures
Introduction
Characteristics
Attack Types
Attacker Intent
Manifestation and Effects
Causes
Examples
Protection
Conclusions
Bibliography

List of Figures
Figure 1 SQL Injection User Input Select Example (Allardice)
Figure 2 SQL Injection User Input Action Example (Allardice)
Figure 3 SQL Rand Architecture (Boyd & Keromytis)

Introduction

SQL Injection is a security attack that exploits poorly designed systems in order to pass malicious
code through the application to the database. The goal is to gain access to the backend database
schema and values by producing SQL queries and actions that should not be executed.
This document presents the main characteristics of the SQL Injection attack, taking into
account the type of attack and the attacker's intentions, as well as its effects and manifestation.
Concrete examples are also presented, along with several conclusions based on the
documentation.

Characteristics

This section presents the SQL Injection attack in more detail, taking into account the
attack category and the benefits to the potential attacker. The way SQL Injection works and the
main vulnerabilities that the attack exploits are also described, along with its effects.

Attack Types

“SQL injection attacks are a type of injection attack, in which SQL commands are injected into
data-plane input in order to effect the execution of predefined SQL commands”.
(www.owasp.org, 2017)
Injection occurs when user input is sent to one of the application modules to be processed,
is included as part of a query, and is then executed against the database. This is a very
common type of attack and was included in “Top 10 2007-Injection Flaws” by OWASP.
(www.owasp.org, 2017)
There are many types of injection, SQL being just one of a long list: “SQL, Hibernate Query
Language (HQL), LDAP, XPath, XQuery, XSLT, XML, OS command injection”. (www.owasp.org,
2017)
The SQL injection attack also has several sub-types that can be applied to a system, distinguished
by the way the injection is actually performed (Halfond, Viegas, & Orso):
• Injection through user input – this is the simplest and most common SQL Injection attack, being
available to a larger category of attackers because of its ease of implementation.

• Injection through cookies – cookies are a way of storing user input variables to be used at a later
time; however, they represent a vulnerability, as they can be altered, restored later and used as
user input, producing the same result as injection through user input.

• Injection through server variables – server variables are a collection of HTTP headers, network headers,
and environment variables, used for several purposes, such as logging and identifying browser
preferences; they represent a vulnerability because malicious strings can be placed directly into
the headers, and they are then passed directly into the database.

• Second-order injection – this type is harder to prevent, as the injection takes effect at a later
time, not when the user input is added for the first time.
As database management systems execute all valid queries received from the business layer, attackers
can exploit this behaviour by entering strings that end up included in the statements, according to their goal.
Figure 1 and Figure 2 are examples of injection using user input. The first image shows a malicious string
that could be entered in the Customer Name field and used for a purpose other than the intended one. The
attacker could try different options, the intent being to get information from the database about the
application's customers.

Figure 1 SQL Injection User Input Select Example (Allardice)

Figure 2 shows a malicious action that the attacker is trying to apply to the database: dropping an entire
table with all the data it contains. As the input label is Customer Number, the table name
“Orders” can be easily guessed, especially if the application provides a way of placing orders. Other table
names can be guessed and tried until a valid table is found and dropped.

Figure 2 SQL Injection User Input Action Example (Allardice)
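
An added example (not part of the original document and not taken from Allardice's figures) of the user-input case that Figure 1 describes, written with Python's sqlite3 module. It places a query built by string concatenation beside a parameterized one; the customers table, its rows and the input string are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.test"), ("Bob", "bob@example.test"),
         ("O'Brien", "obrien@example.test")],
    )
    return db

def find_customer_concat(db, customer_name):
    """Vulnerable: the input becomes part of the SQL text itself."""
    sql = "SELECT name, email FROM customers WHERE name = '" + customer_name + "'"
    return db.execute(sql).fetchall()

def find_customer_param(db, customer_name):
    """Hardened: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return db.execute(sql, (customer_name,)).fetchall()

# Constructed input of the kind entered in a "Customer Name" field.
MALICIOUS_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_customer_concat(db, "Alice"))         # one row, as intended
    print(find_customer_concat(db, MALICIOUS_NAME))  # every row in the table
    print(find_customer_param(db, MALICIOUS_NAME))   # no rows: treated as a name
    print(find_customer_param(db, "O'Brien"))        # a quote in a real name works
```

The concatenated version also fails on the legitimate name O'Brien with a syntax error, which is often the first visible sign in application logs that a query is injectable.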

Attacker Intent

The main intent of an attacker is to “obtain unrestricted access to the databases underlying the
applications and to the potentially sensitive information these databases contain” (Halfond, Viegas, &
Orso).
More specifically, an attacker could pursue the following objectives with SQL Injection (Halfond, Viegas, & Orso):
• Identifying injectable parameters – needed to find the user input fields that are vulnerable to
injection.
• Performing database fingerprinting – finding the database type and version.
• Determining database schema – the intent is to collect all possible information: table names,
column names, data types.
• Extracting data – the most common intent, as sensitive data is valuable and desired by attackers
for various purposes.
• Adding or modifying data – altering and corrupting data.
• Performing denial of service – shutting down the database and denying users access to the application.
• Evading detection – used to avoid the audit and detection mechanisms implemented within the
system.
• Bypassing authentication – impersonating other users and using their rights and privileges.

Manifestation and Effects

SQL Injection attacks lead to identity theft, loss of confidential information, and fraud. Taking control of
and corrupting the system that hosts the Web application are other common malicious effects.

Causes

Insufficient validation of user input is the main reason why SQL Injection is so common among web
applications. As a result, an attacker changes the intended effect of an SQL query by inserting new SQL
keywords or operators into the query.

Examples

• The “TeamBerserk” attacker group stole $100,000 by obtaining and using the user names and
passwords of client banking accounts from Sebastiancorp.com through a SQL Injection attack. (Kumar,
2013)
• In July 2012, 450,000 login credentials were stolen from Yahoo! using SQL Injection. (Ngak, n.d.)

Protection

– Active input data encoding; (Janot & Zavarsky)
– Tainting: labeling all input data as ‘suspicious’;
– Query pre-modeling;
– IPS/IDS and application firewalls;
– New query building paradigms;
– Input validation; (www.owasp.org, 2017)
– Use strongly typed parameterized query APIs;
– Enforce least privilege;
– Avoid detailed error messages;
– Show care when using stored procedures;
– Do not use dynamic query interfaces;
– Do not use simple escaping functions;
– Watch out for canonicalization errors;

– SQLrand System – a proposed solution for Randomized SQL;

Figure 3 SQL Rand Architecture (Boyd & Keromytis)
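
An added example, not part of the original document, showing why the second-order injection listed under Attack Types calls for parameterized queries at every point of use and not only where input first arrives. The users table, the account names and the function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample accounts (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "admin-pw"), ("carol", "carol-pw")])
    return db

def register(db, username, password):
    """Step 1: the value is bound as a parameter, so storing it is harmless."""
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def change_password_concat(db, stored_name, old_pw, new_pw):
    """Step 2, vulnerable: a value read back from storage is pasted into SQL."""
    sql = ("UPDATE users SET password = '" + new_pw + "' "
           "WHERE username = '" + stored_name + "' AND password = '" + old_pw + "'")
    return db.execute(sql).rowcount

def change_password_param(db, stored_name, old_pw, new_pw):
    """Step 2, hardened: stored data is bound exactly like fresh user input."""
    sql = "UPDATE users SET password = ? WHERE username = ? AND password = ?"
    return db.execute(sql, (new_pw, stored_name, old_pw)).rowcount

def password_of(db, username):
    """Return the stored password for a user, or None if the user is absent."""
    row = db.execute("SELECT password FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None

# Constructed account name: a quote followed by a SQL comment marker.
STORED_NAME = "admin'--"

def run(change_password):
    """Register the constructed name, then change that account's password."""
    db = make_db()
    register(db, STORED_NAME, "pw1")
    change_password(db, STORED_NAME, "pw1", "pw2")
    return password_of(db, "admin"), password_of(db, STORED_NAME)

if __name__ == "__main__":
    print(run(change_password_concat))  # the admin row was changed instead
    print(run(change_password_param))   # only the registering account changed
```

Validation at registration time would not have flagged a failure here, because the insert itself is safe; the defect is in the later query that treats stored data as trusted.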

Conclusions

SQL Injection is a common attack against web applications and is based on adding malicious strings to
user inputs in order to get information about the database schema and data.
The reasons that stand behind the attacks are
The main cause of SQL Injection is the lack of user input validation, a basic and simple feature that should
be implemented for every system.

Bibliography
Allardice, S. (n.d.). Foundations of Programming: Databases. Retrieved from www.lynda.com:
https://www.lynda.com/Programming-Foundations-tutorials/Foundations-Programming-Databases/412845-2.html
Boyd, S., & Keromytis, A. (n.d.). SQLrand: Preventing SQL Injection Attacks. Retrieved from
http://web1.cs.columbia.edu/: http://web1.cs.columbia.edu/~angelos/Papers/sqlrand.pdf
Halfond, W., Viegas, J., & Orso, A. (n.d.). A Classification of SQL Injection Attacks. Retrieved from
pdfs.semanticscholar.org:
https://pdfs.semanticscholar.org/81a5/02b52485e52713ccab6d260f15871c2acdcb.pdf
Janot, E., & Zavarsky, P. (n.d.). Preventing SQL Injections in Online Applications:. Retrieved from
www.owasp.org: https://www.owasp.org/images/5/57/OWASP-AppSecEU08-Janot.pdf
Kumar, M. (2013, October 21). The Hacker News. Retrieved from http://thehackernews.com/:
http://thehackernews.com/2013/10/hacker-stole-100000-from-users-of.html
Ngak, C. (n.d.). Yahoo reportedly hacked: Is your account safe? Retrieved from www.cbsnews.com:
http://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-account-safe/
www.owasp.org. (2017, 01 12). SQL Injection. Retrieved from www.owasp.org:
https://www.owasp.org/index.php/SQL_Injection
www.owasp.org. (2017, 01 12). Top 10 2007-Injection Flaws. Retrieved from www.owasp.org:
https://www.owasp.org/index.php/Top_10_2007-Injection_Flaws
