SQL Injection

Week Two
TL;DR
SQL commands are used to query a database. Crafted queries can be used to interact with the database in malicious ways. From the client side, data can be manipulated, passwords can be changed, and access control can be bypassed.

SQL (Structured Query Language) injection is an attack that manipulates a database by supplying malicious SQL queries as user input. Any web application or website that connects to a database can be vulnerable to SQL injection. SQL database management systems include MySQL and Oracle. A successful attack can give the attacker access to database information such as user details and credit card information. Attackers could also gain administrative privileges, delete tables from the database, or modify data. SQL injection is at the top of the OWASP (Open Web Application Security Project) Top 10 list of threats to web applications as of 2017 (Acunetix, n.d.).



HOW SQL INJECTION ATTACK IS PERFORMED

For this attack to work, an attacker must first test the website or web application for vulnerable parts. These are mainly the parts that accept user input and use it to build requests that query the database. Once the attacker finds a vulnerable part, he/she crafts a malicious payload in the form of SQL commands. These commands are executed by the database, which returns results according to the attacker's careful crafting.

SQL commands are used to manage the data behind web applications or websites, performing tasks such as storing, retrieving, modifying and deleting data. In some cases SQL commands can also be used to run operating system commands. A successful SQL injection attack can cause serious issues with a far-reaching negative impact on a business (Friedl, 2017).

·         Some SQL servers grant access to the operating system; this may be due to how the database administrator configured them. A successful SQL injection attack on such a server gives the attacker access to the underlying operating system, where the attacker is free to gain any privilege he wants.

·         A successful SQL injection allows the attacker to select and output data from the database.

·         SQL servers allow data to be altered and added to the database, so a successful attack could let the attacker alter user information and add new information that was not present in the database before.

·         A successful SQL injection attack can be used to find user credentials, which could lead to impersonation of the user.

·         Deletion of data in the database can also occur when an SQL injection attack is successful; tables can be dropped from the database and cannot be recovered.


TYPES OF SQL INJECTION
There are several types of SQL injection that can be used to cause serious damage to a user application or web application. Using them, attackers can bypass authentication, access and modify data, delete data within a database, and in some extreme cases execute operating-system-level commands and evade firewalls.

Union-based Injection
This technique uses the SQL UNION operator to combine the results of two or more SELECT statements into a single result set, which the application then outputs.

Error-Based Injection
This technique relies on the error messages output by the database to obtain information about the structure of the database.

Boolean Based Injection
This technique relies on sending a query to the database and observing whether the application is forced to return a different response depending on whether the query evaluates to true or false.

Time-Based Injection
This technique depends on sending a query to the database that forces it to wait for a specified period of time before responding to the request; whether or not the delay occurs reveals the result of the query.

MITIGATION AGAINST SQL INJECTION
There are different ways by which SQL injection attacks can be mitigated. These range from sanitizing user input, to using a firewall, to limiting privileges.
·         One of the first steps in mitigating against SQL injection is user input sanitization. This means writing specific code to check whatever the user inputs and clear it of illegitimate content before it is processed by the database. The developer can also parametrize queries when developing the web application. This means that the parts of the SQL query that come from the user are passed as parameters, so they are treated as data rather than as part of the query itself (Oriyano, 2016).
·         Another way to mitigate against SQL injection is to place a web application firewall in front of the web application or website. This helps protect the web application against SQL injection and related attacks as well as other online threats. It relies on a constantly updated list of special signatures that allows it to automatically remove dangerous and malicious SQL queries.
·         Another area of possible mitigation against SQL injection is the error messages displayed to users. Database or SQL error messages should not be displayed to users of the application, or the messages should be limited or generic so that they do not give away too much information about the SQL server. Error messages can also be logged: instead of displaying them for the user to see, the messages can be written to a file on the server that only the SQL server administrator can access and read.
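As an added example (not code from the original post), the vulnerable login check beside its parameterized form, written in Python against a constructed in-memory SQLite users table; the function names, the sample user and the login_response wrapper (which applies the generic-error-plus-logging mitigation described above) are all assumptions of this example.

```python
import logging
import sqlite3

# Stands in for the server-side log file that only the database administrator reads.
log = logging.getLogger("auth")


def make_db():
    """Constructed sample database (in-memory, so the example runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so quotes in the input become SQL."""
    query = ("SELECT id FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver sends the input as data, never as SQL."""
    query = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def login_response(conn, login_fn, username, password):
    """Wraps a login function so database errors never reach the user verbatim."""
    try:
        user_id = login_fn(conn, username, password)
    except sqlite3.Error as exc:
        # Full detail goes to the server log; the client only sees a generic message.
        log.error("database error during login for %r: %s", username, exc)
        return "login failed"
    return "welcome, user %d" % user_id if user_id is not None else "login failed"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"                        # payload listed on this page
    print(login_vulnerable(db, payload, "wrong"))      # 1: WHERE clause is always true
    print(login_parameterized(db, payload, "wrong"))   # None: payload stays a plain string
    # A legitimate name with an apostrophe breaks the concatenated query; the
    # wrapper logs the SQLite error and returns the generic message instead.
    print(login_response(db, login_vulnerable, "O'Brien", "x"))
```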

EXAMPLES OF SQL INJECTION CODE
-- Closes the quoted string early; the comment marker discards the rest of the query
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1'
' OR '1'='1' %16
-- Query as the database sees it once the injected text is concatenated in; the final OR 1=1 makes the condition always true
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1



REFERENCES

Friedl, S. (March 2017). SQL Injection Attacks by Example. Retrieved from http://www.unixwiz.net/techtips/sql-injection.html

Oriyano, S.-P. (April 2016). CEH v9: Certified Ethical Hacker Version 9 Study Guide, 3rd edition.

Acunetix. (n.d.). What is SQL Injection (SQLi) and how to prevent it. Retrieved from https://www.acunetix.com/websitesecurity/sql-injection/





Video Credit: Imperva. April 29, 2009