SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel.


SQL Injection By: Ayman Mohamed Abdel Rahim Ali Ehab Mohamed Hassan Ibrahim Bahaa Eldin Mohamed Abdel Sabour Tamer Mohamed Kamal Eldin Jihad Ahmad Adel Majeed Hossam Salah Eldin Mostafa Presented To: Dr. Nermin Hamza

Topic Outline:
- What is SQL Injection?
- How does SQL Injection work?
- Examples
- Types of SQL Injection
- Avoidance Strategies Against SQL Injection Attacks
- References

What is SQL Injection? SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. It is the most common vulnerability found in websites and can be easily exploited due to poor coding. Even though it is very common, very little attention is given to preventing this type of attack.

How does it work? Many websites have forms that ask for user input, such as login and search forms. Often, the user input from these forms is used directly in constructing a SQL query. For example:

    SELECT * FROM Users WHERE user = 'USER INPUT' AND password = 'USER INPUT'

SQL injection happens when an attacker puts a SQL statement into one of these forms.

Simple Attack:
USERNAME: blah' OR '1' = '1
PASSWORD: blah' OR '1' = '1
Resulting query:

    SELECT * FROM USERS WHERE user = 'blah' OR '1' = '1' AND password = 'blah' OR '1' = '1'

Thus, the attacker was able to log in without valid credentials.

Another Simple Attack:
USERNAME: blah'; DROP TABLE USERS; --
Resulting query:

    SELECT * FROM USERS WHERE user = 'blah'; DROP TABLE USERS; --'

*Note how the comment (--) consumes the final quote.
*Many popular database products no longer allow multiple queries in a single statement.
This query would cause the entire Users table to be deleted.
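The two simple attacks above and the "use bind arguments" strategy from the avoidance section, worked in Python against an in-memory SQLite database. This is an added example, not code from the presentation; the `users` table, the account `alice`/`secret` and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample database (not from the slides): one legitimate account.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'secret')")
    return db

def login_concat(db, user, password):
    # Vulnerable pattern from the slides: form input pasted straight into the query text,
    # so the quote characters in the input become part of the SQL grammar.
    sql = f"SELECT user FROM users WHERE user = '{user}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

def login_bind(db, user, password):
    # Mitigation from the slides: bind arguments. The driver passes the values separately,
    # so they are compared as data and never parsed as SQL.
    sql = "SELECT user FROM users WHERE user = ? AND password = ?"
    return db.execute(sql, (user, password)).fetchone() is not None

def stacked_drop_attempt(db):
    # The second slide's payload. sqlite3, like many modern drivers, refuses to run more
    # than one statement per execute() call, so the DROP never reaches the engine.
    payload = "blah'; DROP TABLE users; --"
    try:
        db.execute(f"SELECT user FROM users WHERE user = '{payload}' AND password = ''")
    except (sqlite3.Warning, sqlite3.Error):
        pass
    # True if the users table survived
    return db.execute("SELECT count(*) FROM users").fetchone()[0] == 1

PAYLOAD = "blah' OR '1' = '1"  # the input string from the simple attack slide

if __name__ == "__main__":
    db = make_db()
    print("concatenated query, injected input:", login_concat(db, PAYLOAD, PAYLOAD))  # True: bypass
    print("bind arguments, injected input:   ", login_bind(db, PAYLOAD, PAYLOAD))    # False
    print("users table survived stacked DROP:", stacked_drop_attempt(db))            # True
```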

Types of SQL Injection Attacks:
- First Order Attack
- Second Order Attack
- Lateral Injection

First Order Attack: The attacker can simply enter a malicious string and cause the modified code to be executed immediately. Examples:
- UNIONs added to an existing statement to execute a second statement
- Sub-query added to an existing statement
- Existing SQL short-circuited to bring back all the data (for example, adding a query condition such as OR 1=1)

Second Order Attack: The attacker injects into persistent storage (such as a table row) that is treated as a trusted source. The attack is subsequently executed by another activity. Example: suppose you have a Web-based application that stores usernames alongside other session information. Given a session identifier such as a cookie, you want to retrieve the current username and then use it in turn to retrieve some user information.

You might therefore have code for an "Update User Profile" screen somewhat similar to the following:

    execute immediate 'SELECT username FROM sessiontable WHERE session ='''||sessionid||'''' into username;
    execute immediate 'SELECT ssn FROM users WHERE username='''||username||'''' into ssn;

This will be injectable if the attacker had earlier, on the "Create Account" screen, created a username such as:

    XXX' OR username='JANE

which creates the query:

    SELECT ssn FROM users WHERE username='XXX' OR username='JANE'

If the user XXX does not exist, the attacker has successfully retrieved Jane's social security number. Sub-query added to an existing statement: the attacker can create malicious database objects, such as a function called as part of an API or a maliciously named table, by using double quotation marks to introduce dangerous constructs. For example, an attacker can create a table with a name such as "tab') or 1=1--", which can be exploited later in a second order SQL injection attack.
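The second order scenario above, replayed in Python against SQLite: the crafted username is stored safely by a correctly written "Create Account" screen and only does damage when the "Update User Profile" code concatenates it into a second query. This is an added example, not the presentation's PL/SQL; the table contents, session id and Jane's (constructed) SSN are invented for the demonstration.

```python
import sqlite3

# Constructed tables mirroring the slide: users(username, ssn) and sessiontable(session, username).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    db.execute("CREATE TABLE sessiontable (session TEXT, username TEXT)")
    db.execute("INSERT INTO users VALUES ('JANE', '123-45-6789')")  # constructed victim row
    return db

def create_account(db, username, ssn):
    # "Create Account" screen. It is written correctly (bind argument), which is exactly
    # why the crafted username is stored verbatim and survives until the later query.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, ssn))

def open_session(db, session_id, username):
    db.execute("INSERT INTO sessiontable VALUES (?, ?)", (session_id, username))

def profile_ssn_concat(db, session_id):
    # "Update User Profile" screen as on the slide: the username read back from the
    # session table is trusted and concatenated into the second statement.
    username = db.execute(
        "SELECT username FROM sessiontable WHERE session = '" + session_id + "'").fetchone()[0]
    return [r[0] for r in db.execute("SELECT ssn FROM users WHERE username = '" + username + "'")]

def profile_ssn_bind(db, session_id):
    # Same flow with bind arguments: data read back from the database stays data.
    username = db.execute(
        "SELECT username FROM sessiontable WHERE session = ?", (session_id,)).fetchone()[0]
    return [r[0] for r in db.execute("SELECT ssn FROM users WHERE username = ?", (username,))]

MALICIOUS_NAME = "XXX' OR username='JANE"  # the username from the slide

if __name__ == "__main__":
    db = make_db()
    create_account(db, MALICIOUS_NAME, "000-00-0000")  # attacker's own (constructed) SSN
    open_session(db, "sess-1", MALICIOUS_NAME)
    print(profile_ssn_concat(db, "sess-1"))  # ['123-45-6789']: Jane's SSN leaks
    print(profile_ssn_bind(db, "sess-1"))    # ['000-00-0000']: only the caller's own row
```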

Lateral Injection: The attacker can manipulate the implicit function TO_CHAR() by changing the values of the environment variables NLS_Date_Format or NLS_Numeric_Characters. For example, using lateral SQL injection, an attacker can exploit a PL/SQL procedure that does not even take user input. When a variable whose data type is DATE or NUMBER is concatenated into the text of a SQL statement, then, contrary to popular belief, there is still a risk of injection.

The implicit function TO_CHAR() can be manipulated by using NLS_Date_Format or NLS_Numeric_Characters. You can include arbitrary text in the format model, and you do not need to include any of the “structured” elements such as Mon, hh24, and so on.

For example:

    SQL> SET SERVEROUTPUT ON
    SQL> ALTER session SET NLS_Date_Format = '"The time is"... hh24:mi'
      2  /
    Session altered.
    SQL> SELECT TO_CHAR(SYSDATE) d FROM Dual
      2  /
    D
    The time is... 19:49
    SQL> DECLARE
      2    d DATE := TO_DATE('The time is... 23:15');
      3  BEGIN
      4    -- Implicit To_Char()
      5    DBMS_OUTPUT.PUT_LINE(d);
      6  END;
      7  /
    The time is... 23:15
    PL/SQL procedure successfully completed.

Avoidance Strategies Against SQL Injection Attacks:
- Reduce the attack surface.
- Avoid dynamic SQL with concatenated input.
- Use bind arguments.
- Filter and sanitize input.

Reduce the attack surface: Ensure that all excess database privileges are revoked and that only those routines that are intended for end-user access are exposed. Though this does not entirely eliminate SQL injection vulnerabilities, it mitigates the impact of the attacks.

Avoid dynamic SQL with concatenated input: Dynamic SQL built with concatenated input values presents the easiest entry point for SQL injection. Avoid constructing dynamic SQL this way.

Use bind arguments: Parameterize queries by using bind arguments. Bind arguments eliminate the possibility of SQL injections and enhance performance.

Filter and sanitize input: The Oracle-supplied DBMS_ASSERT package contains a number of functions that can be used to sanitize user input and help guard against SQL injection in applications that use dynamic SQL built with concatenated input values. If your filtering requirements cannot be satisfied by the DBMS_ASSERT package, you may need to create your own filter.
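An identifier filter in the spirit of DBMS_ASSERT, for the one case bind arguments cannot cover (an object name placed into dynamic SQL), checked against the malicious table name from the second order slide. This is an added example written for this page, not Oracle's DBMS_ASSERT code: the allowlist is a deliberately stricter stand-in for SIMPLE_SQL_NAME (it rejects quoted identifiers outright), and the 128-character limit is an assumption.

```python
import re

# Allowlist for an unquoted Oracle-style identifier: a letter followed by letters, digits,
# '_', '$' or '#'. Constructed here as a stricter stand-in for DBMS_ASSERT.SIMPLE_SQL_NAME;
# the 128-character cap is an assumption, and quoted identifiers are rejected on purpose.
_SIMPLE_SQL_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_$#]{0,127}")

def simple_sql_name(name: str) -> str:
    """Return name unchanged when it is a plain identifier; raise ValueError otherwise."""
    if _SIMPLE_SQL_NAME.fullmatch(name):
        return name
    raise ValueError(f"invalid SQL name: {name!r}")

def is_simple_sql_name(name: str) -> bool:
    try:
        simple_sql_name(name)
        return True
    except ValueError:
        return False

def count_rows_sql(table: str) -> str:
    # A table name cannot be a bind argument, so validation is the only defence before
    # the identifier is spliced into the statement text.
    return f"SELECT COUNT(*) FROM {simple_sql_name(table)}"

if __name__ == "__main__":
    print(count_rows_sql("USERS"))                   # SELECT COUNT(*) FROM USERS
    print(is_simple_sql_name("tab') or 1=1--"))      # False: the slide's malicious table name is rejected
    print(is_simple_sql_name('"tab\') or 1=1--"'))   # False: the double-quoted form is rejected too
```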

References: curriculum.oracle.com/tutorial/SQLInjection/html/lesson1/les01_tm_ovw.htm