SQL Injection Attacks
S Vinay Kumar, 07012D0506

Outline
SQL Injection?
Classification of Attacks
Attack Techniques
Prevention Techniques
Conclusion

What is a SQL Injection?
The ability to inject SQL commands into the database engine through an existing application.

Classification of Attacks
Identifying Database Finger-Print
Identifying Injectable Parameters
Discovering Database Schema
Bypassing Authentication
Extracting/Modifying Database Data
Downloading/Uploading File
Executing Remote Commands
Escalating Privilege
Attack Techniques
1. Tautology
Exploits the WHERE clause.
Usual login query:
    SELECT * FROM acct WHERE login = 'raju' AND password = '123'
JSP login query syntax:
    var sql = "SELECT * FROM users WHERE login = '" + usr + "' AND password = '" + pwd + "'";
Injecting through the input string:
    usr = ' or 1=1 --
    pwd = anything
Final query would look like this:
    SELECT * FROM acct WHERE username = '' or 1=1 -- ' AND password = 'anything'
2. Piggy-backed Query
Injecting through the input string:
    usr = xyz
    pwd = 0; drop table users
Final query would look like this:
    SELECT * FROM acct WHERE username = 'xyz' AND password = 0; drop table users
3. Union Query
Used to retrieve specific information.
Injecting through the input string:
    usr = ' UNION SELECT cardNo from CreditCards where acctNo =
    pwd = anything
Final query would look like this:
    SELECT * FROM acct WHERE username = '' UNION SELECT cardNo from CreditCards where acctNo = ' AND password = anything
4. Malformed Query
Also called Second-order Injection.
Injecting through the input string:
    usr = xyz
    pwd = convert(int, (select top 1 name from sysobjects where xtype = 'u'))
Final query would look like this:
    SELECT * FROM acct WHERE username = 'xyz' AND password = convert(int, (select top 1 name from sysobjects where xtype = 'u'))
SQL Server may return the following error:
    Microsoft OLE DB Provider for SQL Server (0x80040E07) Error converting nvarchar value 'CreditCards' to a column of data type int
5. Inference Based Attacks
Also called Blind Injection.
Injecting through the input string:
    usr = legalUser' AND ASCII(SUBSTRING((select top 1 name from sysobjects), 1, 1)) > X WAITFOR
    pwd = anything
Final query would look like this:
    SELECT * FROM acct WHERE username = 'legalUser' AND ASCII(SUBSTRING((select top 1 name from sysobjects), 1, 1)) > X WAITFOR AND password = anything
6. Alternate Encodings
Injecting through the input string:
    usr =
    pwd = 0; exec(char(0x f776e))
Final query would look like this:
    SELECT * FROM acct WHERE username = '' AND password = 0; exec(char(0x f776e))
The encoded string is the shutdown command.
Prevention Techniques
1. Use Parameterized Queries
Separates data from the query.
Allows creation of static queries with bind variables.

    // Assumes java.sql.Connection, PreparedStatement and ResultSet are imported
    // and 'connection' is an open java.sql.Connection.
    String custname = request.getParameter("customerName");
    // perform input validation on custname to detect attacks
    String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, custname);
    ResultSet results = pstmt.executeQuery();
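The tautology attack from attack technique 1 and the parameterized-query fix from prevention technique 1, side by side, as an added Python/sqlite3 example that is not part of the original slides; the acct table, its two rows and the second user 'asha' are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acct (username TEXT, password TEXT)")
    conn.execute("INSERT INTO acct VALUES ('raju', '123'), ('asha', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, usr, pwd):
    """Vulnerable form: input is spliced into the SQL text, like the JSP snippet."""
    sql = ("SELECT username FROM acct WHERE username = '" + usr
           + "' AND password = '" + pwd + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, usr, pwd):
    """Hardened form: static query with bind variables, so input never becomes SQL syntax."""
    sql = "SELECT username FROM acct WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (usr, pwd))]


def demo():
    """Run a legitimate login and the tautology input against both forms."""
    conn = make_db()
    tautology = "' or 1=1 --"  # the usr value from the Tautology slide
    return {
        "legit_concat": login_concat(conn, "raju", "123"),
        "legit_param": login_param(conn, "raju", "123"),
        # Concatenation turns the input into `'' or 1=1 --`, matching every row.
        "tautology_concat": login_concat(conn, tautology, "anything"),
        # The bound value is compared as a literal string and matches nothing.
        "tautology_param": login_param(conn, tautology, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```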
2. Customized Error Messages
Knowing the database schema makes the attacker's job easier.
Avoid displaying detailed error messages and stack traces to external users.
3. White List Based Validation
Involves defining exactly what IS authorized.
Allow input within a well-defined set of safe values, by defining a very strong validation pattern.
Implement stringent "known bad" filters, e.g. reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "'".
4. Limiting Privileges
Admin-type access rights for the application accounts must be avoided.
Create a view that limits access to that portion of the data.

5. Other Preventions
Validate and filter the input data using strong regular expression patterns.
System stored procedure reduction.
Encrypting sensitive data.
Conclusion
Present-day development is more focused on web applications, so there is an urgent need to educate developers and students on SQL injection. By allowing programmers and system administrators to understand the attacks more thoroughly, more attacks will be detected and more countermeasures will be introduced into the systems.

Thank You
Queries?