SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data.
2. HASHMI SAFWAN
Table of Contents
1. SQL Injection.................................................................................................................................. 1
1.1 What is SQL?.......................................................................................................... 1
1.2 What is SQL Injection?........................................................................................... 1
1.3 How Common Is It?................................................................................................ 1
1.4 Vulnerable Applications.......................................................................................... 2
1.5 How Does SQL Injection Work?............................................................................. 2
1.6 The Power of ' (Single Quote)................................................................................. 4
1.7 SQL Injection Characters........................................................................................ 5
1.8 Impact of SQL Injection.......................................................................................... 5
2. Classification of SQL Injection Attacks.......................................................................... 6
2.1 Classification of SQL Injection Attacks................................................................. 6
3. Preventing SQL Injection Attacks................................................................................... 7
3.1 Novel Model for Preventing SQLIA....................................................................... 7
3.2 Pattern Matching Algorithm.................................................................................... 8
3.3 SQLrand Architecture............................................................................................. 9
3.4 Comparative Analysis of All Existing Models...................................................... 10
4. SQL Injection Attacks.................................................................................................... 11
5. SQL Injection Conclusion.............................................................................................. 13
6. References...................................................................................................................... 14
List of Figures
Fig 1.1 High Level Structure of Crypton ............................................................................2
Fig 1.2 Data Representation Array.......................................................................................3
Fig 1.3 Byte-Wise Substitution ...........................................................................................4
Fig 1.4 Byte-Wise Permutation(a) .......................................................................................4
Fig 1.4 Byte-Wise Permutation(b) .......................................................................................5
Fig 1.5 Column to Row Transposition ..................................................................................5
Fig 1.6 Key Scheduling........................................................................................................5
Fig 1.7 Minimum Diffusion Patterns ..................................................................................6
List of Tables
Table 1.1 Table User(a).......................................................................................................4
Table 1.1 Tables Users(b) ...................................................................................................5
Table 2.1 Classification of SQL Injection Attacks..............................................................5
Table 3.1 Comparative Analysis of Existing Models .........................................................4
List of Figures
Fig 3.1 Web Architecture ....................................................................................................2
Fig 3.2 Tokenization Architecture........................................................................................3
Fig 3.3 Pattern Architecture ................................................................................................4
Fig 3.4 SQLrand Architecture..............................................................................................4
Abbreviations and Acronyms
SQL Structured Query Language
ANSI American National Standards Institute
SQLIA SQL Injection Attack
SBSQLID Service Based SQL Injection Detection
RDUD Rule based Detection of SQL Injection Attack
SANIA Syntactic and Semantic Analysis for Automated Testing against SQL Injection
1. SQL INJECTION
SQL injection is a type of security exploit in which the attacker adds SQL statements through
a web application's input fields or hidden parameters to gain access to resources or make
changes to data [1].
It is a serious vulnerability that can lead to a high level of compromise, usually the ability
to run any database query.
1.1 What Is SQL?
SQL stands for Structured Query Language [2][3]. It allows us to access a database. SQL
is an ANSI and ISO standard computer language; the most current standard is SQL99.
SQL statements are used to perform tasks such as retrieving, creating, updating or
deleting data in a database.
Some common relational database management systems that use SQL are Oracle, MS
SQL Server, MS Access, Ingres, DB2, Sybase and Informix. Although there are many
versions of the SQL language, the standard SQL commands such as "Select",
"Insert", "Update", "Delete", "Create" and "Drop" can be used across all of these
databases with few changes. All of the core functions, such as adding, reading and
modifying data, are the same.
1.2 What Is SQL Injection?
SQL injection is the ability to inject SQL commands into the database engine through an
existing application.
It is an attack on web-based applications that connect to database back-ends, in which
the attacker executes unauthorized (and unexpected) SQL commands by taking
advantage of insecure code and poor input validation. It is very often carried out against
systems connected to the Internet because it allows the attacker to bypass the firewall
completely: the malicious input travels over the same HTTP channel the firewall already
permits. SQL injection attacks can be used to steal information from a database that would
normally not be available and to gain access to host computers through the database
engine.
1.3 How Common Is It?
The principal issue with SQL injection is that the weakness is introduced when the web
application is coded. Most software engineers are still not aware of the problem.
Tutorials and demo "templates" on the Internet, and even some that ship with
commercial databases, promote building queries by concatenating strings, which is the
primary source of SQL injection vulnerabilities.
1.4 Vulnerable Applications
All SQL databases and programming languages are potentially vulnerable. SQL injection is an
input validation problem that must be considered and handled by the web application
developer.
Databases that are potentially vulnerable:
➢ MS SQL Server, Oracle, MySQL, Postgres, DB2, MS Access, Sybase, Informix, etc.
Accessed through applications developed using:
➢ Perl and CGI scripts that access databases
➢ ASP, JSP, PHP
➢ XML, XSL and XSQL
➢ JavaScript
➢ VB, MFC, and other ODBC-based tools and APIs
➢ DB-specific web-based applications and APIs
➢ Reports and DB applications
➢ 3GL- and 4GL-based languages (C, OCI, Pro*C, and COBOL)
1.5 How Does SQL Injection Work?
A typical method of validating users in an application is to check whether the username and
password combination exists in the user table:
SELECT * FROM users WHERE USERNAME = 'SAFWAN' AND PASSWD = 'Admin! @#'
The above statement returns one record if there is one row where USERNAME =
'SAFWAN' AND PASSWD = 'Admin! @#'.
USERID  USERNAME  PASSWD       ROLEID  STATUS
1       SAFWAN    Admin! @#    1       ACTIVE
2       ZIAD      ZAID@@#$3    1       ACTIVE
3       WAQAR     ABC@ASDFJ23  2       ACTIVE
Table 1.1 User Table
Injecting through Strings
If the attacker enters the username as ' or 1=1 -- and the password as anything, the
final query looks like this:
SELECT * FROM users WHERE username = '' or 1=1 -- ' AND password = 'anything'
By inserting a single quote, the username string is closed and the final concatenated
string ends up interpreting or 1=1 as part of the command. The -- (double dash)
comments out everything after or 1=1 and so avoids a syntax error. The same effect
could also have been achieved by inserting the following input:
' or '1'='1
By injecting either of the two inputs discussed, an attacker gets logged in as the
first user in the table. This happens because the WHERE clause ends up
evaluating username = '' (empty) OR 1=1 (OR '1'='1' in the second
case). The first condition is false but the second one is true. Because they are joined
by OR the whole condition is true, and therefore all rows from the users table are returned.
The result set is not empty, so the login condition is met.
If the username field is numeric, as in the table below:
USERID    PIN   ROLEID  STATUS
12345678  1111  1       ACTIVE
78945612  1113  1       ACTIVE
35255468  0555  2       ACTIVE
Table 1.2 User Table
then the SQL command for retrieving the record will be:
SELECT * FROM USER WHERE USERID = 12345678 AND pin = 1111
If the attacker enters the USERID as 1 or 1=1 # and any value as the PIN, the
final query looks like this:
SELECT * FROM User WHERE USERID = 1 or 1=1 # AND Pin = 1111
Injecting into a numeric field is very similar. The main difference from string injection
is that in numeric injection the first number is taken as the complete parameter (there is no
need to close it with a single quote) and all the text after that number is
treated as part of the command.
In this case the # (number sign) is used instead of the -- (double dash) because we are
injecting into a MySQL database.
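The following is an added example, not code from the original report, that runs both login queries of section 1.5 against an in-memory SQLite database populated with the (constructed) rows of Table 1.1 and Table 1.2. It places the string-concatenation construction the report describes next to the parameterized form that closes the hole, for both the string and the numeric field. SQLite is used because it ships with Python; it understands the -- comment but not the MySQL # comment, so the numeric case below uses -- as well. Table and function names are this example's own.

```python
import sqlite3

# Constructed sample rows mirroring Table 1.1 (users) and Table 1.2 (numeric userid + PIN).
USERS = [
    (1, "SAFWAN", "Admin! @#", 1, "ACTIVE"),
    (2, "ZIAD", "ZAID@@#$3", 1, "ACTIVE"),
    (3, "WAQAR", "ABC@ASDFJ23", 2, "ACTIVE"),
]
PIN_USERS = [
    (12345678, 1111, 1, "ACTIVE"),
    (78945612, 1113, 1, "ACTIVE"),
    (35255468, 555, 2, "ACTIVE"),
]


def make_db():
    """Build an in-memory SQLite database holding both demo tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER, username TEXT, passwd TEXT,"
               " roleid INTEGER, status TEXT)")
    db.execute("CREATE TABLE user_pin (userid INTEGER, pin INTEGER,"
               " roleid INTEGER, status TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    db.executemany("INSERT INTO user_pin VALUES (?, ?, ?, ?)", PIN_USERS)
    return db


def login_concat(db, username, password):
    """VULNERABLE: the WHERE clause is built by string concatenation, so a quote
    in the input closes the literal and the rest of the input is parsed as SQL."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND passwd = '" + password + "'")
    return db.execute(sql).fetchall()


def login_param(db, username, password):
    """HARDENED: bound parameters. The driver passes the values separately from
    the statement text, so they can never change the statement's structure."""
    sql = "SELECT * FROM users WHERE username = ? AND passwd = ?"
    return db.execute(sql, (username, password)).fetchall()


def pin_lookup_concat(db, userid, pin):
    """VULNERABLE numeric variant: there is no quote to close; everything after
    the first number is treated as part of the command."""
    sql = ("SELECT * FROM user_pin WHERE userid = " + str(userid)
           + " AND pin = " + str(pin))
    return db.execute(sql).fetchall()


def pin_lookup_param(db, userid, pin):
    """HARDENED numeric variant: validate the type first, then bind the values."""
    try:
        uid, p = int(userid), int(pin)
    except ValueError:
        return []  # non-numeric input never reaches the database
    sql = "SELECT * FROM user_pin WHERE userid = ? AND pin = ?"
    return db.execute(sql, (uid, p)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legitimate login      :", len(login_concat(db, "SAFWAN", "Admin! @#")), "row(s)")
    print("concatenated, injected:", len(login_concat(db, "' or 1=1 -- ", "anything")), "row(s)")
    print("parameterized, same   :", len(login_param(db, "' or 1=1 -- ", "anything")), "row(s)")
    print("numeric, concatenated :", len(pin_lookup_concat(db, "1 or 1=1 -- ", "1111")), "row(s)")
    print("numeric, parameterized:", len(pin_lookup_param(db, "1 or 1=1 -- ", "1111")), "row(s)")
```

The concatenated versions return every row for the report's inputs, which is exactly the "logged in as the first user" outcome described above; the parameterized versions return nothing, because the whole input is compared as one literal value (or rejected outright as a non-integer in the numeric case). The fix is the same whatever the database engine: bind values, never splice them into the statement text.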
1.6 The Power Of ' (Single Quote)
The single quote character closes the string field and therefore allows all of the
following text to be interpreted as SQL commands. To prevent this, a lot of the SQL
injection quick fixes found on the Internet suggest escaping the single quote by doubling it
('' is the standard way of escaping single quotes in SQL99).
This is only a half remedy, though, because there are always numeric fields or dates
within forms or parameters that will remain vulnerable, since they are not quoted at all.
1.7 SQL Injection Characters
• ' or "                         string delimiters
• -- or #                        single-line comment
• /*…*/                          multi-line comment
• +                              addition, concatenation (or a space in a URL)
• ||                             (double pipe) concatenation
• %                              wildcard attribute indicator
• ?Param1=foo&Param2=bar         URL parameters
• PRINT                          useful as a non-transactional command
• @variable                      local variable
• @@variable                     global variable
• WAITFOR DELAY '0:0:10'         time delay
1.8 Impact of SQL Injection
• Leakage of sensitive information.
• Reputation decline.
• Modification of sensitive information.
• Loss of control of the DB server.
• Data loss.
• Denial of service.
Graph 1.1 Impact of SQL Injection
1.9 Latest SQL Injection Statistics in 2016
SQL injection log ratio from one monitored network in the past 60 days (over 8000 events):
Fig 1.2 SQL Injection Log Ratio [4]
Fig 1.3 Identification of the attacking sources in the TP events [4]
Fig 1.4 Distribution by country of the attacking sources in the TP events [4]
2. CLASSIFICATION OF SQL INJECTION ATTACKS
2.1 Classification of SQL Injection Attacks
CLASSIFICATION / METHODS / TECHNIQUES AND IMPLEMENTATION
1 Intent
  Methods:
  • Identifying injectable parameters
  • Extracting data
  • Adding or modifying data
  • Performing denial of service
  • Evading detection
  • Bypassing authentication
  • Executing remote commands
  • Performing privilege escalation
  Techniques: see 'Input type of attacks'
2 Input source
  • Injecting through web forms: malicious strings in a web form, using both the GET and POST methods
  • Injecting through cookies: modified cookie fields containing SQLIA
  • Injecting through server variables: server variables are manipulated to contain SQLIA
  • Second-order injection:
    • Frequency-based primary application
    • Frequency-based secondary application
    • Secondary support application
    • Cascaded submission application
3 Input type of attacks (technical aspects)
  Classic SQLIA:
  • Piggy-backed queries
  • Tautologies
  • Alternate encodings
  • Illegal / logically incorrect queries
  • Union SQLIA
  • Stored procedure SQLIA
  Inference:
  • Classic blind SQLIA: conditional responses, conditional errors, out-of-band channelling
  • Timing SQLIA: double blind SQLIA (time delays / benchmark attacks), deep blind SQLIA (multiple statements of SQLIA)
  DBMS-specific SQLIA:
  • DB fingerprinting
  • DB mapping
  Compound SQLIA:
  • Fast-fluxing SQLIA
Table 2.1 Classification of SQLIA
3. PREVENTING SQL INJECTION ATTACKS (SQLIA)
3.1 Novel Model for Preventing SQLIA
Gaurav Srivastava and Kshitij Pathak presented an architecture for preventing SQL injection
attacks.
Fig 3.1 Web Architecture (a) and Proposed Architecture (b) [6]
This model proposes a double authentication process on both relational and hierarchical
databases by applying a tokenization approach to both. The task is performed in
three steps.
Step 1: Query forwarding.
Step 2: Tokenization of the query.
Step 3: Comparison of the array lengths.
Figure 3.2 shows the proposed architecture of SQLIA prevention through double
authentication via tokenization, using the three steps above.
Step 1: Query Forwarding. When a query comes from a user via the user interface, the input
query is forwarded to both databases, one created with the relational approach and the other
based on the hierarchical approach.
Step 2: Tokenization of the Query. The input query is divided into tokens on the
basis of the spaces, single quotes and double dashes between them. Once the tokens are decided,
they are stored in an array. The tokenization process is applied on both databases.
Step 3: Comparison of the Array Lengths. In this step the lengths of the two arrays are
compared. If the lengths L1 and L2 are the same, there is no injection present in the query and
the query proceeds to the main database to retrieve the result. If the lengths
L1 and L2 differ, an injection exists and the query is not forwarded to the database; the
result is a NULL value.
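An added example, not the authors' implementation, of the three steps above in Python. The paper does not spell out what the two token arrays are compared against, so this example reads L1 as the token count of the query built from an expected, single-token value per field (constructed here as the reference) and L2 as the token count of the query actually submitted; that reading, the template, the boundary rule and the sample inputs are this example's assumptions.

```python
import re

# Token boundaries named by the model: whitespace, single quotes and double dashes.
_BOUNDARY = re.compile(r"\s+|'|--")


def tokenize(query):
    """Step 2: split the query on spaces, single quotes and double dashes,
    drop empty pieces, and return the token array."""
    return [tok for tok in _BOUNDARY.split(query) if tok]


def build_query(template, values):
    """Concatenate user values into the application's fixed query text
    (the insecure construction the model is meant to protect)."""
    return template.format(*values)


def token_lengths(template, reference_values, submitted_values):
    """Steps 1-2: L1 is the token count of the expected (reference) query,
    L2 the token count of the query actually submitted (assumed reading)."""
    l1 = len(tokenize(build_query(template, reference_values)))
    l2 = len(tokenize(build_query(template, submitted_values)))
    return l1, l2


def is_injected(template, reference_values, submitted_values):
    """Step 3: the query is treated as injected (result NULL) when L1 != L2."""
    l1, l2 = token_lengths(template, reference_values, submitted_values)
    return l1 != l2


# Constructed login template and reference values (one token per field).
LOGIN_TEMPLATE = "SELECT * FROM users WHERE username = '{0}' AND passwd = '{1}'"
REFERENCE = ("SAFWAN", "Admin!@#")

if __name__ == "__main__":
    samples = [
        ("ZIAD", "ZAID@@#$3"),             # benign
        ("' or 1=1 -- ", "anything"),      # string injection from section 1.5
        ("' or '1'='1", "' or '1'='1"),    # second form from section 1.5
        ("John Smith", "pw"),              # benign value containing a space
    ]
    for submitted in samples:
        l1, l2 = token_lengths(LOGIN_TEMPLATE, REFERENCE, submitted)
        verdict = "reject (NULL)" if l1 != l2 else "forward to DB"
        print("%-32r L1=%d L2=%d -> %s" % (submitted, l1, l2, verdict))
```

Both injected inputs from section 1.5 change the token count and are rejected. The last sample shows the cost of counting tokens: a legitimate value that contains a space also changes the count and is rejected too, so a deployment needs a reference shape per form field (or a tokenizer that keeps quoted values whole) to avoid false positives.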
3.2 Pattern Matching Algorithm
This proposed scheme has the following two modules [7]:
1) Static phase
Step 1: The user-generated SQL query is sent to the proposed static pattern matching
algorithm.
Step 2: The static pattern matching algorithm is run on the query.
Step 3: The anomaly patterns are maintained in a static pattern list; during the
pattern matching process each pattern is compared with the stored anomaly
patterns in the list.
Step 4: If the pattern exactly matches one of the stored patterns in the
anomaly pattern list, the SQL query is affected by a SQL injection attack.
2) Dynamic phase
Step 1: An anomaly score is calculated for the user-generated SQL query; if
this value is greater than the threshold value, an alarm is raised and the query is passed to
the administrator.
Step 2: If the admin receives an alarm, the query is analysed manually. If the
query is infected by SQLIA, a pattern is generated and added to the static
pattern list.
Fig 3.3 Pattern Matching Algorithm for Preventing SQLIA [7]
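An added example, not the scheme's own code, that wires the static and dynamic phases of section 3.2 together and uses the SQL injection characters of section 1.7 as the signals behind the anomaly score. The initial pattern list, the signal weights and the threshold are constructed for this example; the paper defines neither the scoring function nor the threshold value.

```python
import re

# Static phase: known anomaly patterns (constructed from the report's own injection inputs).
STATIC_PATTERN_LIST = {"' or 1=1 --", "' or '1'='1"}

# Dynamic phase: weighted signals built from the injection characters of section 1.7.
# The weights are constructed for this demo, not taken from the paper.
INJECTION_SIGNALS = [
    (r"'", 1),                          # string delimiter
    (r'"', 1),
    (r"--", 2),                         # single-line comment
    (r"#", 2),
    (r"/\*.*?\*/", 2),                  # multi-line comment
    (r"\|\|", 1),                       # concatenation
    (r"@@?\w+", 1),                     # local / global variable
    (r"\bprint\b", 1),                  # non-transactional command
    (r"\bwait\s*for\s+delay\b", 3),     # time delay
    (r"\bor\b\s+\S+\s*=\s*\S+", 3),     # tautology shape such as  or 1=1
]
THRESHOLD = 3  # constructed


def normalize(text):
    """Lower-case and collapse whitespace so the exact match is not defeated by spacing."""
    return " ".join(text.lower().split())


def static_match(user_input):
    """Static phase, steps 3-4: exact match against the anomaly pattern list."""
    return normalize(user_input) in {normalize(p) for p in STATIC_PATTERN_LIST}


def anomaly_score(user_input):
    """Dynamic phase, step 1: sum of the weights of every signal found in the input."""
    text = user_input.lower()
    return sum(w * len(re.findall(p, text)) for p, w in INJECTION_SIGNALS)


def classify(user_input):
    """'blocked' on a static match, 'alarm' when the score exceeds THRESHOLD
    (the query goes to the administrator), otherwise 'pass'."""
    if static_match(user_input):
        return "blocked"
    if anomaly_score(user_input) > THRESHOLD:
        return "alarm"
    return "pass"


def admin_confirm(user_input):
    """Dynamic phase, step 2: after manual review the confirmed pattern joins the
    static list, so the next identical input is blocked without an alarm."""
    STATIC_PATTERN_LIST.add(normalize(user_input))


if __name__ == "__main__":
    for value in ["SAFWAN", "O'Brien", "' or 1=1 --", "1 or 1=1 #", "' or 'a'='a"]:
        print("%-14r score=%d -> %s" % (value, anomaly_score(value), classify(value)))
    admin_confirm("' or 'a'='a")       # administrator confirms the alarmed input
    print("after confirmation:", classify("' or 'a'='a"))
```

A lone apostrophe (O'Brien) scores below the threshold and passes, the report's exact inputs are blocked by the static list, and a variant the list does not know raises an alarm; once the administrator confirms it, the same input is blocked directly, which is the feedback loop the dynamic phase describes.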
3.3 SQLrand Architecture
➢ Applies instruction-set randomization to SQL.
➢ Creates instances of the language that are unpredictable to the attacker.
➢ Queries injected by the attacker are caught by the database parser.
➢ An intermediary proxy translates the randomized SQL back to the standard
language.
➢ The mechanism imposes negligible performance overhead on query processing and
can be easily retrofitted to existing systems.
Fig. 3.4 SQLrand Architecture [8]
The mechanism provides a tool that reads SQL statement(s) and rewrites every keyword
with the random key appended:
select gender, avg(age) from cs101.students
where dept = %d
group by gender
The utility will identify the six keywords in the example query and append the key to
each one (e.g., when the key is “123”):
select123 gender, avg123 (age)
from123 cs101.students
where123 dept = %d
group123 by123 gender
A proxy server sits between the client (web server) and the SQL server, de-
randomizes the requests received from the client, and conveys the query to the server.
If an SQL injection attack has occurred, the proxy's parser will fail to recognize the
injected query and will reject it. The randomized implementation focused on CGI scripts as
the query generators; a similar approach applies when the queries are built with JDBC.
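An added example, not the SQLrand code itself, of the two halves of the scheme: the developer-side utility that appends the key to every keyword in the query template, and the proxy that strips the key and rejects any keyword that arrives without it. The keyword subset, the key "123" (the report's example value) and the regular-expression tokenizer are this example's simplifications; SQLrand uses a full SQL parser.

```python
import re

# Subset of SQL keywords the demo recognises (constructed; the real utility covers the grammar).
SQL_KEYWORDS = {"select", "from", "where", "group", "by", "order", "and", "or",
                "union", "insert", "update", "delete", "drop", "avg", "count"}
KEY = "123"  # the report's example key; a real deployment uses a long random key

# A token is either a single-quoted string literal (left untouched) or an identifier-like word.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*")


def randomize(template):
    """Developer-side utility: append KEY to every keyword in the application's
    query template. Placeholders such as %d are left for the application to fill."""
    def rewrite(m):
        tok = m.group(0)
        if tok.startswith("'"):
            return tok
        return tok + KEY if tok.lower() in SQL_KEYWORDS else tok
    return _TOKEN.sub(rewrite, template)


def proxy_forward(query):
    """Proxy-side de-randomization. Returns ('ok', standard_sql) or ('rejected', reason).
    A keyword without the key can only have arrived inside user-supplied text."""
    def restore(m):
        tok = m.group(0)
        if tok.startswith("'"):
            return tok
        if tok.endswith(KEY) and tok[:-len(KEY)].lower() in SQL_KEYWORDS:
            return tok[:-len(KEY)]
        if tok.lower() in SQL_KEYWORDS:
            raise ValueError("bare keyword %r outside the randomized set" % tok)
        return tok
    try:
        return "ok", _TOKEN.sub(restore, query)
    except ValueError as exc:
        return "rejected", str(exc)


# The report's example template; %d is filled in by the application.
TEMPLATE = "select gender, avg(age) from cs101.students where dept = %d group by gender"

if __name__ == "__main__":
    randomized = randomize(TEMPLATE)
    print(randomized)
    # The CGI-style application splices the user value into the randomized template.
    for user_value in ["5", "5 or 1=1"]:
        print(repr(user_value), "->", proxy_forward(randomized.replace("%d", user_value)))
```

With the value 5 the proxy restores the exact standard query; with the tautology appended, the bare or is not part of the randomized instruction set and the request is rejected before it reaches the database. The protection rests entirely on the attacker not knowing the key, which is why it must be random and kept out of anything the client can read.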
3.4 Comparative Analysis of All Existing Models
Model: Sania
  Advantages:
  1) It can detect SQL vulnerabilities during the development and debugging phase of a web application.
  2) It identifies vulnerable spots by analysing SQL queries.
  Disadvantages:
  1) It requires knowledge of the database; without that knowledge an attack cannot be handled.
Model: SBSQLID
  Advantages:
  1) The main advantage of this approach is that the error message generated does not contain any metadata (information about the database that could help the attacker).
  Disadvantages:
  1) The web service is not integrated with the web application. Any modification to the system must be done in such a way that it is still supported by the web service.
Model: RDUD
  Advantages:
  1) It uses a supervised learning approach, using an SVM, to learn and to classify a query at run time.
  2) It is based on a classification task.
  Disadvantages:
  1) Special care must be taken to maintain the integrity of the web profile files and avoid poisoning of the web profiles.
  2) Not applicable to bypass-authentication attacks.
Model: Trans SQL
  Advantages:
  1) It is a server-side application, so it does not change the legacy web application.
  2) The query is checked twice before information is retrieved.
  Disadvantages:
  1) This model is unable to prevent attacks that use set operations, instances or aliases directly.
Model: Query Tokenization
  Advantages:
  1) It converts the query into tokens delimited by spaces, single quotes and double dashes.
  2) Applicable to all types of SQLIA.
  Disadvantages:
  1) The original (expected) form of the input query that contains the injection must be stored.
Table 3.1 Comparative Analysis of All Existing Models [9]
4. Top 5 Victims of SQL Injection Attacks
4.1 TalkTalk Cyber-attack [10]
A cyber-attack exploited vulnerabilities in three webpages operated by
TalkTalk. Exploiting this vulnerability gave access to an underlying database
holding customers' personal data, including names, addresses, dates of birth, phone
numbers, email addresses and financial information.
The attack type, SQL injection, was identified shortly after midday on 21 October,
and around an hour later TalkTalk took its websites down and replaced them with a
holding page.
TalkTalk says 156,959 customers' personal details were accessed and 15,656 bank account
numbers and sort codes were stolen.
The investigation found there had been two previous SQL injection attacks, on 17 July
2015 and between 2 and 3 September 2015, but TalkTalk did not take any action due to a
lack of monitoring of the webpages.
The ICO decided to issue its biggest ever fine, £400,000, to TalkTalk. The firm settled the
ICO fine for £320,000, saving £80,000 by paying early.
4.2 Russian Hackers Amass Over a Billion Internet Passwords [11]
A Russian crime ring has amassed the largest known collection of stolen Internet
credentials, including 1.2 billion username and password combinations and more
than 500 million email addresses, security researchers say.
So far, the criminals have not sold many of the records online. Instead, they appear to
be using the stolen information to send spam on social networks like Twitter at the
behest of other groups, collecting fees for their work.
The Russian hackers have been able to capture credentials on a mass scale using
botnets (networks of zombie computers that have been infected with a computer
virus) to do their bidding. Any time an infected user visits a website, the criminals
command the botnet to test that website to see if it is vulnerable to the well-known
hacking technique known as SQL injection, in which the attacker enters commands that
cause a database to reveal its contents. If the website proves vulnerable, the criminals
flag the site and return later to extract the full contents of the database.
4.3 Human Rights Foundation Website Hacked, Thousands of Accounts Exposed [12]
The Hungarian Human Rights Foundation website was hacked by Kapustkiy and
CyberZeist, who managed to get access to over 20,000 accounts and personal
information, including phone numbers and home addresses.
Security pentester Kapustkiy told us that the data breach was possible through a SQL
injection, which gave him access to databases that included thousands of
accounts, some of them related to the US government (using the @state.gov
suffix).
4.4 Hackers Exploit vBulletin Flaw to Access 27M Accounts on 11 Websites [13]
Attackers used a flaw in the Internet forum software vBulletin to breach 11 websites,
exposing the personal information of 27 million accounts, according to the breached
data monitoring service LeakedSource.
The breached websites used outdated versions of the vBulletin software that
contained SQL injection flaws in the Forum Runner add-on.
Several other domains were also breached, including expertlaw.com,
ageofconan.com, anarchy-online.com, freeadvice.com, gamesforum.com,
longestjourney.com, ppcgeeks.com, and thesecretworld.com.
5. SQL INJECTION CONCLUSION
SQL injection is a technique for exploiting applications that use relational databases as their
back end. Applications compose SQL statements and send them to the database. SQL injection uses
the fact that many of these applications concatenate the fixed part of a SQL statement with user-
supplied data that forms WHERE predicates or additional sub-queries.
➢ The technique is based on malformed user-supplied data.
➢ It transforms innocent SQL calls into malicious calls.
➢ It causes unauthorized access, deletion of data, or theft of information.
➢ All databases can be a target of SQL injection, and all are vulnerable to this
technique.
➢ The vulnerability lies in the application layer, outside the database, and exists from the
moment the application has a connection into the database.
6. REFERENCES
1. Microsoft, "SQL Injection". Retrieved 2016-12-25.
2. "Media Type registration for application/sql". Internet Assigned Numbers Authority,
10 April 2013.
3. "The application/sql Media Type, RFC 6922". Internet Engineering Task Force, April
2013, p. 3.
4. Adi Kaploun, Eliran Goshedn, "Check Point Threat Intelligence and Research Team",
posted 2015/05/07. Retrieved 2016/12/25.
5. E
6. Gaurav Srivastava, "SQL Injection Attacks: Technique and Prevention Mechanism",
International Journal of Computer Applications (0975 – 8887), Volume 69, No. 7,
May 2013.
7. Swapnit Kharche, "Preventing SQL Injection Attack Using Pattern Matching Algorithm",
2015.
8. Stephen W. Boyd, "SQLrand: Preventing SQL Injection Attacks", Department of
Computer Science, Columbia University, {swb48,angelos}@cs.columbia.edu.
9. Gaurav Srivastava, "SQL Injection Attacks: Technique and Prevention Mechanism",
International Journal of Computer Applications (0975 – 8887), Volume 69, No. 7,
May 2013.
10. Andres Andreu, Professional Pen Testing for Web Applications, Wrox, 2006.
11. "TalkTalk Cyber Attack", 2015. Access date 26 Dec 2016.
https://ico.org.uk/about-the-ico/news-and-events/talktalk-cyber-attack-how-the-ico-investigation-unfolded/
12. "Russian Hackers Amass Over a Billion Internet Passwords". Access date 26 Dec 2016.
http://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O#sKDlGwuCIcLY2dVc.97
13. "vBulletin Flaw to Access 27M Accounts". Access date 26 Dec 2016.
http://news.softpedia.com/news/human-rights-foundation-website-hacked-thousands-of-accounts-exposed-510384.shtml
14. Chris Anley, "Advanced SQL Injection In SQL Server Applications",
http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
15. Stephen J. Friedl, "SQL Injection Attacks by Example",
http://www.unixwiz.net/techtips/sql-injection.html, 2005.