Op2423922398

Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA)
ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398

Avoid SQL Injection Attacks
Urvashi Sanadhya
Department of Computer Science,
Mewar University, Chittorgarh
Tel: 07589397539

Abstract
An SQL injection attack targets web and feasible solution for this problem in the
applications that are database-driven. The computer security community.
methods using for SQL injections are easy to
learn and can cause major or significant damage 2. Survey of SQL injection
to the system. To address this problem, we SQL injection is a vulnerability that allows
present the different types of SQL injection an attacker to alter backend SQL statements by
attacks known to date and will look at a selection manipulating the user input. An SQL injection occurs
of the methods available to a SQL injection when web application accepts user input that is
attacker and how they are best defend against directly placed into SQL statements and does not
them. For each type of attack, we provide property filter out dangerous characters.
descriptions and examples of how attacks of that (more) Advanced SQL Injection by Chris
type could be performed. We also present and Anley [chris@ngssoftware.com] in 18/06/2002
analyze existing detection and prevention suggested that the best defence against SQL injection
techniques against SQL injection attacks. is to apply comprehensive input validation, use a
parameterised API, and never to compose query
Keywords-SQL injection, SQL injection attacks, strings on an ad-hoc basis. In addition, a strong SQL
Authentication attacks Server lockdown is essential, incorporating strong
passwords.
1. Introduction SQL Injection Signature Evasion
SQL Injection Attacks are one of the Whitepaper (Imperva) concludes that reliance upon
topmost threats for web application security,and signature protections alone is not a practical defence
SQL injections are one of the most serious against SQL injections attacks. A reasonably sized
vulnerability types. The SQL Injection attacks are signature database does not provide reliable
easy to learn and exploitable, so this method of protection while a comprehensive signature database
attack is easily used by attackers and hackers. Also results in excessive management overhead, dramatic
many major and traditional security systems having performance limitations, and false positives.
different security layers like firewall, encryption, Lateral SQL Injection Revisited by David
intrusion detection systems, Antivirus and anti Litchfield suggest that an attacker needs the
malware are not able to detect this type of attack. CREATE PUBLIC SYNONYM system privilege as
Also database mechanism for authentication and a prerequisite to effect this attack, which helps to
authorization can be bypassed by tricky methods mitigate the risk. One should not place faith solely in
and using set of rules of that type of database. this prerequisite to afford protection, as methods may
be found that bypass the need for this privilege in the
SQL Injection is something related to web- future. Instead, it is best practice to use variable
hacking, but using some SQL knowledge and legal binding in order to completely mitigate the risk this
SQL commands to make it vulnerable. Its take the technique poses.
advantage of the fact over which a poorly secured Lateral SQL Injection A new Class of
web-application is developed. Also its takes the Vulnerability in Oracle conclude that those functions
advantage of how data engines process the and procedures that don‘t take user input can be
query/insecure code in database. Many SQL takes exploited if SYSDATE is used. The lesson here is
the advantage of errors/error message generated by always, always validate and don‘t let this type of
systemon some query responses. SQL Injection vulnerability get into your code. The second lesson is
attacks that no longer should DATE or NUMBER data types
employed by malicious users for different reasons, e. be considered as safe and not useful as injection
g. financial fraud, theft confidential data, deface vectors.
website, sabotage, espionage, cyber terrorism, or Analysis of SQL injection prevention using
simply for fun. Furthermore, SQL Injection attack a filtering proxy server by David Rowe conclude
techniques have become more common, more that
ambitious, easy to learn/implement, and increasingly  Independent of flaws in application coding and
sophisticated, so there is a need to find an effective database privileges

2392 | P a g e


 Can operate on a separate server with real time vulnerable SQL statement. This type of attack is
analysis only possible when multiple SQL statements per
 Another layer of protection database request are supported.
3. Function Call Injection: Function call injection is
Secure Query Processing By Blocking SQL process of inserting various database function
injection by Dibyendu Aich descreibed that SQL calls into a vulnerable SQL statement. These
injection is a common technique hackers employ to function calls could be making operating system
attack these web-based applications. These attacks calls or manipulate data in the database.
reshape the SQL queries, thus altering the behavior 4. Buffer Overflows: Buffer overflow is caused by
of the program for the benefit of the hacker. Show a using function call injection. For most of the
technique for detecting and preventing SQL Injection commercial and open source databases, patches
Attacks incidents. The technique abstracts the are available. This type of attack is possible when
intended SQL query behaviour in an application in the server is un-patched.
the form of an ordered sequence of tokens, as a one- Mostly web-application developing technologies
time offline procedure using static analysis of the are susceptible to this attack:
application code. This database is then validated They are JSP, XML, XSL, ASP, JavaScript etc.
against the entire different incoming SQL query at which can access database.
runtime to capture all malicious SQL queries, before
they are sent to the database server for execution. To Detection of SQL Injection vulnerability
minimize searching time and response time it uses Detection of SQL injection vulnerability in
the modern processor architecture by perform the a system is very tough task, as SQL Injection is
searching in a multi threaded way as well as it nothing but simple logical game of valid SQLs. So
predict the possible correct list for an incoming query this can be doing by enter each and every possible
by introducing hit count calculation. way the attacker can input the query.
To detect SQL Injection we must have to
Using a Web Server Test Bed to Analyze know about how SQL Injection is possible in an
the Limitations of Web Application Vulnerability application and what different types of SQL Injection
Scanners by David A. Shelly suggested a method to attacks are.
analyze the flaws and limitations of several of the Mainly it can categorize in two stages:
most popular commercial and free/open-source web There are two main types of attacks. First-order
application scanners by using a secure and insecure attacks are when the attacker receives the desired
version of a custom-built web application. Using this result immediately, either by direct response from the
described method, key improvements that should be application they are interacting with or some other
made to web application scanner techniques to response mechanism, such as email. Second-order
reduce the number of false-positive and false- attacks are when the attacker injects some data that
negative results are proposed. will reside in the database, but the payload will not
be immediately activated.
Techniques and Tools for Engineering Furthermore the classification is also based on
Secure Web Applications By Gary Michael this commonly two types of attacks:
dissertation describes the first formal, realistic
characterization of SQL injection and the analyses 1. Login authentication attack:
can detect and block real attacks and uncover Many web-sites or web-application which deals with
unknown vulnerabilities in real world code. transaction/view of user related data must have login
panel or login page. They must have mainly two field
3. Related Work and Observations of SQL :UserName or UserID and :password and an
Injection Attack login/sign in button to login into database. There is
There are four main categories of SQL also an ‗forget password link‘ which sends password
Injection attacks against databases: to the user who make a request by clicking and input
1. SQL Manipulation: manipulation is process of desired fields.
modifying the SQL statements by using various For our example of SQL injection, we will use a
operations such as UNION. Another way for hypothetical form which many people have probably
implementing SQL Injection using SQL dealt with before: the ―email me my password‖ form,
Manipulation method is by changing the where which many websites have in case one of their users
clause of the SQL statement to get different forgets their password.
results.
2. Code Injection: Code injection is process of
inserting new SQL statements or database
commands into the vulnerable SQL statement.
One of the code injection attacks is to append a
SQL Server EXECUTE command to the

2393 | P a g e


Let he guess a field name as ‗email‘ and try in the
query and find out if the SQL is valid or not.
SELECT <column> FROM <table> WHERE field
=‘x‘ and email is null; --
He don't care about matching the email
address (which is why use a dummy 'x'), and the --
marks the start of an SQL comment. This is an
effective way to "consume" the final quote provided
Figure 1- Login by application and not worry about matching them.
authentication attack It gives response. If it is a server error, that‘s means
The way a typical ―email me my password‖ SQl is invalid and syntax error can be thrown. So
form/link works is this: it takes the email address as there must be wrong field name guess, try it for other
an input from the user, and then the application does as ‗email_address‘, ‗emailID‘ etc.
a search in the database for that email address. If the If the response is valid, it makes surety that
application does not find anything in the database for the guessing field is a valid one.
that particular email address, then it simply does not Here ‗AND‘ is use in query to ensure that
send out an email with a new password to anyone. on valid response there should not be generated
However, if the application does successfully find response like ‗here is your password‘ and emails
that email address in its database, then it will send from the application to the random user. So to avoid
out an email to that email address with a new this suspicious activity ‗and‘ is used in query which
password, or whatever information is required to will always sure that mail is never generated to any
reset the password. user while getting a valid response.
(Here below the dark background and with red font is Similarly other fields/columns are also detected
always user input.) through hit and trial method. Say email, password,
e_id, name.
i) First test we do here is to check what error it give
on inserting a single quote. iv) Finding the table name:
The query become SELECT <column> FROM Table name can be retrieve through several
<table> WHERE <emailfield>=‘ <desiredEmail >‘. approaches. To accomplish this a ‗hit and trial‘
method is use with using SQL functionality of
ii) Here an attacker does not know the mail-ID so he accessing the fields.
made his mind to manipulate the query which can For example, here ‗email‘ is known field and
give some result. He use tautology query, in which guessed table is ‗emp_master‘. So the executable
the where condition is always true. i.e. query be like :
SELECT <column> FROM <table> WHERE SELECT <column> FROM <table> WHERE field
<emailfield>=‘abc‘ and ‗1‘=‘1‘; =‘x‘andemp_master.email is null; --
But unlike the actual query which should return only If the response of this query is valid or returned as
a single value, this query will return every values of ‗Unknown email‘ then SQL was well formed and
the column since query‘s where condition is always table name is properly guessed.
true. But the actual record taken for operational
purpose is the first record returned by the query, or a v) Finding some users
value taken at random. Till now table name, column name is
guessed. For getting clues about some user, the first
Always there are mostly three responses for various place to start, of course, is the company's website to
input : find who is who: the "About us" or "Contact" pages
 ‗Your password has been send to often list who's running the place. Many of these
<desiredEmail>‘. contain email addresses. So the ‗LIKE‘ keyword of
 ‗The entered Email is incorrect‘. SQL helps most to get username. The targeted SQL
 Some server error. is build some as :
SELECT <column> FROM <table> WHERE field
The first and second responses are sure =‘x‘ORname like ‗%ram%‘; --
about that there is a valid SQL run. Or there is no So gradually by refining name a good guess of user
error in the query passed, while the third one is a bad name can be achieve.
SQL since it will return a server/SQL error.
2. URL query based attack:
iii) Guessing column name: a) Finding vulnerable/target web-site:
Here in the mind of attacker is sure that The vulnerable website have URL ending
there must be email-ID and password in query along with queried field like ‗id=‘ or ‗fieldno=‘ etc. We
with other user login information. take an example: www.garo.cc

2394 | P a g e


b) Checking the Vulnerability: column field.
In order to check the vulnerability, add the For eg.
single quotes(') at the end of the url and hit enter. (No http://www.garo.cc/text.php?pageid=1 union select
space between the number and single quotes). 1,2,3,4,5 --
For eg. http://www.garo.cc/text.php?pageid=16‘ here from previous method we have found that there
If the page remains in same page or showing that are 5 numbers of columns used, so we take column
page not found or showing some other webpage, then sequence upto 5 with the union in the URL.
it is not vulnerable. The ‗--‘ sign denote the comment part from which
BUT if it showing any errors which is related to SQL the database engine can not read further coded query.
query, then it is vulnerable. On carefully observing the front face of the web-
page, we can find one or more numbers as a column
sequence which are given and executed by us
through union query. Say for example we get number
3 on the web-page, then we concluded that the
column number 3rd of the used table is the one
which is used for displaying data of that table. So
that column is vulnerable. An attacker can get many
more information from the help of that column.

e) Finding version, database, user:
Let say if in step ‗b‘ the error appeared is
related to SQL query and have mention the error
message with database as MySQL, then according to
MySQL : database(), version()/@@version, user()
can be used for getting database, its version and
currently login user name.
Figure 2-URL query based attack For example:
http://www.garo.cc/text.php?pageid=1 and union
c) Finding numbers of columns: select 1,2,database(),4,5 –
With the help of simple and basic will give the database name on the front face of that
commands of SQL we can exploit furthermore. web-page where ‗3‘ number is displayed.
Put ‗order by n‘ at the end of the URL string. Where Similarly for getting version we have to write URL
‗n‘ is the number from 1,2,3,4,5, ... and so on. as :
Change the numbers until we get the error like http://www.garo.cc/text.php?pageid=1 and union
‗Unknown column‘. The number on which you get select 1,2,database(),4,5 --
the error, you make sure the number of column in the and for user information:
table which is used in that query is previous one http://www.garo.cc/text.php?pageid=1 and union
which give no error. select 1,2,user(),4,5 –
For eg: http://www.garo.cc/text.php?pageid=1 order
by 1 -- (no error) f) Finding the table name:
http://www.garo.cc/text.php?pageid=1 order by 2 This is the very dangerous situation when
-- (no error) for simply using MySQL‘s SQL commands, we can
http://www.garo.cc/text.php?pageid=1 order by 3 get the tables used in that schema which is using in
-- (no error) the web-site.
http://www.garo.cc/text.php?pageid=1 order by 4 For example:
-- (no error) http://www.garo.cc/text.php?pageid=1 and union
http://www.garo.cc/text.php?pageid=1 order by 5 select 1,2,group_concat(table_name),4,5 from
-- (no error) information_schema.tables where table_schema =
http://www.garo.cc/text.php?pageid=1 order by 6 database() --
-- (unknow error) Say output of query is admin,garo_news,
The error may occur when we put ‗order by 6‘, then garo_categories, etc.
we must say that there are 5 columns in that table. Here attacker may take interest in ‗admin‘ table.

d) Displaying the displayable/vulnerable Here an attacker has used various MySQL feature as
columns: group_concat(table_name), it will concat all the
For finding columns which is used to tables name in a string,
display its values on web-page, we have to use information_schema.tables, it has stored all
‗union select <column 1> ... ‗ information of tables which is used for the particular
The column which is displayable on the web-page is schema.
automatically displays its sequence number in its

2395 | P a g e


table_schema=database(), it is a where clause which also restricted to 15 characters only.
takes only currently held schema. Definitely these restrictions may not allow any
attacker to put long injected SQL in LOGIN fields.
g) Finding the column name:
Here also an attacker can take full use of d. Data-type conversion must be explicit:
SQL commands of MySQL. In order to get column Always if required the datatype conversion must be
name it gives URL as : of explicitly done before query execution.
http://www.garo.cc/text.php?pageid=1 and union For example: If the username is of numeric type in
select group_concat(column_name) from database. But requirement of field( username) on the
information_schema.columns WHERE LOGIN form is of string type. Then just before query
table_name=<The table name which we get from execution the username is explicitly converted into
previous step> — numeric type then pass into query variables for
Here also the output of the above URL execution further execution.
would give all the column name in that particular This method just filters out any unwanted injected
table.From here the attacker may peek into the data SQL.
of that table, If he take ‗admin‘ table then probably
he can get login information(username,passwordetc). e. Exception handling: The major flaws in
developing the code is that it should not properly
4. Prevention of SQL Injection handled for all type of errors. Each and every code
From the previous section, we have seen must be properly handled for any type of exception
that there are various methods and types that are occurs.
used by attacker to get modified SQL query Major SQL Injection Attackers rely on errors occurs.
executed. They put some new idea and put it as a They are always waiting for responses occur when
valid SQL they use full valid functionality of SQL any SQL or related query is injected. With the help
database used and flaws of developers. of responses and errors they obtain much important
The prevention methods for the above type of attack information as we have seen in previous chapters.
are discussed as follows.
Prevention for Login Authentication attack and URL f. Avoid ‘LIKE’ in query structure:
based attack: Developer should avoid using ‗LIKE‘ in SQL code.
As it gives attacker an ease to guess values and data.
a. Reject BAD Input: For Eg: SELECT <column_name> FROM
First thing is to sanitize the input before it emp_master WHERE name like '%ADMIN%'. The
goes into the application for further query execution. attacker attempts to manipulate the SQL statement to
If the input is check before entering in application, execute as – SELECT <column_name> FROM
then the major part of prevention is done. So in emp_master WHERE name like '%'.
general, the BAD input must be restricted. Above query will substitute the input string ADMIN
to the query and will search for all the records that
b. Input Datatype: have input string anywhere in the name values. If the
In the further series of sanitize input data, we attacker injects the string then he can get all the
have to check for the datatype of user ID – input sensitivedata.
variable. Many web-application/database dependent
application requires user_ID as a numeric field. Then g. System monitoring: A full time DBA can
at those application must implement the user_ID monitor the suspicious query execution and
field to be always inputted as numeric values by transaction in the system. He might be monitoring or
setting the datatype as number type. It should restrict auditing sp_tracexxx files time to time.
the input for the characters other than numbers only.
For eg. SELECT <columns> from emp_master h. Only necessary grant and access are
where userid=:user_id; Here :user_id is a numeric made for application account in database: If the
type variable which always allows only numeric type application running with database administrator‘s
input data. account then it has potential for an attacker to
So no one can write or inject SQL code in those perform crucial commands with database. He can
fields. then able to inject many operating system level
commands to explore hard disk of server.
c. Input length Similarly if possible where ever only SELECT rights
It is wiser to set the input length of input are granted would be only granted. This will greatly
field/variable‘s length. It always restrict the input helpful to restrict injected transaction or other SQL
parameters/variables to of fixed length and restrict in system.
the attacker too for injecting unusual SQL.
For eg. User_ID can be put to maximum 20 i. Update Server by applying time-to-time
characters. Also the Password field‘s length must patches: It will avoid buffer overflow. Many

2396 | P a g e


attackers if access systems call then using system b. Escaping all encoding in query execution:
calls they make buffer overflow condition. These can If SQL keywords are escaped before query
be avoided by applying patches and keep server application, then the attackers put the encoding
update. method for injecting SQL in legitimate query. Since
simple keywords can be caught then the attackers
j. Using Parameterised Queries: Many other make their ascii code and put the encoding along
people may suggest it to prevent SQL Injection with as injected SQL.
attack while LOGIN. In this type, the query is passed
in prepared statements where it is executed using Also for an example:
procedure call. This is standard procedure call which ‗; INSERT
is much trusted. INTOemp_masterVALUES(101,char(0x68)+char(0x
61)+char(0x82)+char(0x64)+char(0x70)); --can
5. Algorithm of Proposed Solution insert an attacker‘s oriented user.
a. Escaping keywords, quotes and So if char,hex,ascii etc encoding are
comments: In most of the SQL injection attacks, detected in input and then the good input is allow to
attacker uses the SQL keywords, quotes and pass in query for execution, then the effort of
comments in the SQL query and makes the final attacker got waste. For this an algorithm is developed
query as infected. The SQL keywords, quotes and and coded in a procedure. In which different
comments are legal and are unsuspected, so the encodings are detected and prevent the infected data
attacker make use of them. for further execution in query.
So before query execution the input variables must The procedure which can detect different encoding is
be sanitize by an procedure which can detect SQL as follows:
keywords, quotes and comments.
For eg:username field is given as ‘ ; DROP TABLE procedureis_encoded_field(v_input_fieldvarchar)
emp_master; -- begin
declare
The legitimate query becomes: v_checkvarchar;
SELECT <column_name> FROM emp_master begin
WHERE name=‘‘ ;DROP TABLEemp_master; -- ‗ if (v_input_field in
and password=‘‘; (‗CHAR‘,‘ASCII‘,‘HEX‘,‘NUMBER‘,‘(‘,‘)‘)) then
The above query is too much dangerous, since it can v_check=‘TRUE‘;
delete the LOGIN table as well as user_information else
table. So before this variable is set into the query for v_check=‘FALSE‘;
further execution. An algorithm of a procedure which end if;
can detect SQL keywords, comments, is developed if v_check=‘TRUE‘ then
as follows: message(‗Retry entries.‘);
(terminate the process/action and clear the login form
procedureis_validate_field(v_input_fieldvarchar) and go to first field.);
begin endif;
declare end;
v_checkvarchar; end procedure is_encoded_field;
begin
if (v_input_field in c. Applying Encrypted data technique:
(‗SELECT‘,‘INSERT‘,‘DELETE‘,‘UPDATE‘,‘MER For LOGIN form, there are two fields: 1. Username
GE‘,‘SHUTDOWN‘,‘DROP‘,‘ALTER‘,‘CREATE‘,‘ 2. Password.
WHERE‘,‘AND‘,‘OR‘,‘EXEC‘,‘ORDER But for LOGIN/sign in one should be a registered
BY‘,‘UNION‘,‘GROUP BY‘,‘HAVINH‘,‘/‘,‘--‘)) member. Here in the technique when user register
then himself then server receives request from user and
v_check=‘TRUE‘; register as a new user. This is maintain in a user
else information table. For eg.we take that table as
v_check=‘FALSE‘; ‗emp_master‘. The table contains three fields, 1.
end if; Username 2.Password 3.Encrypted key.
if v_check=‘TRUE‘ then Here the ‗Encrypted key‘ is generated by system and
message(‗Retry entries.‘); must be unique for all registered users.
(terminate the process/action and clear the login form This ‗Encrypted key‘ is generated and saved in table
and go to first field.); at the time of user registration and use the ‗username
endif; and password‘ field in its forming, its formation is
end; initiated through calling a function:
end procedure is_validate_field; For example: At the time of user registration, the
following insert query is execute for inserting new

2397 | P a g e


user. different techniqueswhen they are subjected to real
INSERT INTO world attacks andvalidinputs.
emp_masterVALUES(‘RAM‘,‘ram_password‘,functi
on_en_key(‗RAM‘,‘ram_password‘)); REFERENCES
Here ‗function_en_key‘ is a function which [1] Advanced SQL Injection in SQL Server
generates ‗Encrypted key‘. The function‘s algorithm Applications
is as follows: [2] SQL Injection Attack and Defense
char function_en_key(:username, :password) PacketSource Security White Papers
begin declarev_enc_keyvarchar; begin v_enc_key [3] Useful stuff_ SQL-Injection Attacks on the
:= any_encryption_technique(:username||:password); example
RETURN(v_enc_key); [4] SQL Injection Cheat Sheet
end; [5] An Authentication Mechanism to prevent
end function_en_key; SQL Injection Attacks
[6] Lateral SQL Injection Revisited Final (1)
At the time of user login or sign in, username and [7] SQL Injection Signature Evasion
password should be matched with the username and Whitepaper
password in table stored in server, along with the [8] Data-Mining with SQL Injection and
‗Encrypted key‘ which is also resides in the table. Inference
If comparison is successful then the user is allow to [9] Steve Fried‘s Unixwiz.net Tech Tips
Login into the application otherwise make him retry. [10] Prevent SQL Injection in Asp.net
The comparison procedure is as follows: [11] Prevent SQL Injection in Asp.net
-- :username and :password are user supplied fields. [12] Robert J. Hansen MeredithL.Patterson
procedureis_encoded_field(:username, :password) [13] SQL injection Attacks and Defense
begin declare v_checkvarchar; begin [14] An Authentication Mechanism against
SELECT ‗x‘ INTO v_check SQL Injection
FROM emp_master
WHERE
encrypted_key=function_en_key(:username,
:password) and name=:username and
password=:password;
(exception handling)
if (v_check = ‗x‘) then
message(‗Successful
login‘);
else
message(‗Try again.‘);
(terminate the process/action and clear the login form
and go to first field.);
end if;
end;
end procedure is_encoded_field;

6. Conclusion and Future work
In this paper, we have described a brief
study of SQL injection as well as a solutionfor
preventing SQLInjection Attacks. To perform this
assessment firstly identified the detection of SQL
Injection vulnerability. SQLInjection Attacks can be
introduced into anapplication and identified which
method was able to hold which mechanism. Lot of
the techniques have trouble handling attacks that
acquire advantage of poorlycodedstored procedures
and SQL queries cannot handleattacks. This variation
could be clarified by the detailthat focused on
Prevention of sql injection.
Future work should focus on optimized and
evaluating thetechniques correctness and usefulness
in practice. Practicalestimation will be performing
which permitcomparing the performance of the

2398 | P a g e

Op2423922398

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Destaque

Destaque (7)

Semelhante a Op2423922398

Semelhante a Op2423922398 (20)

Último

Último (20)

Op2423922398