Sql injection
Download as PPTX, PDF1 like1,618 views
This document discusses SQL injection attacks and how to prevent them. It describes different types of SQL injection like blind SQL injection and union-based injection. It provides examples of vulnerable code and how attackers can exploit it. Finally, it recommends best practices for prevention, including using parameterized queries, stored procedures, input validation, and secure configuration.
Sql injection
- 2. SQL Injection › Blind SQL Injection Vulnerable Code Exploit › Classic Login Page Vulnerability › Error Based Injection(SQL Server) › Union Based Injection › Injection SQL Command › Running CMD Command › Blind Injection Attack
- 3. How to Prevent › Parameterized Query › Use of Stored Procedure › Escaping All User Supplied Input › Additional Defenses(Configuration) Latest Privilege Isolate the Web Server Turning off Error Reporting PHP Configuration
- 4. A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/ Update/ Delete), execute administration operations on the database (such as shutdown the DBMS).
- 5. SQL Injection recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. SQL injection is one of the oldest attacks against web applications.
- 6. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application rather then getting a useful error message they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.
- 7. SQL Injection happens when a developer accepts user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it. Attackers commonly insert single quotes into a URL's query string, or into a forms input field to test for SQL Injection. Every code that uses user inputs to generate SQL queries without sanitization is vulnerable to SQL injections.
- 9. SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, Java EE and ASP.NET applications are less likely to have easily exploited SQL injections. SQL injection bugs is very various so it is very difficult to identify the actual procedure of preventing SQL injection.
- 10. The attacker attempts to elicit exception conditions and anomalous behavior from the Web application by manipulating the identified inputs. › Special Characters › White Space › SQL Keywords › Oversized request
- 11. Any unexpected reaction from the Web application is noted and investigated by the attackers. › Scripting Error Message possibly with snippets of code › Server Errors Error 500/ Error 513 › Half Loader Page › Timed out Server Request
- 12. Attackers often try following inputs to determine if web application has sql injection bug or not. › ' › or 1=1 › or 1=1— › " or 1=1— › or 1=1--' › or 'a'='a › " or "a"="a › ') or ('a'='a
- 13. Here is a login SQL query- › var sql = "select * from users where username = '" + username + "' and password = '" + password + "'"; In a normal login when user inputs are followings: › Username: John › Password: 1234 The query string is: › select * from users where username = 'John' and password = '1234'
- 14. But if user manipulates input like the followings: › Username: John › Password: i_dont_know' or 'x'='x Then the query becomes: › select * from users where username = 'John' and password = 'i_dont_know' or 'x'='x‘ So 'where clause' is true for every row of table and user can login without knowing password!
- 15. If the user specifies the following: › Username: '; drop table users-- The 'users' table will be deleted, denying access to the application for all users. › The '--' character sequence is the 'single line comment' sequence in Transact-SQL. › The ';' character denotes the end of one query and the beginning of another. › The '--' at the end of the username field is required in order for this particular query to terminate without error.
- 16. The attacker could log on as any user, given that they know the users name, using the following input: › Username: admin‘-- The attacker could log in as the first user in the 'users' table, with the following input: › Username: ' or 1=1-- the attacker can log in as an entirely fictional user with the following input: › Username: ' union select 1, 'fictional_user', 'some_password', 1 --
- 17. This is the most common attack on Microsoft SQL Server. This kind of attack is based on 'error message' received from server. Error messages that are returned from the application, the attackers can determine the determine the entire structure of the database or can get any value that can be read only by a user of that application.
- 18. The UNION operator is used to combine the result-set of two or more SELECT statements. In this kind of injection attacker tries to inject a union operator to the query to change the result to read information. Union based attacks look like this: › Username: junk' union select 1,2,3,4,... -- Notice that each SELECT statement within the UNION must have the same number of columns.
- 19. Attacker can inject sql commands if the data base supports stacked queries. In most of data bases it is possible to executing more than one query in one transaction by using semicolon ( ;). Following example show how to create a table named foo which has a single column line by injecting stacked query: › Username: ' create table foo (line varchar(1000))--
- 20. This can only work on Microsoft SQL Server. Attacker can use stored procedures to do things like executing commands. xp_cmdshell is a built-in extended stored procedure that allows the execution of arbitrary command lines. For example: › Username: '; exec master..xp_cmdshell 'dir‘--
- 21. Some of MS-SQL Extended stored procedures are listed below: › xp_cmdshell - execute shell commands › xp_enumgroups - enumerate NT user groups › xp_logininfo - current login info › xp_grantlogin - grant login rights › xp_getnetname - returns WINS server name › xp_regdeletekey - registry manipulation › xp_msver - SQL server version info
- 22. An attacker may verify whether a sent request returned True or False in a few ways: › (in)visible content: Having a simple page, which displays article with given ID as the parameter, the attacker may perform a couple of simple tests if a page is vulnerable to SQL Injection attack. › Example URL: http://newspaper.com/items.php?id=2 › Sends the following query to the database: SELECT title, description, body FROM items WHERE ID = 2
- 23. › Timing Attack: A Timing Attack depends upon injecting the following MySQL query: SELECT IF(expression, true, false) › Using some time-taking operation e.g. BENCHMARK(), will delay server responses if the expression is True. BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')) › This will execute 5000000 times the ENCODE function.
- 24. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied. Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.
- 25. Language specific recommendations: › Java EE – use PreparedStatement() with bind variables › .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables › PHP – use PDO with strongly typed parameterized queries (using bindParam()) › Hibernate - use createQuery() with bind variables (called named parameters in Hibernate)
- 27. Stored procedures have the same effect as the use of prepared statements when implemented safely. They require the developer to define the SQL code first, and then pass in the parameters after. The difference between prepared statements and stored procedures is that the SQL code for a stored procedure is defined and stored in the database itself, and then called from the application.
- 28. This is a technique to escape user input before putting it in a query. This is a very useful method because this can be applied with almost no effect on the structure of the code. This actually removes some special characters from the input data that are highly vulnerable to the DBMS such as- * , ` ( ) - -- ;
- 29. Least Privilege › Web applications should not use one connection for all transactions to the database. Because if a SQL Injection bug has been exploited, it can grant most access to the attacker. Isolate the Webserver › Design the network infrastructure to assume that attackers will have full administrator access to the machine, and then attempt to limit how that can be leveraged to compromise other things.
- 30. Turning off error reporting › The default error reporting for some frameworks includes developer debugging information, and this cannot be shown to outside users. PHP Configuration › PHP Configuration has a direct bearing on the severity of attacks. › many “security” options in PHP are set incorrectly by default and give a false sense of security.