PROTECT YOUR WEBSITE FROM SQL INJECTION ATTACKS
What makes the threat of SQL injection attacks so dangerous is the ease in which they can be launched and how many are vulnerable to them.
Attackers often use large botnets to systematically seek out vulnerable to attack with little work being done on their part. Pair this with the fact that the number of sites vulnerable to this type of attack grows each year and it is clear to see why it remains at the top of the most critical vulnerabilities.
RISKS ASSOCIATED WITH SQL INJECTION
Even with the ease that an automated SQL injection attack can be carried if the attackers stood to gain nothing this threat would soon disappear. Unfortunately, those who successfully compromise vulnerable can find that this vulnerability can be quite profitable as they give the attacker access to the database so information can be sold or data can be deleted. More advanced techniques can also be used to give the attacker unrestricted access to the system through a backdoor. SQL injection can also be used in tandem with other exploits, such as cross-site scripting, to manipulate how data is displayed to a web sites visitors.
Not preventing SQL Injection attacks leaves your business at great risk of:
Changes to or deletion of highly sensitive business information.
Steal customer information such as social security numbers, addresses, and credit card numbers.
Theft of intellectual property
Legal liability and fines
How does an attacker compromise your SQL server?
Before a can be compromised, an attacker needs to find applications that are vulnerable to SQL injection using queries to learn the SQL application methods and its response mechanisms.
The attacker has two ways to identify SQL injection vulnerabilities:
1. Error messages: the attacker constructs the correct SQL syntax based on errors messages propagated from the SQL server via the front-end web application. Using the errors received, the hacker learns the internal SQL database structure and how to attack by injecting SQL queries via the Web application parameters.
2. Blindfolded Injection: this technique is utilized by hackers in situations where no error messages or response content is returned from the database. In these cases, the attacker lacks the ability to learn the backend SQL queries in order to balance the SQL injection query. In the lack of database content output within the Web application, the attacker is also challenged with finding a new way of retrieving the data.
Identifying the database
When the attacker knows how each database is reacting he or she can identify the database type and the server that is running it.
There are several techniques the attacker uses to identify database objects in statement.
Using a concatenation string:
1. select f1+f2
2. Using a semicolon or cash sign ($)
Compromising the SQL server
Once the attacker has all information he can build the exploit code.
Some techniques used to execute SQL Injection attacks are:
Terminating queries using quotes, double-quotes, SQL comments
Using stored procedures
Database manipulation commands such as TRUNCATE, DROP
Using CASE WHEN, EXEC to run nested queries
Utilizing SQL injection to create Buffer Overflow attacks within the database server
Delivering SQL queries via XML and Services
Blindfolded SQL Injection techniques:
- Blindfolded injection techniques using Boolean queries and WAITFOR DELAY
- Comparison queries using commands such as BETWEEN, LIKE, ISNULL
- Using CONVERT & CAST commands to mask the attack payload Using Null bytes to break the signature pattern
- Using HEX encoding mixtures
- Using SQL CHAR() to represent ASCII values as numbers
For example, the attacker decides to go with a basic attack using:
1 = 1-
What happens when this is entered into an input box is that the server recognizes 1 = 1 as a true statement. Since - is used for commenting, everything after that is ignored making it possible for the attacker to gain access to the database. You can see precisely how this attack works on our SQL injection example page.
The Need to Avoid SQL Injection Attacks
SQL injection techniques have been around for over 10 years now, but recent years have seen a dramatic increase in both number of attacks and the extent of damage caused by them. In fact, a sweep of attacks in the second quarter of 2008 alone resulted in over 500,000 exploited web pages that were compromised to deliver password-stealing malware to users' computers. In more recent studies, security firms report attempted attacks reaching totals of 450,000 per day.
The tragedy is that these threats can be mitigated, or even prevented, with the proper tools and knowledge.
The attacker identifies vulnerabilities and obtains database access SQL (Structured Query Language) provides an interface to facilitate access to and interaction with a database. A database usually stores data in tables and procedures.
SQL Injection is a security exploit method in which the attacker aims at penetrating a back-end database to manipulate, steal or modify information in the database. The SQL Injection attack method exploits the Web application by injecting malicious queries, causing the manipulation of data. Almost all SQL databases and programming languages are potentially vulnerable and over 60% of websites turn out to be vulnerable to SQL Injection.
The threat posed by SQL injection attacks are not solitary. Combined with other vulnerabilities like cross-site scripting, path traversal, denial of service attacks, and buffer overflows the need for owners and administrators to be vigilant is not only important but overwhelming.
PREVENTING SQL INJECTION ATTACKS
Stored procedure names
Comparison queries using commands such as BETWEEN, LIKE, ISNULL
Database manipulation commands such as TRUNCATE, DROP
Reserved words such as CASE WHEN, EXEC
Blindfolded injection techniques such as Boolean queries and WAITFOR DELAY
Database-unique attacks relating to Oracle, MySQL, MS-SQL
Signature evasion techniques such as using CONVERT & CAST
Buffer overflow attacks via SQL Injection
XML and Web-Services encapsulating SQL Injection techniques
Null byte signature evasion
HEX encoding mixtures for signature evasion
Using SQL CHAR() for signature evasion
Zero-day protection against MS-SQL stored procedure attacks such as MS08-040
ARTICLE SOURCE: This factual content has not been modified from the source. This content is syndicated news that can be used for your research, and we hope that it can help your productivity. This content is strictly for educational purposes and is not made for any kind of commercial purposes of this blog.