The module for this lesson is still under development. Please contact us if you have any questions.
SQL Injections–Introduction
1. Read Background
2. Execute Lab Assignment
3. Complete Security Checklist
4. Answer Discussion Questions
Summary:
SQL injection is an attack technique that exploits a security vulnerability in the database layer of an application. Attackers use injections to obtain unauthorized access to the underlying data, its structure, and the DBMS itself. It is one of the most common web application vulnerabilities.
Description:
A database is the heart of many, if not all, web applications: it stores the information the application needs, such as credit card information, customer demographics, customer orders and client preferences. Consequently, databases have become attractive and very lucrative targets for attackers. SQL injections happen when a developer accepts user input that is placed directly into a SQL statement without properly validating it and filtering out dangerous characters. This allows an attacker to alter the SQL statements passed to the database and not only to steal data from your database, but also to modify and delete it.
A database is vulnerable to SQL injection when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed. SQL injection attacks are also known as SQL insertion attacks.
Injection vulnerabilities, such as SQL, LDAP, HTTP header and OS command injection, were ranked number one in the OWASP (Open Web Application Security Project) Top 10 Web Application Vulnerabilities 2010 and in the Top 25 Most Dangerous Software Errors 2011.
Risk: How can it happen?
SQL injection attacks occur when a web application does not validate values received from a web form, cookie, input parameter, etc. before passing them to SQL queries that will be executed on a database server. This allows an attacker to craft the input so that it is interpreted as code rather than as data.
The risk of SQL injection is usually very high and the consequences are severe. A successful attack can bypass authentication and authorization to gain full control of the database, steal sensitive data, change users' passwords, retrieve users' credentials, add non-existent accounts, drop tables, make illegal financial transactions, destroy the existing database, and more. The following table summarizes SQL injection examples that result in different types of threat.
Types of Threat | SQL Injection Examples
Spoofing |
Tampering |
Repudiation |
Information disclosure |
Denial of service |
Elevation of privilege |
Example of occurrence:
In 2011, the hacker group LulzSec used SQL injection attacks to make databases disclose user names and passwords from websites, including one associated with the F.B.I.'s InfraGard program, Sony Pictures and NATO's online bookstore, and to deface the PBS site.
http://www.pcworld.com/article/231303/lulzsec_anonymous_hacks_were_avoidable_report_says.html
Examples:
A dynamic SQL statement is constructed at execution time. Consider the following example written in .NET, where the input is provided by the user:
Query = "SELECT * FROM users WHERE username = '" + request.getParameter("input") + "'";
Below is the statement that this code builds:
SELECT * FROM users WHERE username = 'input'
SQL Manipulation Attacks:
The most common SQL injection is SQL manipulation, where the attacker modifies an existing SQL query so that the database executes a statement the developer never intended. Consider a login query built from two user-supplied values:
SELECT * FROM Users WHERE loginName = '$user' AND loginPassword = '$password'
What if the user enters:
$user = ' OR '1' = '1
$password = ' OR '1' = '1
Since 1=1 is always true, the query succeeds and the attacker bypasses authentication. Similar attacks can be conducted against numeric fields, for which no quotes are included.
Another variation of the SQL manipulation attack is to insert two consecutive dashes (--), or # in MySQL, which comments out everything after it:
SELECT * FROM Users WHERE loginName = 'John' -- AND Password = anything
SELECT * FROM Customers WHERE AccNumber = 1 OR 1 = 1 # AND Pin = anything
Code Injection Attack:
Another type of SQL injection attack, called a code injection attack, appends an additional SQL statement or executable command right after the vulnerable SQL statement:
SELECT * FROM Users WHERE UserName = 'John' AND Password = 'myPassword'; DROP TABLE users;
Alternatively, an attacker can create a backdoor to the database by inserting a new record into the user table, which would then let them log in to the application as an apparently legitimate user.
Demo:
1. OWASP WebGoat is a great web security teaching tool and a deliberately insecure web application. For this assignment, you need to install WebGoat 5.2:
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project OR http://code.google.com/p/webgoat/downloads/detail?name=readme-5.2.txt&can=2&q=
Consult the WebGoat User and Install Guide, available from the first WebGoat link above, for installation instructions. You are free to install it on the operating system of your choice. After you unpack WebGoat, the readme.txt file explains how to start it and access WebGoat through your web browser. Make sure that you take your computer off the Internet before using WebGoat. Work through the following WebGoat lessons:
1. Numeric SQL Injection
2. String SQL Injection
3. LAB: SQL Injection
2. You also need to install WebScarab, which is an intercepting proxy:
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Discussion Questions:
1. What are some examples of web applications that connect to a database server to access data?
2. What is the impact of SQL injection vulnerabilities?
3. What is the main reason for the existence of SQL injection vulnerabilities?