Ch05 (I) (SQL Injection)
SQL Injection

Structured Query Language


• Structured Query Language (SQL)
– originally developed by IBM in the mid-1970s
– standardized language to define, manipulate,
and query data in a relational database
– several similar versions of the ANSI/ISO standard

CREATE TABLE department (
Did INTEGER PRIMARY KEY,
Dname CHAR (30),
Dacctno CHAR (6) )

CREATE TABLE employee (
Ename CHAR (30),
Did INTEGER,
SalaryCode INTEGER,
Eid INTEGER PRIMARY KEY,
Ephone CHAR (10),
FOREIGN KEY (Did) REFERENCES department (Did) )

CREATE VIEW newtable (Dname, Ename, Eid, Ephone)
AS SELECT D.Dname, E.Ename, E.Eid, E.Ephone
FROM department D, employee E
WHERE E.Did = D.Did

SQL injection attacks
• One of the most prevalent and dangerous network-based
security threats
• Sends malicious SQL commands to the database server
• Depending on the environment SQL injection can also be
exploited to:
– Modify or delete data
– Execute arbitrary operating system commands
– Launch denial-of-service (DoS) attacks

A typical injection attack (figure)

Sample SQL injection
• The SQLi attack typically works by prematurely
terminating a text string and appending a new command

SELECT fname
FROM student
WHERE fname = 'user prompt';

User: John'; DROP TABLE Course;--

SQLi attack avenues
• User input: Attackers inject SQL commands by providing suitably
crafted user inputs.
– Typically comes from form submissions that are sent to the web application via
HTTP GET or POST
• Server variables: Collection of variables that contain HTTP headers,
network protocol headers and environment variables. Attackers can
forge these values, which are then used when the query is built.
• Second-order injection: Occurs when incomplete prevention
mechanisms against SQLi attacks are in place. The attack occurs
from within the system.
• Cookies: Store the client's state information. An attacker can alter
cookies such that the structure and function of the query is
modified.

In-band attacks
• Tautology: This form of attack injects code into one or
more conditional statements so that they always evaluate
to true
• End-of-line comment: After injecting code into a
particular field, the legitimate code that follows is nullified
by an end-of-line comment
• Piggybacked queries: The attacker adds additional
queries beyond the intended query, piggy-backing the
attack on top of a legitimate request

Sample SQL injection: tautology
$query = "
SELECT info FROM users WHERE name =
'{$_GET['name']}' AND pwd = '{$_GET['pwd']}'
";

Attacker enters (as name): ' OR 1=1 --

Resulting query:
SELECT info FROM users WHERE name = '' OR 1=1 --' AND
pwd = ''

Inferential attack
• There is no actual transfer of data. The attacker
reconstructs information through an inference channel.
• Illegal/logically incorrect queries: The attacker gathers information
about the type and structure of the backend database.
– a preliminary, info-gathering step for other attacks
– the default error page returned by application servers is often descriptive
• Blind SQL injection: Allows attackers to infer data even when the system
is configured not to display any error information to the attacker.
– The attacker asks TRUE/FALSE questions.
– If TRUE, the site continues normal operation
– If FALSE, the page differs significantly from normal operation
– https://owasp.org/www-community/attacks/Blind_SQL_Injection

Out-of-band attack
• This can be used when there are limitations on
information retrieval, but outbound connectivity from the
database server is lax

SQLi countermeasures
• Defensive coding: stronger data validation
• Detection
– Signature based
– Anomaly based
– Code analysis
• Runtime prevention: Check queries at runtime to see if
they conform to a model of expected queries
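The tautology attack from the earlier slide run against both the string-built query and a parameterized one, plus a simplified runtime check that compares each query's shape against an expected model. This is an added example, not code from the slides; the in-memory users table, the sample rows and the EXPECTED_SHAPE model are constructed here.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the slides' "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT, info TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "alice-record"),
                      ("bob", "hunter2", "bob-record")])
    return conn

def build_query(name: str, pwd: str) -> str:
    # Same construction as the slides' PHP: input is spliced into the SQL text.
    return f"SELECT info FROM users WHERE name = '{name}' AND pwd = '{pwd}'"

def lookup_vulnerable(conn: sqlite3.Connection, name: str, pwd: str) -> list[str]:
    return sorted(row[0] for row in conn.execute(build_query(name, pwd)))

def lookup_parameterized(conn: sqlite3.Connection, name: str, pwd: str) -> list[str]:
    # Defensive coding: placeholders bind input as data after the query
    # structure is fixed, so quotes in the input cannot alter the WHERE clause.
    sql = "SELECT info FROM users WHERE name = ? AND pwd = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pwd)))

# Runtime prevention (simplified, hypothetical model): the expected shape of
# the query once every string literal is replaced by a placeholder.
EXPECTED_SHAPE = "SELECT info FROM users WHERE name = ? AND pwd = ?"
LITERAL = re.compile(r"'(?:[^']|'')*'")

def query_shape(sql: str) -> str:
    return LITERAL.sub("?", sql)

def conforms(sql: str) -> bool:
    # A tautology leaves "OR 1=1 --" outside any literal, so the shape no
    # longer matches the model and the query should be rejected.
    return query_shape(sql) == EXPECTED_SHAPE

if __name__ == "__main__":
    db = make_db()
    for name, pwd in [("alice", "s3cret"), ("' OR 1=1 --", "x")]:
        q = build_query(name, pwd)
        print(repr(name), "vulnerable:", lookup_vulnerable(db, name, pwd),
              "parameterized:", lookup_parameterized(db, name, pwd),
              "conforms:", conforms(q))
```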
