SQL Injection Attack
SQL Injection Attack. How to prevent SQL Injection Attacks?
WHAT IS SQL INJECTION
SQL injection, also known as SQLI,
is a common attack vector that uses malicious SQL code for backend
database manipulation to access information that was not intended to be
displayed. This information may include any number of items, including
sensitive company data, user lists or private customer details.
SQL Injection Attacks
SQL injection is a hacking technique that was discovered more
than fifteen years ago and is still proving to be devastatingly
effective today, remaining a top database security priority. It was used
in the run-up to the 2016 U.S. presidential election to compromise the personal data of 200,000
Illinois voters, as well as in high-profile attacks against
organizations such as Sony Pictures, PBS, Microsoft, Yahoo, Heartland
Payment Systems, and even the CIA.
SQL,
or Structured Query Language, is the command-and-control language for
relational databases such as Microsoft SQL Server, Oracle, and MySQL. In
modern web development, these databases are often used on the back end
of web applications and content management systems written in PHP,
ASP.NET or other scripting languages – meaning that both the content and
behavior of many websites is built on data in a database server.
Steps To Prevent SQL Injection Attacks
1) Trust
no one: Assume all user-submitted data is evil so use input validation
via a function such as MySQL's mysql_real_escape_string() to ensure that
any dangerous characters such as ' are not passed to a SQL query in
data. You should also sanitize everything by filtering user data by
context. For example, email addresses should be filtered to allow only
the characters allowed in an e-mail address, phone numbers should be
filtered to allow only the digits allowed in a phone number, and so on.
2) Don't
use dynamic SQL – don't construct queries with user input: Even data
sanitization routines can be flawed, so use prepared statements,
parameterized queries or stored procedures instead whenever possible.
But don't forget that while stored procedures prevent some types of SQL
injection attacks, they fail to protect against many others, so don't
rely exclusively on their use for your security.
3) Update
and patch: Vulnerabilities in applications and databases that hackers
can exploit using SQL injection are regularly discovered, so it's vital
to apply patches and updates as soon as practical. A patch management
solution might be worth the investment.
4) Use
appropriate privileges: Don't connect to your database using an account
with admin-level privileges unless there is some compelling reason to
do so. Using a limited access account is far safer, and can limit what a
hacker is able to do. For example, the code behind a login page should
query the database using an account limited only to the relevant
credentials table. This way, a breach through this channel cannot be
leveraged to compromise the entire database.
5) Keep
your secrets secret: Assume that your application is not secure and act
accordingly by encrypting or hashing passwords and other confidential
data, including connection strings.
6) Don't
divulge more information than you need to: Hackers can learn a great
deal about database architecture from error messages, so ensure that
they display minimal information. Use the "RemoteOnly" customErrors mode
(or equivalent) to display verbose error messages on the local machine
while ensuring that an external hacker gets nothing more than the fact
that his or her actions resulted in an unhandled error.
7) Continuously
monitor SQL statements from database-connected applications: This will
help identify rogue SQL statements and vulnerabilities. Monitoring tools
that utilize machine learning and/or behavioral analysis can be
especially useful.
8) Buy
better software: Make code writers responsible for checking the code
and for fixing security flaws in custom applications before the software
is delivered. SANS suggests you incorporate terms from this sample
contract into your agreement with any software vendor.
⦁ Error-based SQLi
Error-based
SQLi is an in-band SQL Injection technique that relies on error
messages thrown by the database server to obtain information about the
structure of the database. In some cases, error-based SQL injection
alone is enough for an attacker to enumerate an entire database. While
errors are very useful during the development phase of a web
application, they should be disabled on a live site, or logged to a file
with restricted access instead.
1. Union-based SQLi
Union-based
SQLi is an in-band SQL injection technique that leverages the UNION SQL
operator to combine the results of two or more SELECT statements into a
single result which is then returned as part of the HTTP response.
2. Inferential SQLi (Blind SQLi)
Inferential
SQL Injection, unlike in-band SQLi, may take longer for an attacker to
exploit, however, it is just as dangerous as any other form of SQL
Injection. In an inferential SQLi attack, no data is actually
transferred via the web application and the attacker would not be able
to see the result of an attack in-band (which is why such attacks are
commonly referred to as “blind SQL Injection attacks”). Instead, an
attacker is able to reconstruct the database structure by sending
payloads, observing the web application’s response and the resulting
behavior of the database server.
The two types of inferential SQL Injection are Blind-boolean-based SQLi and Blind-time-based SQLi.
1. Boolean-based (content-based) Blind SQLi
Boolean-based
SQL Injection is an inferential SQL Injection technique that relies on
sending an SQL query to the database which forces the application to
return a different result depending on whether the query returns a TRUE
or FALSE result.
Depending
on the result, the content within the HTTP response will change, or
remain the same. This allows an attacker to infer if the payload used
returned true or false, even though no data from the database is
returned. This attack is typically slow (especially on large databases)
since an attacker would need to enumerate a database, character by
character.
2. Time-based Blind SQLi
Time-based
SQL Injection is an inferential SQL Injection technique that relies on
sending an SQL query to the database which forces the database to wait
for a specified amount of time (in seconds) before responding. The
response time will indicate to the attacker whether the result of the
query is TRUE or FALSE.
Depending
on the result, an HTTP response will be returned with a delay, or
returned immediately. This allows an attacker to infer if the payload
used returned true or false, even though no data from the database is
returned. This attack is typically slow (especially on large databases)
since an attacker would need to enumerate a database character by
character.
3. Out-of-band SQLi
Out-of-band
SQL Injection is not very common, mostly because it depends on features
being enabled on the database server being used by the web application.
Out-of-band SQL Injection occurs when an attacker is unable to use the
same channel to launch the attack and gather results.
Out-of-band
techniques, offer an attacker an alternative to inferential time-based
techniques, especially if the server responses are not very stable
(making an inferential time-based attack unreliable).
Out-of-band
SQLi techniques would rely on the database server’s ability to make DNS
or HTTP requests to deliver data to an attacker. Such is the case with
Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS
requests to a server an attacker controls; as well as Oracle Database’s
UTL_HTTP package, which can be used to send HTTP requests from SQL and
PL/SQL to a server an attacker controls.
SQL Injection Attacks
SQL injection is a hacking technique that was discovered more
than fifteen years ago and is still proving to be devastatingly
effective today, remaining a top database security priority. It was used
in the run-up to the 2016 U.S. presidential election to compromise the personal data of 200,000
Illinois voters, as well as in high-profile attacks against
organizations such as Sony Pictures, PBS, Microsoft, Yahoo, Heartland
Payment Systems, and even the CIA.
SQL,
or Structured Query Language, is the command-and-control language for
relational databases such as Microsoft SQL Server, Oracle, and MySQL. In
modern web development, these databases are often used on the back end
of web applications and content management systems written in PHP,
ASP.NET or other scripting languages – meaning that both the content and
behavior of many websites is built on data in a database server.2) Don't use dynamic SQL – don't construct queries with user input: Even data sanitization routines can be flawed, so use prepared statements, parameterized queries or stored procedures instead whenever possible. But don't forget that while stored procedures prevent some types of SQL injection attacks, they fail to protect against many others, so don't rely exclusively on their use for your security.
3) Update and patch: Vulnerabilities in applications and databases that hackers can exploit using SQL injection are regularly discovered, so it's vital to apply patches and updates as soon as practical. A patch management solution might be worth the investment.
4) Use appropriate privileges: Don't connect to your database using an account with admin-level privileges unless there is some compelling reason to do so. Using a limited access account is far safer, and can limit what a hacker is able to do. For example, the code behind a login page should query the database using an account limited only to the relevant credentials table. This way, a breach through this channel cannot be leveraged to compromise the entire database.
5) Keep your secrets secret: Assume that your application is not secure and act accordingly by encrypting or hashing passwords and other confidential data, including connection strings.
6) Don't divulge more information than you need to: Hackers can learn a great deal about database architecture from error messages, so ensure that they display minimal information. Use the "RemoteOnly" customErrors mode (or equivalent) to display verbose error messages on the local machine while ensuring that an external hacker gets nothing more than the fact that his or her actions resulted in an unhandled error.
7) Continuously monitor SQL statements from database-connected applications: This will help identify rogue SQL statements and vulnerabilities. Monitoring tools that utilize machine learning and/or behavioral analysis can be especially useful.
8) Buy better software: Make code writers responsible for checking the code and for fixing security flaws in custom applications before the software is delivered. SANS suggests you incorporate terms from this sample contract into your agreement with any software vendor.
Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.
1. Union-based SQLi
Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
2. Inferential SQLi (Blind SQLi)
Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads, observing the web application’s response and the resulting behavior of the database server.
The two types of inferential SQL Injection are Blind-boolean-based SQLi and Blind-time-based SQLi.
1. Boolean-based (content-based) Blind SQLi
Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.
2. Time-based Blind SQLi
Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.
Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
3. Out-of-band SQLi
Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.
Out-of-band techniques, offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).
Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
0 Comments