
Today's world depends heavily on web applications, whether for shopping or for financial transactions, so securing these applications is very important. Most transaction and customer information for these web applications is stored in backend databases. One of the vulnerabilities of these web applications is the SQL (Structured Query Language) injection attack. Second-order SQL injection is a serious threat to web applications, and it is more difficult to detect than first-order SQL injection: the attack payload comes from untrusted user input that is stored in the database or file system, the SQL statement submitted by the web application is usually assembled dynamically from a trusted constant string in the program and untrusted user input, and the DBMS is unable to distinguish the trusted and untrusted parts of a SQL statement.
The SQL injection attack is one of the most serious security vulnerabilities in web application systems; most of these vulnerabilities are caused by a lack of input validation and a failure to use SQL parameters. Typical SQL injection attacks and prevention technologies are introduced in this paper. The detection methods not only validate user input but also use type-safe SQL parameters. A SQL injection defense model is established according to the detection process, which is effective against SQL injection vulnerabilities. SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Web applications are everywhere on the Internet. Almost everything you do online is done through a web application, whether you know it or not. They come in the form of web-based email, forums, bulletin boards, bill payment, recruitment systems, health benefit and payroll systems. It is important to understand that these types of websites are all database driven. Databases are an essential element of web applications because they store user preferences, personally identifiable information, and other sensitive user information. Web applications interact with databases to dynamically build customized content for each user. The web application communicates with the database using Structured Query Language (SQL). SQL is a programming language for managing databases that allows you to read and manipulate data in MySQL, SQL Server, Access, Oracle, DB2, and other database systems. The relationship between the web application and the database is commonly abused by attackers through SQL injection. SQL injection is a type of injection attack in which SQL commands are supplied in user-input variables, such as a web form entry field, in an attempt to trick the web application into executing the attacker's code on the database.
How it works:
Code injection is a type of exploitation caused by processing invalid user input. The concept of an injection attack is to inject (or insert) malicious code into a program so as to change the structure of the SQL query. Such an attack may be performed by adding strings of malicious characters to data values in a form or to argument values in a URL. Injection attacks generally take advantage of improper validation of input/output data. A SQL Injection Attack (SQLIA) is a type of code injection attack consisting of the injection of malicious SQL commands, by means of input data sent from the client to the application, that are later passed to the database instance for execution with the aim of affecting the execution of predefined SQL commands. There are a number of ways a programmer or system administrator can prevent or counter attacks on their systems: techniques applied during the application's development cycle, such as parameterized queries, least privilege, separate database accounts, customized error messages, and so on. Although these techniques remain the best way to prevent SQL injection vulnerabilities, their application is problematic in practice. They are prone to human error and are not applied as rigorously and completely as automated techniques. While most developers do make an effort to code safely, it is extremely difficult to apply defensive coding practices rigorously and correctly to all sources of input.
Manuscript received January 22, 2013; revised April 15, 2013. S. Sajjadi is with the Department of Electrical, Computer and IT Engineering, Islamic Azad University, Qazvin Branch, Qazvin, Iran (e-mail: s.sajjadi@qiau.ac.ir). B. Tajalli Pour is with Department of Computer Engineering, Islamic Azad University, Tehran North Branch, Tehran, Iran (e-mail: bahar_tj@yahoo.com).
In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included in an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server.
The following server-side pseudo-code is used to authenticate users to the web application.
The above script is a simple example of authenticating a user with a username and a password against a database that has a table named users with a username column and a password column.
The above script is vulnerable to SQL Injection because an attacker could submit malicious input in such a way that would alter the SQL statement being executed by the database server.
A simple example of an SQL Injection payload is setting the password field to password' OR 1=1.
This would result in the following SQL query being run against the database server.
An attacker can also comment out the rest of the SQL statement to control the execution of the SQL query further.
Once the query executes, the result is returned to the application to be processed, resulting in an authentication bypass. If authentication bypass is possible, the application will most likely log the attacker in with the first account from the query result; the first account in a database is usually that of an administrative user.
To be successful, an attacker will first need to map out the tables in the database, a process called database footprinting. As Beth Breidenbach states: “Footprinting, or identifying the configuration of the server, is one of the first steps in deciding how to attack a site.”
Conclusion:
In our paper, we have tried to discuss the modern SQL Injection attacks, which are less known to the general public as well as to many researchers. They are very typical attacks carried out on web applications and web sites. They take a considerable amount of time to understand, as they are quite complex compared with the classical SQL Injection attacks. We have discussed the prevention and detection techniques for these attacks that we were able to find and apply in order to prevent them. The prevention and detection techniques discussed are limited because very little research has been done on these types of attacks. These attacks can overcome the previous detection and prevention techniques; hence, proper coding of a web application sometimes holds very little value, as it can be overcome easily. Developers should have a good knowledge of these types of attacks, which can destroy a web application and whose implications can affect the business of an organization. Lastly, we have come up with an evaluation of the different detection and prevention techniques, in which we compared them and identified the general characteristics of the tools used. Future research or evaluation can be done to produce simpler and better protection and detection techniques while keeping in mind the comparative performance of the different techniques related to Blind SQL Injection, Fast Flux SQL Injection and Compounded SQL Injection. Databases often contain sensitive information; therefore, an attacker could compromise confidentiality by viewing tables. An attacker may also jeopardize integrity by changing or deleting database records using SQL injection. In other words, an attacker could modify the queries to disclose, destroy, corrupt, or otherwise change the underlying data. It may even be possible to log in to a web application as another user with no knowledge of the password if non-validated SQL commands are used to verify usernames and passwords.
If a user's level of authorization is stored in the database, it may also be changed through SQL injection, granting them more permissions than they should possess. If SQL queries are used for authentication and authorization, an attacker could alter the logic of those queries and bypass the security controls set up by the administrator. Web applications may also be vulnerable to second-order SQL injection. A second-order SQL injection attack occurs when user-supplied data is first stored in the database, then later retrieved and used as part of a vulnerable SQL query. It is important to know how to identify and remediate SQL injection vulnerabilities, because the vast majority of data breaches are due to poorly coded web applications. Any code that constructs SQL statements should be reviewed for SQL injection vulnerabilities, since a database server will execute every query that is syntactically valid. Also, keep in mind that even data that has been parameterized at one point can later be manipulated by a skillful and persistent attacker. Therefore, web applications should be built with security in mind and regularly tested for SQL injection vulnerabilities.
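Both the login check described under "How it works" and the second-order case just described, as an added example that is not part of the original paper: each query that concatenates input is paired with its parameterized form and run against a constructed in-memory SQLite users table. The function names, the sample accounts and the stored test value are assumptions made for this demonstration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the page's users table; rows are made up and
    # plaintext passwords only mirror the page's example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # First-order flaw: input is spliced into the SQL text, so a quote and a
    # comment marker in the password field rewrite the statement the DBMS runs.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    # Type-safe parameters: statement and values travel separately, so the
    # DBMS always treats the input as data to compare, never as SQL.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def register(conn, username, password):
    # Parameterized insert: safe at this point, but the raw value is now stored.
    cur = conn.execute(
        "INSERT INTO users (username, password, role) VALUES (?, ?, 'user')",
        (username, password))
    return cur.lastrowid

def profile_vulnerable(conn, user_id):
    # Second-order flaw: the stored username is trusted and concatenated into
    # a later query, so the injection fires long after the parameterized insert.
    name = conn.execute("SELECT username FROM users WHERE id = ?",
                        (user_id,)).fetchone()[0]
    sql = "SELECT username, role FROM users WHERE username = '" + name + "'"
    return conn.execute(sql).fetchall()

def profile_parameterized(conn, user_id):
    # Fix: data read back from the database is parameterized like any input.
    name = conn.execute("SELECT username FROM users WHERE id = ?",
                        (user_id,)).fetchone()[0]
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (name,)).fetchall()
```

With the page's payload plus a trailing comment marker, login_vulnerable returns the first (administrative) account for any username, while login_parameterized returns nothing; the same contrast appears between the two profile functions once a stored value is reused.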