SQL Injection Attack
INTRODUCTION
SQL injection is a dangerous and particularly widespread form of injection. The attacker finds a
parameter that the web application passes on to the database and uses it to exploit the SQL injection
vulnerability. A malicious SQL command is embedded in the content of that parameter to trick the web
application into forwarding malicious queries to the database. SQL injection attacks are easy to attempt
because many tools that scan for these flaws are available, and the results an attacker can achieve are
damaging: database contents can be fetched, destroyed or corrupted.
SQL injection vulnerabilities are sometimes hard to pin down, but they are normally easy to detect and
exploit. An application that is vulnerable to SQL injection should be considered high risk [3].
INBAND SQLI
In in-band SQL injection the attacker uses the same communication channel both to launch the attack and
to gather the desired results. This type of attack is simple and efficient, which makes it the most common
one. Its sub-categories are:
1) Error-Based SQLi: The attacker performs a sequence of actions that cause the database to generate
errors. The information contained in those error messages can be used by the attacker to determine the
structure of the database.
2) Union-Based SQLi: The attacker takes advantage of the SQL UNION operator, which fuses the results of
multiple SELECT statements into a single result set that is returned in one HTTP response. The response
may therefore contain data that is useful to the attacker.
This query, executed against the database, authenticates the user since these are valid credentials.
Now suppose an attacker attempts to authenticate to the web application using the value
password' OR 'a'='a as the password. The following SQL statement will then be executed against the
database server:
SELECT name FROM user WHERE name='admin' and passwd='password' OR 'a'='a'
If this query executes successfully, it authenticates the attacker to the application: AND binds more
tightly than OR, so the condition reduces to "(valid credentials) OR 'a'='a'", and 'a'='a' always evaluates to
true.
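The statement above, reproduced in an added Python example that is not part of the original paper: the login check is first built by string concatenation, exactly as the page's query shows, and then written as a parameterized query (the second prevention technique below), which is why the same payload no longer authenticates. The in-memory SQLite table, the admin account and its password are constructed sample data.

```python
import sqlite3

PAGE_PAYLOAD = "password' OR 'a'='a"   # the password value from the page's example


def make_db():
    # Constructed sample data: one account in an in-memory SQLite database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, passwd TEXT)")
    con.execute("INSERT INTO user VALUES ('admin', 's3cret')")
    return con


def build_vulnerable_sql(name, passwd):
    # The parameter values are pasted straight into the SQL text, so a quote
    # inside the password closes the string literal and the rest becomes SQL.
    return f"SELECT name FROM user WHERE name='{name}' and passwd='{passwd}'"


def login_vulnerable(con, name, passwd):
    return con.execute(build_vulnerable_sql(name, passwd)).fetchone() is not None


def login_parameterized(con, name, passwd):
    # Placeholders: the statement is compiled first and the values are bound
    # afterwards, so they are only compared as data and never parsed as SQL.
    sql = "SELECT name FROM user WHERE name=? and passwd=?"
    return con.execute(sql, (name, passwd)).fetchone() is not None


def demo():
    # Runs both login checks with valid, wrong and injected password values.
    con = make_db()
    return {
        "vulnerable_valid_password": login_vulnerable(con, "admin", "s3cret"),
        "vulnerable_wrong_password": login_vulnerable(con, "admin", "wrong"),
        "vulnerable_payload": login_vulnerable(con, "admin", PAGE_PAYLOAD),
        "parameterized_valid_password": login_parameterized(con, "admin", "s3cret"),
        "parameterized_payload": login_parameterized(con, "admin", PAGE_PAYLOAD),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql("admin", PAGE_PAYLOAD))
    for check, authenticated in demo().items():
        print(f"{check}: {authenticated}")
```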
8) Budget Shortfalls
Budget is certainly one of the factors when it comes to SQL injection; experts acknowledge that budget
shortfalls keep vulnerabilities alive. Reviewing the code to ensure that it contains no vulnerability takes
time and, of course, adds to the cost [7].
1) Input Validation
This is the process of verifying the type of the input submitted by a user. It checks the input against
filters such as type, format and length: input values are filtered and only allowed through once they pass
validation, before any processing takes place. This blocks commands inserted into the input string.
2) Parameterized Queries
This method lets the database recognize the code and distinguish it from the input data. The SQL
statement is pre-compiled first; the parameters are then supplied separately, and the statement is executed
with them as plain values.
3) Stored Procedures
This method requires the developer to group one or more SQL statements into a logical unit that is
executed as a whole. Such executions allow the statements to be parameterized automatically, so instead of
writing the query again and again one can just call the stored procedure. Note that a stored procedure that
itself builds SQL text from its arguments (dynamic SQL) does not get this protection.
4) Escaping
The character-escaping functions provided by each database management system (DBMS) must be used on
all user-supplied input. This ensures that the DBMS does not confuse the input with the SQL statements
written by the developer.
5) Administrative Privilege
An application should not connect to the database with the root account unless it is absolutely necessary,
because an attacker could use that account to gain access to the whole system. The principle of least
privilege should be enforced to protect applications against SQL injection.
6) Web Application Firewall
A web application firewall (WAF) works as a barrier between the internet and the web application. The
WAF operates at the front end and monitors incoming and outgoing traffic. It protects web applications
from SQL injection and several other threats as well. A WAF is therefore recommended when defending
both the web application and the database [8].
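An added Python example, not from the paper, for two of the measures above: input validation (1) as an allow-list check on a username field, and least privilege (5) as a connection opened read-only, so that login code which only needs to read cannot delete or alter data even if one of its queries were subverted. The username pattern, the on-disk SQLite file and the sample account are constructed assumptions; SQLite's read-only connection stands in for a restricted database account.

```python
import os
import re
import sqlite3
import tempfile

# Allow-list for a username field: only the characters the application needs.
# Allow-listing suits structured fields like this one; free-text fields such
# as passwords must still rely on parameterized queries rather than filtering.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    # True only when the whole value matches the allow-list pattern.
    return USERNAME_RE.fullmatch(value) is not None


def make_db_file():
    # Constructed sample database written to disk so it can be reopened read-only.
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE user (name TEXT, passwd TEXT)")
    con.execute("INSERT INTO user VALUES ('admin', 's3cret')")
    con.commit()
    con.close()
    return path


def open_least_privilege(path):
    # The login code only reads, so it gets a read-only connection (mode=ro).
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def can_write(con):
    # Returns False when the connection is not permitted to modify data.
    try:
        con.execute("DELETE FROM user")
        con.commit()
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    path = make_db_file()
    ro = open_least_privilege(path)
    writable = can_write(ro)
    rows = ro.execute("SELECT COUNT(*) FROM user").fetchone()[0]
    return {
        "valid_username": validate_username("admin"),
        "injected_username": validate_username("admin' OR 'a'='a"),
        "readonly_can_write": writable,
        "rows_still_present": rows,
    }
```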
CONCLUSION
Several reasons why SQL injection is still a threat were discussed, along with the mechanism by which
SQL injection works. The techniques and mechanisms of SQL injection were also discussed for a better
understanding of the threat. Studies tell us that SQL injection attacks are 100% stoppable with the help of
the techniques, methods and web application firewalls presented here. Some common prevention
techniques were also discussed. The most important factor to keep in mind is the design of the web
application and the database. If developers follow the design recommendations while developing
applications, the database server can withstand the threat of SQL injection. Web application firewalls
combined with techniques such as stored procedures, input validation and escaping must therefore be used
when designing applications, and these attacks will then surely cease to exist.
REFERENCES
[1] E. Janot and P. Zavarsky, 'Preventing SQL Injections in Online Applications: Study, Recommendations and
Java Solution Prototype Based on the SQL DOM', 2008.
[2] 'OWASP.png (311×320)'. https://sdtimes.com/wp-content/uploads/2017/11/OWASP.png (accessed
February 04, 2021).
[3] 'OWASP Top Ten Web Application Security Risks | OWASP'. https://owasp.org/www-project-top-ten/
(accessed January 22, 2021).
[4] 'What is SQL Injection | SQLI Attack Example & Prevention Methods | Imperva', Learning Center.
https://www.imperva.com/learn/application-security/sql-injection-sqli/ (accessed January 23, 2021).
[5] 'What Is SQL Injection and How Does It Work? | Synopsys'.
https://www.synopsys.com/glossary/what-is-sql-injection.html (accessed February 02, 2021).
[6] 'Why is SQL Injection Still Around?', Veracode.
https://www.veracode.com/blog/2016/04/why-sql-injection-still-around (accessed February 03, 2021).
[7] '10 Reasons SQL Injection Still Works', Dark Reading.
https://www.darkreading.com/database/10-reasons-sql-injection-still-works/240154405 (accessed
January 23, 2021).
[8] 'How to prevent SQL injection attacks'.
https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/ (accessed
February 03, 2021).