
Amir Ali Qureshi (s5308075)

SQL INJECTION ATTACK

INTRODUCTION

SQL injection is a dangerous and particularly widespread form of injection. The attacker finds a
parameter that the web application passes to the database and exploits the SQL injection vulnerability
through it. The malicious SQL command is embedded in the content of the parameter to trick the web
application into forwarding malicious queries to the database. SQL injection attacks are easy to attempt
because various tools for scanning for these flaws are available. The results an attacker can gain are
damaging, since they can fetch, destroy or corrupt database contents.

SQL injection vulnerabilities can sometimes be subtle, but they are normally easy to detect and
exploit. An application that is vulnerable to SQL injection should be considered a high risk [3].

TYPES OF SQL INJECTIONS


SQL injections generally fall into three categories:
1. In-band SQLi – the classic SQL injection
2. Inferential SQLi – the blind SQL injection
3. Out-of-band SQLi – the alternative SQL injection

IN-BAND SQLI
The attacker uses the same channel of communication both to launch the attack and to gather the desired
results. This type of attack is simple and efficient, making it the most common. Its sub-categories are:

1) Error-Based SQLi: the attacker performs a sequence of actions that cause the database to generate
errors. The information contained in the error messages can be used by the attacker to determine the
structure of the database.
2) Union-Based SQLi: the attacker takes advantage of the UNION SQL operator, which fuses the results of
multiple SELECT statements into a single result that is returned in one HTTP response. The response may
contain data that is useful to the attacker.

INFERENTIAL (BLIND) SQLI

In this type of SQL injection attack, the attacker sends a data payload to the server and then observes
the server's behaviour and response to find out more about its structure. No data is transferred from the
website database to the attacker, so the attacker cannot see information about the attack in-band. Hence
this method is called blind SQLi.
Blind SQL injection depends on the behaviour and response patterns of the targeted server, which is why it
is typically slower to execute, but it can cause just as much harm as other injection techniques. It is
divided into two categories:
1) Boolean-Based Attack: the attacker sends a SQL query to the database that causes the application to
return a result. Depending on the query, the result is either true or false, and the HTTP response either
changes or remains the same. The attacker can then work out whether the query returned true or false
without relying on data from the database.
2) Time-Based Attack: the attacker sends a SQL query that causes the database to wait (for a number of
seconds) before responding. The time the database takes to respond tells the attacker whether the query
was true or false: the HTTP response is generated either immediately or after the waiting period,
depending on the result. Thus the attacker can work out whether the query returned true or false without
relying on data from the database.

OUT-OF-BAND SQLI

This type of attack is carried out when certain features of the database server have been enabled by the
web application. It is used as an alternative to the in-band and inferential SQL injection techniques.
Out-of-band SQL injection is performed when the attacker cannot use the same channel to launch the
attack and gather information. These techniques depend on the ability of the database server to make
HTTP or DNS requests to transfer data to the attacker [4].

SQL INJECTION WORKING MECHANISM


The attacker injects SQL control characters and command keywords (single quote ('), double quote ("),
equals sign (=), comment marker (--), etc.) to change the structure of the query. Combining them with SQL
commands (SELECT, DELETE, FROM, etc.) enables retrieval of data elements or access to the backend
database server.

SQL ATTACK WITH AN EXAMPLE


In this example we have code that accepts a username and password from a user. The input provided by
the user is used to craft a SQL query that is executed against a database. The database has a table named
'user' with columns for name and password.
Now consider a user authenticating to the web application with "Amir" as the username and "12345" as
the password. These credentials are valid. During login, the SQL statement executed against the database
is:

SELECT name FROM user WHERE name='Amir' AND passwd='12345'

Executed against the database, this query authenticates the user, since the credentials are valid.
Now suppose an attacker attempts to authenticate to the web application using the password value
password' OR 'a'='a as the payload. The following SQL statement is then executed against the database
server:

SELECT name FROM user WHERE name='admin' AND passwd='password' OR 'a'='a'

If this query executes successfully, it authenticates the attacker to the application, since 'a'='a' always
evaluates to true.

SUCCESSFUL ATTACK BENEFITS TO ATTACKERS


The following are some of the benefits an attacker gains from successfully launching an attack and
getting into the database server.
1) Boolean Based Attack: an attacker can gain illegitimate access to a database server by bypassing
the application's authentication mechanism.
2) Disclosure of Information: a successful attack can cause complete leakage of the data in the web
application's database.
3) Data Loss: the attacker can delete data from the database server, causing unavailability of the
data.
4) Compromised Data Integrity: since SQL commands and statements are also used to add or modify
records, the attacker can compromise data integrity by using SQL statements to add and modify the
stored data [5].
REASONS FOR EXISTENCE OF SQL INJECTION ATTACKS
The answer to the question "why does the SQL injection attack still exist?" comes down to one crucial
factor: lack of knowledge about how SQL injection works. There are additional factors that pave the way
for SQLi attacks, whether technical missteps, the attack environment or business process issues. They are
as follows [6]:
1) Maintaining a Juicy Target
Most organizations do not engage in distributed security, that is, encrypting data in the database and
storing the encryption key somewhere else. The issue is that SQL injection attacks normally extract
exactly such valuable data. If organizations did a better job here, the attractiveness of this attack type
to attackers would be greatly reduced.
2) At Least Go Least Privilege
Many organizations make it too easy for an attacker to dive further into the network following a
successful attack, because they fail to follow the rule of least privilege for application accounts. Most
applications use database logins with administrative privileges, although they do not need them, since
they should not be deleting or creating tables.

3) SQLi: the Attacker's "Easy Button"

SQL injection is one of the easiest attack vectors at the application layer; it just requires a quick
alteration of user input to change a query. These attacks can be performed from a single PC, whereas an
attacker needs a botnet to perform most other attacks.
4) Insecure Development Architecture
The main reason injection still works is improper development planning and the use of insecure
development architecture. Several techniques can be implemented, individually or combined, to secure the
portal against SQL injection, including stored procedures, pattern checks, proper validation and extra
security on the database itself.
5) Trusting Input
Developers and their organizations presume that users will send only legitimate input, and this excess of
trust costs them dearly. Trusting input without verification is one key reason an attacker has a window to
jump right into the database. Some developers unintentionally write applications that blindly accept any
input without validation.
6) Legacy Code
Applications containing legacy code are considered time bombs for SQL injection. In the early days of the
internet, when scripting languages were dominant, organizations were astonished to learn how to connect
databases to a website. Security was not given much consideration, because SQL injection did not exist in
developers' minds. These systems were not developed to withstand this variant of attack.
7) Flaws Easily Fall Through the Cracks
It is easy for attackers to find and exploit SQL injection vulnerabilities, while it is harder for defenders
to find each and every vulnerability that could potentially be targeted. Of the thousands of queries in a
typical-sized application, at least 2% can be useful for SQL injection. The only thing an attacker needs
to do is find one of them and the database is compromised.

8) Budget Shortfalls
Budget is certainly one of the factors when it comes to SQL injection; experts acknowledge that budget
shortcomings are keeping vulnerabilities alive. Reviewing code to ensure that there is no vulnerability
takes time and, of course, adds to the cost [7].

PRACTICAL EXAMPLE OF AN SQL INJECTION ATTACK


[Screenshots not reproduced in this extraction. Captions: Source Code; Using '1=1' in input field;
Using 'ORDER BY' clause in input field; Using 'UNION' clause in input field; Entering user id as '1'.]

PREVENTION TECHNIQUES TO BE NOTED


Here are some simple techniques developers must consider to prevent SQL injection attacks.

1) Input Validation
This is the process of verifying the input submitted by a user. It filters the input by type, format,
length and so on: input values are checked against these rules and only allowed through if they pass
validation. This blocks commands inserted into the input string.
2) Parameterized Queries
This method enables the database to recognize the code and differentiate it from input data. The SQL
statement is pre-compiled, and the parameters are supplied separately for the statement to be executed
with.
3) Stored Procedures
This method requires the developer to group one or more SQL statements into a logical unit to execute.
Statements executed this way are automatically parameterized, and instead of writing the query again and
again one can just call the stored procedure.
4) Escaping
Character-escaping functions, which every database management system (DBMS) provides, must be used on
user-supplied input. This makes sure that the DBMS does not confuse the input with the SQL statements
provided by the developer.
5) Administrative Privilege
The application should not connect to the database with the root account unless it is utterly necessary,
because that account may be used by an attacker to gain access to the whole system. Least privilege
should be enforced to protect applications against SQL injection.
6) Web Application Firewall
A web application firewall (WAF) works as a barrier between the internet and the web application. It
operates in front of the application and monitors incoming and outgoing traffic. It protects web
applications from SQL injection and several other threats as well. Therefore a WAF is recommended when it
comes to defending the web application as well as the database [8].
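The following is an added example written for this page (not the author's source code or the screenshots above) that ties the authentication example from the attack section to prevention techniques 1 and 2: the concatenated query reproduces the paper's vulnerable statement, while the parameterized form treats the same password value as plain data. The in-memory 'user' table, its rows and the admin placeholder password are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data for the paper's 'user' table: the legitimate user
# 'Amir' plus an 'admin' row (placeholder password, not a real credential).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("Amir", "12345"), ("admin", "PLACEHOLDER-admin-pw")])
    return conn

def build_vulnerable_sql(name, passwd):
    # The pattern from the paper: query text built by string concatenation,
    # so quotes inside the input become part of the SQL grammar.
    return ("SELECT name FROM user WHERE name='" + name +
            "' AND passwd='" + passwd + "'")

def login_vulnerable(conn, name, passwd):
    row = conn.execute(build_vulnerable_sql(name, passwd)).fetchone()
    return row[0] if row else None  # returns *some* row, not necessarily 'admin'

def login_parameterized(conn, name, passwd):
    # Hardened form: the statement is compiled with placeholders and the
    # values travel separately, so a quote in the password is just data.
    sql = "SELECT name FROM user WHERE name=? AND passwd=?"
    row = conn.execute(sql, (name, passwd)).fetchone()
    return row[0] if row else None

# Allow-list input validation (technique 1): usernames must be plain
# identifiers, so quote, comment and operator characters never reach SQL.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

def login_hardened(conn, name, passwd):
    # Validate first, parameterize regardless: validation alone is not a
    # substitute for parameterized queries.
    if not is_valid_username(name):
        return None
    return login_parameterized(conn, name, passwd)

if __name__ == "__main__":
    payload = "password' OR 'a'='a"   # the password value from the paper
    db = make_db()
    print(build_vulnerable_sql("admin", payload))
    print("vulnerable   :", login_vulnerable(db, "admin", payload))
    print("parameterized:", login_parameterized(db, "admin", payload))
    print("hardened     :", login_hardened(db, "admin", payload))
```

Note that the concatenated version does not even log the attacker in as 'admin' specifically; the OR clause matches every row and whichever comes first is returned, which is why the paper describes it as bypassing authentication altogether.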

CONCLUSION
Several reasons why SQL injections are still a threat were discussed, along with the working mechanism of
SQL injection. The techniques and mechanisms of SQL injection were also discussed for a better
understanding of the threat. Studies tell us that SQL injection attacks are 100% stoppable with the help
of techniques, methods and web application firewalls. Some common prevention techniques were also
discussed. The most important factor to keep in mind is the design of the web application and database.
If developers follow the design recommendations while developing applications, the database server can
withstand the threat of SQL injection. So web application firewalls, together with a mixture of techniques
such as stored procedures, input validation and escaping, must be used while designing applications, and
these attacks will surely cease to exist.
REFERENCES
[1] E. Janot and P. Zavarsky, 'Preventing SQL Injections in Online Applications: Study, Recommendations and
Java Solution Prototype Based on the SQL DOM', 2008.
[2] 'OWASP.png (311×320)'. https://sdtimes.com/wp-content/uploads/2017/11/OWASP.png (accessed February 04,
2021).
[3] 'OWASP Top Ten Web Application Security Risks | OWASP'. https://owasp.org/www-project-top-ten/
(accessed January 22, 2021).
[4] 'What is SQL Injection | SQLI Attack Example & Prevention Methods | Imperva', Learning Center.
https://www.imperva.com/learn/application-security/sql-injection-sqli/ (accessed January 23, 2021).
[5] 'What Is SQL Injection and How Does It Work? | Synopsys'.
https://www.synopsys.com/glossary/what-is-sql-injection.html (accessed February 02, 2021).
[6] 'Why is SQL Injection Still Around?', Veracode.
https://www.veracode.com/blog/2016/04/why-sql-injection-still-around (accessed February 03, 2021).
[7] '10 Reasons SQL Injection Still Works', Dark Reading.
https://www.darkreading.com/database/10-reasons-sql-injection-still-works/240154405 (accessed January 23,
2021).
[8] 'How to prevent SQL injection attacks'.
https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/ (accessed
February 03, 2021).
