SQL Injection: A Current High Threat in Database Attacks
Enterprise database infrastructures, which often contain the crown jewels of an organization, are subject to a wide range of attacks on the data stored in their backend.
The attacks take many forms, including:
1. Excessive privileges
2. Privilege abuse
3. SQL injection
4. Platform vulnerabilities
5. Exposure of backup data
6. Weak audit
7. Denial of service
8. Weak authentication
9. Database protocol vulnerabilities
10. Unauthorized privilege elevation
More than 70% of data breaches are executed using SQL injection attacks (according to reports). Additionally, 40% of SQL injection attacks are generated automatically by third-party tools. The trend is moving towards increased automation of attacks.
SQL injection is a technique often used to attack a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., to dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability arises when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed. SQL commands (such as queries) are thus injected from the web form into the application's database to change its content or to dump information such as credit card numbers or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQLi involves entering malicious commands into URLs and text fields on vulnerable websites, usually to steal the contents of databases storing valuable data such as credit card details.
Even though websites can be protected easily, the attack method has been associated with many high-profile data breaches, including Sony in 2011.
SQL injection attacks have been going on for years, and the vulnerabilities and exploitation techniques are well-understood and widely discussed. However, they’re still quite prevalent and are used in a variety of scenarios. One recent example is the attack on a Yahoo site that resulted in a breach of 450,000 usernames and passwords.
How does an attacker compromise your SQL server?
Before a web site can be compromised, an attacker needs to find applications that are vulnerable to SQL injection, sending probing queries to learn how the application builds its SQL statements and how it responds.
The attacker has two ways to identify SQL injection vulnerabilities:
- Error messages: the attacker constructs the correct SQL syntax based on error messages propagated from the SQL server via the front-end web application. From the errors received, the attacker learns the internal SQL database structure and how to attack it by injecting SQL queries via the web application's parameters.
- Blindfolded injection: this technique is used by attackers in situations where no error messages or response content are returned from the database. In these cases, the attacker cannot learn the backend SQL queries in order to balance the injected query and, since no database content appears in the web application's output, must also find another way of retrieving the data.
Identifying the database
Once the attacker knows how each kind of database reacts, he can identify the database type and the server that is running it.
There are several techniques the attacker uses to identify database objects in a SQL statement:
- Using string concatenation
- Using a semicolon or dollar sign ($)
Compromising the SQL server
Once the attacker has all this information, he can build the exploit code.
Some techniques used to execute SQL injection attacks are:
- Terminating queries using quotes, double-quotes, SQL comments
- Using stored procedures
- Database manipulation commands such as TRUNCATE, DROP
- Using CASE WHEN, EXEC to run nested queries
- Utilizing SQL injection to create Buffer Overflow attacks within the database server
- Delivering SQL queries via XML and Web Services
- Blindfolded SQL Injection techniques:
  - Blindfolded injection techniques using Boolean queries and WAITFOR DELAY
  - Comparison queries using commands such as BETWEEN, LIKE, ISNULL
- IDS signature evasive SQL Injection techniques:
  - Using CONVERT & CAST commands to mask the attack payload
  - Using null bytes to break the signature pattern
  - Using HEX encoding mixtures
  - Using SQL CHAR() to represent ASCII values as numbers
For example, the attacker decides to go with a basic attack using:
1 = 1--
What happens when this is entered into an input box is that the server recognizes 1 = 1 as a true statement. Since -- starts an SQL comment, everything after it is ignored, making it possible for the attacker to gain access to the database.
This set of techniques therefore needs to be analyzed, and appropriate precautions taken, when developing projects such as SQL injection prevention and detection systems, thereby adding to the security of the system.
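As an added illustration of the 1 = 1-- example above (example code written for this page, not code from the original article), the following runs the same lookup twice against a constructed in-memory SQLite table: once with the user input concatenated into the SQL text, and once with the input bound as a parameter. The table, rows and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (assumption for this example): a small users table.
SAMPLE_USERS = [
    (1, "alice", 1),
    (2, "bob", 1),
    (3, "mallory", 0),  # inactive account; a correct lookup must never return it
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_active_user_vulnerable(conn, name):
    """Vulnerable form: user input is pasted into the SQL text.

    An input of  ' OR 1=1--  turns the WHERE clause into  name = '' OR 1=1
    and the trailing  --  comments out  AND active = 1 , so every row,
    including the inactive one, comes back.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "' AND active = 1"
    return conn.execute(sql).fetchall()


def find_active_user_safe(conn, name):
    """Hardened form: the same query with a bound parameter.

    The driver passes the input as data, never as SQL syntax, so the quote,
    OR and comment marker are only characters in the name being compared.
    """
    sql = "SELECT id, name FROM users WHERE name = ? AND active = 1"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print("normal lookup:        ", find_active_user_safe(db, "alice"))
    print("concatenated + payload:", find_active_user_vulnerable(db, payload))
    print("parameterized + payload:", find_active_user_safe(db, payload))
```

The concatenated query returns all three rows for the payload, while the parameterized query returns nothing, because no user is literally named `' OR 1=1--`.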