SQL INJECTION

Contents
SQL
SQL Injection
Classification of Attacks
Attack Techniques
Prevention Techniques
Conclusion

SQL (Structured Query
Language)
Standard language for relational database management
systems, as per ANSI.
Used to perform tasks such as update data on a database, or
retrieve data from a database.
Standard SQL commands such as Select Insert, Update,
Delete, Create, and Drop.

SQL Injection
A technique used to take advantage of non-validated input
to pass SQL commands through a web application for
execution by a backend database.
Programmers often chain together SQL commands with user-
provided parameters.

Classification of Attacks
Identifying Database Finger-Print
Identifying Injectable Parameters
Discovering Database Schema
Bypassing Authentication
Extracting/Modifying Database Data
Downloading/Uploading File
Executing Remote Commands
Escalating Privilege


Attack
Techniques

1.Tautology : Exploit where
clause



Create a query that always evaluates to true for entries in
the database. To bypass authentication pages and extract
data. If attacker submits user or 1=1 - for the login
input field.
The resulting query is:
SELECT info FROM userTable WHERE username=user or
1=1 AND password=
Injecting through input string

user = ' or 1=1
password = anything

Final query would look like this:
SELECT * FROM acct
WHERE username = ' ' or 1=1
' AND password = 'anything'


2. Piggy-backed Query:

Injecting through input string

usr = xyz
pwd = 0;drop table users

Final query would look like this:
SELECT * FROM acct
WHERE username = ' xyz '
AND password = 0;drop table users


3. Union Query: To retrieve specific
information

Injecting through input string
usr = ' UNION SELECT cardNo from CreditCards where
acctNo = 7032 --
pwd = anything
Final query would look like this:
SELECT * FROM acct
WHERE username = UNION SELECT cardNo from
CreditCards where acctNo = 7032
-- AND password = anything

Prevention Techniques
1. Use Parameterized Queries
Separates data from query.

Allow creation of static queries with bind variables.

2. Customized Error Messages
Knowing database schema makes attackers job easier.

Avoid display detailed error messages and stack traces to
external users.

3. White List Based Validation
Involves defining exactly what IS authorized

Allow input within well-defined set of safe values
- By defining a very strong validation pattern

Implement stringent "known bad" filters
Eg: Reject "select", "insert", "update", "shutdown",
"delete", "drop", "--",

4. Limiting Privileges
Admin type access rights to the application accounts must be
avoided.

Create a view that limits access to that portion of the data.

5. Other preventions
Validate and filter the input data using strong Regular
expression patterns.

System Stored Procedure Reduction.

Encrypting Sensitive Data.

Conclusion
Present day development is more focused on Web
Applications so there is an urgent need for educating the
developers & Students on SQL Injection thereby allowing
programmers and system administrators to understand the
attacks more thoroughly, more attacks will be detected and
more countermeasures will be introduced into the systems.

Thank You
Questions ?