SQL Injection (CPSC620) Sanjay Tibile Vinay Deore

Upload: morris-quinn

Post on 11-Jan-2016


TRANSCRIPT

Page 1: (CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References

SQL Injection

(CPSC620)

Sanjay Tibile

Vinay Deore

Page 2:

Agenda

Database and SQL

What is SQL Injection?

Types

Example of attack

Prevention

References

Page 3:

Database: A database is an organized collection of data, in digital form, for one or more purposes.

SQL: A programming language designed for managing data in relational database management systems (RDBMS).

Page 4:

SQL Injection: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.

A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to dump the database content to the attacker.

Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database.

Page 5:

Examples:

Brute-force password guessing:
SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]' AND passwd = 'hello123';

The database isn't read-only:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members;

Adding a new member:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('[email protected]','hello','steve','Steve Friedl');

Mail me a password:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = '[email protected]' WHERE email = '[email protected]';

Page 6:

Types

Incorrect Type Handling

Poorly Filtered Strings

White Space Multiplicity

Attackers get hold of the error information

Page 7:

Using SQL injections, attackers can:

Add new data to the database
Could be embarrassing to find yourself selling some inappropriate items on your site
Perform an INSERT in the injected SQL

Modify data currently in the database
Could be very costly to have an expensive item suddenly be deeply 'discounted'
Perform an UPDATE in the injected SQL

Often can gain access to other users' system capabilities by obtaining their passwords

Page 8:

Examples: In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.

On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised by TinKode using SQL blind injection.

In August 2011, a hacker stole user records from the Nokia Developer site using "SQL injection".

Sony Playstation user data compromised.

Page 9:

Defenses

Privilege Restrictions: Restrict functions that are not necessary for the application

Use stored procedures for database access: use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely.

Page 10:

More Defenses

Check syntax of input for validity
Many classes of input have fixed languages: email addresses, dates, part numbers, etc.
Verify that the input is a valid string in the language
Sometimes languages allow problematic characters (e.g., '*' in email addresses); you may decide to not allow these
If you can exclude quotes and semicolons, that's good

Have length limits on input
Many SQL injection attacks depend on entering long strings

Page 11:

Limit database permissions and segregate users
Even a "successful" SQL injection attack is going to have much more limited success.

Isolate the webserver
For instance, putting the machine in a DMZ with extremely limited pinholes.

Page 12:

Configure database error reporting
Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.)
Configure so that this information is never exposed to a user

If possible, use bound variables
Some libraries allow you to bind inputs to variables inside a SQL statement
PERL example (from http://www.unixwiz.net/techtips/sql-injection.html):
$sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email);
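An added example, not taken from the slides, that puts the two defenses from pages 10 and 12 side by side in Python with sqlite3: the syntax check for the fixed email language, and a bound-variable lookup next to the string-pasting pattern the slides warn about (the unsafe query is only built as text, never executed). The members table, its rows and all function names are constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample rows for the slides' members table (not real accounts).
SAMPLE_MEMBERS = [
    ("bob@example.com", "hello123", "bob", "Bob Example"),
    ("alice@example.com", "s3cret", "alice", "Alice Example"),
]

# Fixed language for one input class, as page 10 suggests: a deliberately strict
# email subset that excludes quotes, semicolons and whitespace, plus a length limit.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,255}$")
MAX_EMAIL_LEN = 254


def email_is_valid(email: str) -> bool:
    """Syntax check plus length limit; anything outside the language is rejected."""
    return len(email) <= MAX_EMAIL_LEN and EMAIL_RE.fullmatch(email) is not None


def open_sample_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def build_query_unsafe(email: str) -> str:
    """The slides' vulnerable pattern: input pasted literally into the SQL text.
    Returned as a string, not executed, so the altered statement can be inspected."""
    return f"SELECT email, passwd, login_id, full_name FROM members WHERE email = '{email}';"


def lookup_member_safe(conn: sqlite3.Connection, email: str):
    """Hardened form: the input is bound to a placeholder, so it is always a value
    compared against the column and can never become SQL syntax."""
    sql = "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone()


def member_count(conn: sqlite3.Connection) -> int:
    """Row count of members; used to confirm the table survived a hostile input."""
    return conn.execute("SELECT COUNT(*) FROM members").fetchone()[0]
```

The syntax check belongs in front of the lookup as a second layer; the bound variable alone already keeps the page 5 inputs inert.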

Page 14:

Thank You!!!