SQL INJECTION
INTRODUCTION
With the growing use of server-side technologies such as ASP.NET, JavaScript frameworks and many others, almost all site data and content is now stored in cloud-hosted databases, and this makes applications more exposed to attack. Every server-side scripting language supports the popular SQL databases, so this one weak point allows attackers to penetrate those cloud databases through their attack vectors.
SQL injection is among the most dangerous vulnerabilities because it compromises data integrity and authenticity; it is listed in the OWASP Top 10, and new exploits for it are published regularly [1].
WHAT IS SQL INJECTION?
SQL injection is the technique of injecting malicious input into an otherwise benign SQL command sent to the database server, which when executed performs undesired actions [2] such as data theft or privilege escalation. For a technical explanation, consider the statements and their descriptions below.
$statement = "SELECT * FROM users WHERE username='manpreet' AND password='mysecretpw23'";
// Fixed strings: a row is returned only if both columns match exactly.

$statement = "SELECT * FROM users WHERE username='$user11' AND password='$password11'";
// Non-sanitised input: $user11 and $password11 are interpolated straight into the query text.

MANIPULATION OF SQL STATEMENTS
$statement = "SELECT * FROM users WHERE username='admin3'; -- ' AND password='anything unusual'";
// The injected quote closes the username string, the semicolon ends the statement,
// and "--" starts a comment, so the password check is discarded by the database.
Hence the attacker is logged in as the existing administrator account without entering a password and gains high privileges to add, delete, set and update data values, destroying data integrity.
DIFFERENT TYPES OF SQL INJECTION VULNERABILITY
ERROR BASED SQL INJECTION
An attacker can exploit this vulnerability to update table contents. It occurs due to invalid data input in login forms: when database errors are displayed to the user, an attacker can easily read table names and other schema details out of them.
BOOLEAN BASED SQL INJECTION
This helps the attacker verify whether a page is vulnerable by observing whether the server loads it properly. The vulnerability is exploited by placing Boolean conditions [3] in the SQL query input; if the condition evaluates to false, the web server does not load the full page, signalling to the attacker that this page can be used to inject SQL commands.
For example:
https://example9.com/index.php?id=0+AND+IF(version()+LIKE+'5%',true,false)
If the database version is not 5.x the page does not load, and the attacker uses the resulting blank (white) page as the signal for further exploitation.
TIME BASED SQL INJECTION
Here the attacker makes the database sleep for a chosen time. If the page is not vulnerable it loads immediately and the data can be extracted normally; if it is vulnerable, the page takes noticeably longer to load.
For example:
https://example1timevul.com/index.php?id=1+AND+IF(version()+LIKE+'3%',sleep(4),false)
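A defender-side companion to the two probe URLs above, added here and not part of the original text: a small Python scanner that decodes the request path from constructed web-server log lines and flags the Boolean-condition and delay-function shapes shown in the Boolean-based and time-based examples. The log lines, IP addresses and pattern names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format). The two probe
# lines reuse the Boolean- and time-based query strings shown on the page.
LOG_LINES = [
    '10.0.0.5 - - [20/May/2019:10:01:02 +1000] "GET /index.php?id=7 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [20/May/2019:10:01:05 +1000] "GET /index.php?id=0+AND+IF(version()+LIKE+%275%25%27,true,false) HTTP/1.1" 200 310',
    '10.0.0.9 - - [20/May/2019:10:01:09 +1000] "GET /index.php?id=1+AND+IF(version()+LIKE+%273%25%27,sleep(4),false) HTTP/1.1" 200 5120',
    '10.0.0.7 - - [20/May/2019:10:01:11 +1000] "GET /search.php?q=sleeping+bags HTTP/1.1" 200 8800',
]

# Probe shapes described on the page: a Boolean condition appended to a
# parameter, and a call to a database delay function (several dialects).
PROBE_PATTERNS = {
    "boolean": re.compile(r"\b(and|or)\b\s+if\s*\(", re.I),
    "time": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) ')


def classify_request(path):
    """Return the probe types whose pattern matches the decoded query string."""
    # Decode once so '+' and %xx encodings cannot hide the probe from the regex.
    qs = unquote_plus(path.partition("?")[2])
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(qs)]


def scan_log(lines):
    """Return (client_ip, decoded_path, probe_types) for suspicious lines only."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        kinds = classify_request(m.group(1))
        if kinds:
            hits.append((line.split()[0], unquote_plus(m.group(1)), kinds))
    return hits


if __name__ == "__main__":
    for ip, path, kinds in scan_log(LOG_LINES):
        print(f"{ip} {','.join(kinds):13s} {path}")
```

The word "sleeping" in the legitimate search request is not flagged because the time pattern requires an opening parenthesis after the function name.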
OUT OF BAND SQL VULNERABILITY
Here the database is injected directly with malicious input through the web application's data server, and the results are retrieved through a domain controlled by the attacker.
SQL INJECTION IMPACT
1. Depending on the privileges and permissions of the victim user, the attacker can use that account to intrude as deeply as those permissions allow and can add, delete, update and set records, manipulating them at will. This is a serious concern for the Myhealth records maintained by the Victorian government, as their user input validation suffers from security flaws.
2. The attacker can take complete control of the cloud databases and web servers.
PREVENTIVE MEASURES
Server-side scripting languages suffer from the flaw that they cannot determine whether a SQL string is malformed or malicious; they simply forward it and wait for the response from the intended database server.
Hence, as a precaution, we can apply the following techniques and methods to prevent exploitation of SQL statements.
1. USING SANITIZATION: This can be done with PHP's addslashes() function, which escapes the variables used in a SQL query. Variables such as $getuid can be wrapped in an escaping function, but this is poor coding practice and it is difficult to keep track of every variable.
2. USING PREPARED STATEMENTS: A SQL prepared statement works much like the printf() function: the statement is prepared and stored first, instead of being assembled from SQL text and variables and then executed. It is then fed the data values and binds them itself, so the values cannot alter the structure of the query and no manual sanitisation is needed.
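The prepared-statement defence applied to the page's own login query, as an added Python/sqlite3 example (not the PHP of the earlier snippets and not code from the original text). The users table, its passwords and the helper names are constructed sample data.

```python
import sqlite3

# Constructed sample data: an in-memory users table with plaintext passwords,
# mirroring the page's example (a real application would store password hashes).
USERS = [("manpreet", "mysecretpw23"), ("admin3", "s3cret-admin-pw")]


def make_db():
    """Create the sample database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string interpolation, like the $user11/$password11
    example above. Returns the matched username or None."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Prepared statement: the query structure is fixed and the values are
    bound as parameters, so quotes and comments in the input remain data."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin3'; -- "  # the page's injected username; password check becomes a comment
    print(login_vulnerable(db, "manpreet", "mysecretpw23"))   # manpreet
    print(login_vulnerable(db, payload, "anything unusual"))  # admin3 (login bypassed)
    print(login_prepared(db, payload, "anything unusual"))    # None (no such user)
```

With the interpolated query the database sees only `WHERE username='admin3'` followed by a comment, whereas the bound parameter is compared against the literal string `admin3'; -- `, which matches no row.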
A major concern is the lack of knowledge among web developers, who cannot distinguish between secure and insecure SQL queries. Most of the time, to cut expenses, they use outdated methods and sources, and these are what is mainly exploited.
3. REGULARLY PATCHING AND UPDATING SOFTWARE: The problem is not only a lack of awareness but sometimes a lack of knowledge about using out-of-the-box protections or advanced techniques to secure systems and code (an application's source code of roughly 6000 lines) with up-to-date patches inside and outside the application area. It should always be ensured that the applications you use, such as WordPress, CMS frameworks, Apache, MySQL and the PHP PDO library, are of the latest version.
4. URL BLOCKING AT SERVER LEVEL: This prevents attackers from matching SQL queries in the URL and can be used cleverly to minimise the impact of SQL injection vulnerabilities. For example, the Apache web server can use two rewrite lines in its virtual host directives, but this clearly does not prevent attacks through POST bodies or RESTful-style URLs.
5. SECURING PRIVILEGES AND CLOUD DATABASE SECURITY: This can be ensured through least privilege when implementing information security. Just as Linux grants applications only specific file permissions, instead of granting all access to the database one should limit the account to the privileges it needs, such as INSERT.
6. SEGREGATION OF SENSITIVE AND CONFIDENTIAL DATA: For most applications it is not wise to store customer credit card details in the same database as complaint forum data; instead one should separate sensitive data from non-sensitive data sets.
7. VALIDATION AND WHITELISTING: Validation is often carried out in two ways: by blacklisting dangerous or unwanted characters, and by whitelisting only those characters that are allowed in a given circumstance, which involves more work on the part of the programmer. Although validation may take place on the client side, attackers can modify or bypass it, so it is essential that all data is validated on the server side as well to reduce SQL injection risk [4].
8. USING STORED PROCEDURES and CLOUD-BASED WAFs (web application firewalls), which minimise false positives and detect attack payloads before they execute at the server, together with LDAP extensions, XXL commands and whitelisting techniques over SQL commands [5].
After successful execution of a SQL injection, an attacker can easily:
Bypass authentication: after a successful SQL injection the attacker can log in as administrator and enjoy full privileges without supplying any credentials.
Gain access to unauthorised data: the attacker can access highly sensitive data that they would not otherwise be authorised to see.
Manipulate data without authorisation: the attacker can compromise data integrity by altering data sets or adding new records.
Gain administrative privileges: this allows the attacker to take full control over the database, which can further shut down or slow down database services and adversely affect the execution of web applications. One can imagine the adverse effects and consequences if the database of the Commonwealth Bank were compromised by a SQL injection attack.
SQL INJECTION ATTACKS ON BUSINESSES
The consequences for businesses vary with the extent of their security flaws and negligence, and they suffer financial losses due to a lack of awareness of attacks among their employees. According to NTT Security, the average cost of a cyberattack comes to 773, 0000 euro, and it takes nine months or more for a business to recover. These vulnerabilities should be treated as a serious matter by all large organisations, as they lead to various other attacks on the OS, network assets and network resources such as VPNs, firewalls and access points [6].
CONCLUSION
SQL injection not only compromises cloud databases but also allows login bypass and access to all the data, as in the recent attack on Yahoo, which caused a loss of user trust in addition to financial losses. It can further lead to XSS attacks: having gained privileges, the attacker redirects all traffic through a new front page, and in the worst case it leads to a DNS attack on the web server that shuts down all services, as happened in the havoc at Yahoo!
Besides this, the attacker's best friend is Google: through Google dorks they can easily find new vulnerabilities exposed in open forms. This leads to full compromise of data integrity for crucial cloud databases [8] (banks, airports, hospitals). They can easily access directories and manipulate them for their own use on the dark web. SQL injection attacks also allow attackers to spoof identities, begin identity theft and tamper with data sets, which adversely affects the reputation of an organisation, and full control over cloud databases can lead to further data exfiltration attacks. Injection vulnerabilities are common in PHP and ASP applications because queries in these languages are built dynamically from dynamic content, which is easily exploited. Web applications should therefore be protected by a WAF that scans them for these vulnerabilities [7].
REFERENCES
[1] G. Menegaz, "SQL Injection Attack: What is it, and how to prevent it," ZDNet, 2019. [Online]. Available: https://www.zdnet.com/article/sql-injection-attack-what-is-it-and-how-to-prevent-it/. [Accessed: 20-May-2019].
[2] "What is SQL Injection (SQLi) and How to Prevent It," Acunetix, 2019. [Online]. Available: https://www.acunetix.com/websitesecurity/sql-injection/. [Accessed: 20-May-2019].
[3] "SQL Injection Cheat Sheet," Netsparker.com, 2019. [Online]. Available: https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/. [Accessed: 20-May-2019].
[4] P. Rubens, "What Is SQL Injection and How Can It Hurt You?," Esecurityplanet.com, 2019. [Online]. Available: https://www.esecurityplanet.com/threats/what-is-sql-injection.html. [Accessed: 20-May-2019].
[5] "Web Application Firewall (WAF) | Secure Hybrid, Cloud & On-Prem," Imperva, 2019. [Online]. Available: https://www.imperva.com/products/web-application-firewall-waf/. [Accessed: 20-May-2019].
[6] "SQL injections: used in 51% of cases by hackers," Outpost24 blog, 2019. [Online]. Available: https://outpost24.com/blog/SQL-injections-cyberattacks. [Accessed: 20-May-2019].
[7] "SQL Injection Bypassing WAF," OWASP, 2019. [Online]. Available: https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF. [Accessed: 20-May-2019].
[8] "SQL Injection Protection in Cloud Systems," Infosec Resources, 2019. [Online]. Available: https://resources.infosecinstitute.com/sql-injection-protection-cloud-systems/. [Accessed: 21-May-2019].