(CPSC620) Sanjay Tibile Vinay Deore

Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References

Database : A database is an organized collection of data for one or more purposes in digital form. SQL : It is a programming language designed for managing data in relational database management systems (RDBMS).

SQL Injection: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. A SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to dump the database content to the attacker. Many web applications take user input from a form, Often this user input is used literally in the construction of a SQL query submitted to a database.

Examples : Brute-force password guessing SELECT , passwd, login_id, full_name FROM members WHERE = AND passwd = 'hello123'; The database isn't readonly SELECT , passwd, login_id, full_name FROM members WHERE = 'x'; DROP TABLE members; Adding a new member SELECT , passwd, login_id, full_name FROM members WHERE = 'x'; INSERT INTO members (' ','passwd','login_id','full_name') VALUES Friedl'); Mail me a password SELECT , passwd, login_id, full_name FROM members WHERE = 'x'; UPDATE members SET = WHERE =

Types  Incorrect Type Handling  Poorly Filtered Strings  White Space Multiplicity tackers get hold of the error information

Using SQL injections, attackers can  Add new data to the database Could be embarrassing to find yourself selling some inappropriate items on your site Perform an INSERT in the injected SQL  Modify data currently in the database Could be very costly to have an expensive item suddenly be deeply ‘discounted’Perform an UPDATE in the injected SQL  Often can gain access to other user’s system capabilities by obtaining their password

Examples:  In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.  On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised by TinKode using SQL blind injection.  In August, 2011, Hacker Steals User Records From Nokia Developer Site using "SQL injection“.  Sony Playstation user data compromised.

DefensesPrivilege Restrictions  Restrict functions that are not necessary for the application  Use stored procedures for database access  use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely.

More Defenses  Check syntax of input for validity Many classes of input have fixed languages addresses, dates, part numbers, etc. Verify that the input is a valid string in the language Sometime languages allow problematic characters (e.g., ‘*’ in addresses); may decide to not allow these If you can exclude quotes and semicolons that’s good  Have length limits on input  Many SQL injection attacks depend on entering long strings

 Limit database permissions and segregate users  Even a "successful" SQL injection attack is going to have much more limited success.  Isolate the webserver  For instance, putting the machine in a DMZ with extremely limited pinholes.

Configure database error reporting Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.) Configure so that this information is never exposed to a user If possible, use bound variables Some libraries allow you to bind inputs to variables inside a SQL statement PERL example (from $sth = $dbh->prepare("SELECT , userid FROM members WHERE = ?;"); $sth->execute($ );

References:-  injection.html injection.html  us/library/ms aspx us/library/ms aspx  se.sql-injection.php se.sql-injection.php  n n