Trustaira Blog
April 29, 2018        Trustaira Staff

The acronym SQL (often pronounced "sequel") stands for Structured Query Language, a language for querying and editing the information stored in a database management system. SQL was developed in the early 1970s at IBM. Shortly afterwards, in 1979, a company called Relational Software, which later became Oracle Corporation, released its own modified version of SQL. Today, SQL is used in many products, including Microsoft's SQL Server.

Introducing SQL Injection

[Image: SQL Injection]

SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. The worst news about this vulnerability is that OWASP has ranked it as the number one vulnerability in the OWASP Top 10 for the last 10 years, and it still holds that position today. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code before it is executed by the database. If SQL injection is successful, attackers can cause their own code to run.

  • SQL injection is typically the result of flaws in the web application or website, not an issue with the database itself.
  • SQL injection is at the source of many of the high-profile or well-known attacks on the internet.
  • The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data.
  • The usual cause of this type of flaw is improper or absent input validation, which allows code to pass unimpeded to the database without being verified.

From the attacker's point of view, vulnerability to SQL injection is very easy to sense. Visiting a suspect site and getting it to generate an error message can indicate a potential vulnerability to this type of attack. In addition, the availability of automated and effective tools has increased, setting the bar even lower for successful execution of the attack. Finally, this type of attack is very attractive to an attacker because of the value of the information that can be obtained. Information, especially personal information, can be sold on the black market for considerable amounts of money, depending on what it is.

SQL Attacks in Action

[Image: SQL Injection in Action]

In 2011, Sony Corporation was the target of a SQL injection that compromised a multitude of accounts (estimated at over one million email addresses, usernames, and passwords). The attack was the result of a known vulnerability that could have been discovered through penetration testing.

In 2013, the U.S. Department of Energy (DoE) and the U.S. Army also found themselves victims of SQL injection. The FBI revealed that a minimum of 100,000 records, including Social Security numbers of current and former federal employees, were compromised. In addition, 2,800 of the records obtained included bank account numbers.

When it examined this attack, the FBI revealed that not only the DoE and the Army were impacted: NASA, the U.S. Missile Defense Agency, and the Environmental Protection Agency were also affected. Details of these attacks had not been fully released as of this writing.

SQL injection is accomplished through the insertion of characters into existing SQL commands with the intention of altering the intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.

In the following example, an attacker whose username is link (so that the application places 'link' after the = sign following WHERE owner) supplies the string 'name'; DELETE FROM items; -- as the itemName value. The application inserts it into an existing SQL command, and the query becomes the following two statements:

SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;--

Many of the common database products, such as Microsoft's SQL Server and Oracle's Siebel, allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing which database is in use is essential.

If the attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a', the following three valid statements will be created:

SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a' = 'a';

A few steps to prevent SQL injection attacks: use input validation, which ensures that only approved characters are accepted, and use whitelists, which dictate safe characters, and blacklists, which list unsafe characters. Also conduct vulnerability assessment and penetration testing, either by an internal or external IT/cyber security team or by a cyber security service provider, to ensure that no SQL injection related vulnerability has been left in the web application or website by mistake. An internal IT/cyber security team can use AppSpider, Acunetix, Burp Suite and Metasploit Pro for vulnerability assessment and penetration testing.
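The concatenation flaw behind the two-query and three-query examples above, and what the prevention steps buy you, as an added illustration that is not part of the original post: a Python sqlite3 script builds the query by splicing the itemName value into the SQL text, then runs the post's second payload under batch execution (executescript standing in for a batch-executing server), under a one-statement-at-a-time API, and through a parameterized query as the hardened alternative. The table, column names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data for this demo (not from the original post).
SEED_ITEMS = [("link", "sword"), ("link", "shield"), ("zelda", "ocarina")]

def fresh_db():
    """In-memory database pre-loaded with a small items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SEED_ITEMS)
    return conn

def count_items(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]

def build_query_concatenated(owner, itemname):
    """The flaw: input is spliced into the SQL text, so a quote in it ends the literal."""
    return ("SELECT * FROM items WHERE owner = '" + owner
            + "' AND itemname = '" + itemname + "';")

def lookup_batch_concatenated(conn, owner, itemname):
    """Concatenated query on a batch-executing driver (executescript). Returns rows left."""
    conn.executescript(build_query_concatenated(owner, itemname))
    return count_items(conn)

def lookup_single_concatenated(conn, owner, itemname):
    """Same query on a one-statement-at-a-time API: the batch is refused and
    the DELETE never runs. Returns (refused, rows left)."""
    try:
        conn.execute(build_query_concatenated(owner, itemname)).fetchall()
        return False, count_items(conn)
    except (sqlite3.Warning, sqlite3.Error):
        return True, count_items(conn)

def lookup_parameterized(conn, owner, itemname):
    """Hardened form: fixed SQL text, values bound by the driver, so the input
    is only ever compared as data. Returns (matching rows, rows left)."""
    rows = conn.execute("SELECT * FROM items WHERE owner = ? AND itemname = ?",
                        (owner, itemname)).fetchall()
    return len(rows), count_items(conn)

# The post's second payload as typed into itemName; the application adds the quotes around it.
INJECTED = "name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a"

def demo():
    batch_left = lookup_batch_concatenated(fresh_db(), "link", INJECTED)
    refused, single_left = lookup_single_concatenated(fresh_db(), "link", INJECTED)
    matched, safe_left = lookup_parameterized(fresh_db(), "link", INJECTED)
    return batch_left, refused, single_left, matched, safe_left
```

demo() returns (0, True, 3, 0, 3): only the concatenated query under batch execution empties the table, while the single-statement API rejects the batch and the parameterized query simply finds no row whose itemname equals the injected text.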

Results of SQL Injection

[Image: Results of SQL Injection]

What can be accomplished as a result of a SQL injection attack? There are a huge number of possibilities, limited only by the configuration of the system and the skill of the attacker.

If an attacker is successful, a host of problems can result. Consider the following sample of the potential outcomes:

  • Identity spoofing through manipulating the database to insert bogus or misleading information such as email addresses and contact information
  • Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data, but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
  • Alteration of data or outright replacement of data in an existing database with information created by the attacker
  • Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system
  • Denial of service, performed by flooding the server with requests designed to overwhelm the system
  • Data extraction and disclosure of all data on the system through manipulation of the database
  • Destruction or corruption of data through rewriting, altering, or other means
  • Eliminating or altering transactions that have been or will be committed

Don't forget one of the most valued pieces of information that can be obtained through a SQL injection: personally identifiable information (PII). Disclosure of PII is a massive problem when it occurs, and therefore it should never be taken lightly. Be aware of what you are storing in the database and its sensitivity. Store only those things that need to be stored and nothing else. For example, if you don't have a reason to store credit card data, don't! If you don't have a reason to ask for Social Security numbers, don't! Storing this information places huge amounts of responsibility and liability on your shoulders should you lose control of it to an unauthorized third party.

Stay cautious, stay safe.