What is it?
SQL
Injection is one of the many web attack mechanisms used by hackers to
steal data from organizations. It is perhaps one of the most common
application layer attack techniques used today. It is the type of attack
that takes advantage of improper coding of your web applications that
allows hacker to inject SQL commands into say a login form to allow them
to gain access to the data held within your database.
In
essence, SQL Injection arises because the fields available for user
input allow SQL statements to pass through and query the database
directly.
Threat Modeling
- SQL
injection attacks allow attackers to spoof identity, tamper with
existing data, cause repudiation issues such as voiding transactions or
changing balances, allow the complete disclosure of all data on the
system, destroy the data or make it otherwise unavailable, and become
administrators of the database server.
- SQL Injection is very
common with PHP and ASP applications due to the prevalence of older
functional interfaces. Due to the nature of programmatic interfaces
available, J2EE and ASP.NET applications are less likely to have easily
exploited SQL injections.
- The severity of SQL Injection attacks
is limited by the attacker’s skill and imagination, and to a lesser
extent, defense in depth countermeasures, such as low privilege
connections to the database server and so on. In general, consider SQL
Injection a high impact severity.
Is my database at risk to SQL Injection?
SQL
Injection is one of the most common application layer attacks currently
being used on the Internet. Despite the fact that it is relatively easy
to protect against SQL Injection, there are a large number of web
applications that remain vulnerable.
According
to the Web Application Security Consortium (WASC) 9% of the total
hacking incidents reported in the media until 27th July 2006 were due to
SQL Injection. More recent data from our own research shows that about
50% of the websites we have scanned this year are susceptible to SQL
Injection vulnerabilities.
It
may be difficult to answer the question whether your web site and web
applications are vulnerable to SQL Injection especially if you are not a
programmer or you are not the person who has coded your web
applications.
Our experience leads us to believe that there is a significant chance that your data is already at risk from SQL Injection.
Whether
an attacker is able to see the data stored on the database or not,
really depends on how your website is coded to display the results of
the queries sent. What is certain is that the attacker will be able to
execute arbitrary SQL Commands on the vulnerable system, either to
compromise it or else to obtain information.
If improperly coded, then you run the risk of having your customer and company data compromised.
What
an attacker gains access to also depends on the level of security set
by the database. The database could be set to restrict to certain
commands only. A read access normally is enabled for use by web
application back ends.
Even if an attacker is not able to modify the system, he would still be able to read valuable information.
What is the impact of SQL Injection?
Once
an attacker realizes that a system is vulnerable to SQL Injection, he
is able to inject SQL Query / Commands through an input form field. This
is equivalent to handing the attacker your database and allowing him to
execute any SQL command including DROP TABLE to the database!
An
attacker may execute arbitrary SQL statements on the vulnerable system.
This may compromise the integrity of your database and/or expose
sensitive information. Depending on the back-end database in use, SQL
injection vulnerabilities lead to varying levels of data/system access
for the attacker. It may be possible to manipulate existing queries, to
UNION (used to select related information from two tables) arbitrary
data, use subselects, or append additional queries.
In
some cases, it may be possible to read in or write out to files, or to
execute shell commands on the underlying operating system. Certain SQL
Servers such as Microsoft SQL Server contain stored and extended
procedures (database server functions). If an attacker can obtain access
to these procedures, it could spell disaster.
Unfortunately
the impact of SQL Injection is only uncovered when the theft is
discovered. Data is being unwittingly stolen through various hack
attacks all the time. The more expert of hackers rarely get caught.
Example of a SQLInjection Attack
Here is a sample basic HTML form with two inputs, login and password.
<form method="post" action="http://testasp.vulnweb.com/login.asp">
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>
The easiest way for the login.asp to work is by building a database query that looks like this:
SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password’
If
the variables $username and $password are requested directly from the
user's input, this can easily be compromised. Suppose that we gave "Joe"
as a username and that the following string was provided as a password:
anything' OR 'x'='x
SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'
As
the inputs of the web application are not properly sanitised, the use
of the single quotes has turned the WHERE SQL command into a
two-component clause.
The 'x'='x' part guarantees to be true regardless of what the first part contains.
This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!
How do I prevent SQL Injection attacks?
Firewalls
and similar intrusion detection mechanisms provide little defense
against full-scale web attacks. Since your website needs to be public,
security mechanisms will allow public web traffic to communicate with
your databases servers through web applications. Isn’t this what they
have been designed to do?
Patching
your servers, databases, programming languages and operating systems is
critical but will in no way the best way to prevent SQL Injection
Attacks.
