International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 9 - Apr 2014

Data Base Hacking: SQL Injection Method and its Prevention

Alla Chandra Sekhar Reddy (1), S K. Riaz (2)
Department of Computer Science & Engineering, K L University, Koneru Lakshmaiah Education Foundation, Vaddeswaram Post, Andhra Pradesh, India-522502.

ABSTRACT: As internet services grow rapidly, people depend on the internet for many different purposes. Applications such as online shopping, train reservation and bill payment are built as web applications. These web applications require a database from which the data requested by the user is retrieved: the database acts as the backend and the web application as the frontend. As the number of web applications increases, so does the need for web security, which is one of the most challenging aspects of web applications and databases. A number of techniques are used to secure web applications; the most common is the authentication process, in which the user supplies input in the form of a username and password. The weak point of the authentication process is input validation.

Keywords – defences, SQL injection, security testing

I. INTRODUCTION
The major threats in web application security are SQL injection, buffer overflow and denial of service (DoS). Structured Query Language (SQL) is a textual query language used to interact with a relational database management system. SQL injection is dangerous because it can bypass many traditional firewalls and intrusion detection systems, and an SQL injection attack is a serious threat to any database-driven site. Such applications take input from the user and use it to build SQL statements at runtime. SQL injection is one of the most common web application vulnerabilities, and it is also one of the easiest attacks to carry out: even a developer with ordinary knowledge can perform it.
This ease of exploitation is one of the things that makes SQL injection so harmful.

II. BACKGROUND
A web application uses a dedicated language to move data between itself and the database: SQL is used to retrieve the particular data the user asks for. SQL injection attacks occur mainly because of insecure coding practices: the application's legitimate SQL statement is executed by the database in a form that includes malicious code supplied by the attacker.

III. DATABASE HACKING
Hacking a database means altering or manipulating its contents, for example the CSS or JavaScript files that a site stores. The files of a particular site are stored on a computer somewhere, called the database or the server, whose configuration differs from that of a home PC. The database stores a large amount of data from which different information is retrieved for different clients in different places. Files can be viewed (read) and they can also be changed (write). Everyone has read access: they can view the files, but they are never supposed to be able to change them, delete them or add new ones. Hacking takes place when somebody gets through these security controls and obtains write access to the server or the database; once they have it, they can change, add or delete files however they want.

IV. SQL INJECTION EXAMPLE
Whenever a web site user enters data into a form on a site, an SQL query is generated and delivered to the database. In the case of a simple logon form, the user name and password are presented to the database and, if they are valid, the database responds and the user is allowed access. This is a simple web process in which database access is required and a response is expected. In an SQL injection attack, however, the attacker enters specially crafted SQL commands into a form field instead of the expected information. The attacker's intent is to obtain a response from the database that helps them understand how the database is constructed.
ISSN: 2231-5381, http://www.ijettjournal.org

The following things can happen as a result of SQL injection:
1. A malicious user can log in to another user's application account, even as an administrator.
2. A malicious user can view private and secured information belonging to other users, e.g. ATM PIN numbers and transactions.
3. A malicious user can change application configuration information, such as the system data of other users.
4. A malicious user can delete tables in the application database or modify the structure of the database.
5. A malicious user can take control of the database server itself, which amounts to hacking the database, and execute commands on it as a database administrator.

V. TYPES OF ATTACKS
[Screenshot: online banking portal, not reproduced here]
The screenshot shows an online banking example in which users can open a new account, transfer money, view the account balance, download bank statements and perform the other operations of online banking. The security of the customer's financial information is very important here, because as the technology spreads the number of attacks also increases. Attacks on online banking in use today are based on deceiving the user in order to steal login data.

Tautology attacks: The main goal of a tautology-based attack is to inject a conditional statement that always evaluates to true. A tautology attack is successful when it retrieves the records of a table, or at least one of them. E.g.
SELECT accounts FROM users WHERE login='' OR 1=1 -- AND pass='' AND pin=

Logically incorrect query attacks: This attack is used to learn the structure of the database and the type of backend database in use. E.g.
SELECT accounts FROM users WHERE login='' AND pass='' AND pin=convert(int, (select top 1 name from sysobjects where xtype='u'))

Union attack: In a union query attack the attacker uses the UNION operator. The attacker can craft the query to retrieve information from any desired table of the database.
The result is returned as a dataset that combines the results of the original query and the injected second query. E.g.
SELECT accounts FROM users WHERE login='' UNION SELECT cardno from creditcards where AcctNO=100 -- AND pass='' AND pin=

Piggybacked query: In this type of attack the attacker appends an extra query to the original one rather than replacing it; the appended query is said to be piggybacked on the original.

[Screenshot: bill payment page of the online banking portal, not reproduced here]
The bill payment example shows where an SQL injection attack can take place: the description field in the bill payment details, where the user posts comments, is a place where an attacker can submit an SQL injection payload.

VI. TESTING
Application testing plays an important role in preventing SQL injection attacks. Security testing is the process that determines whether confidential data stays confidential and whether users can perform only those tasks that they are authorized to perform. It is the tester's responsibility to run SQL injection test cases, and the whole testing team must take responsibility for securing the application against such attacks.

VII. CONCLUSION
Firewalls and intrusion detection systems provide only a little defence against web attacks. Although the use of web applications has become very important nowadays, security issues are not addressed convincingly, so application developers must take care to patch the code thoroughly during the development stage itself. Security testing should be done thoroughly: since SQL injection mainly takes place through text and input fields, these should be part of the test plan, with the depth of testing depending on the type of data handled, for instance crucial personal information of high importance to the organization.
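The attack classes of Section V and the test-case approach of Section VI, as an added example that is not part of the original paper: a small Python harness (standard-library sqlite3, in-memory database) runs the same set of test cases through a login lookup built by string concatenation, as the paper's example queries are, and through a parameterized version with input validation on the PIN field. The schema, the rows, the card number and the function names are constructed for this example; the numeric-field tautology case goes slightly beyond the paper's quoted examples by showing that an unquoted numeric field needs no quote character to be abused.

```python
import sqlite3

# Constructed sample schema and rows (not from the paper): a users table with the
# login/pass/pin/accounts columns used in the paper's queries, and a creditcards table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (login TEXT, pass TEXT, pin INTEGER, accounts TEXT);
        INSERT INTO users VALUES ('alice', 'wonder',  1234, 'ACC-001');
        INSERT INTO users VALUES ('bob',   'builder', 5678, 'ACC-002');
        CREATE TABLE creditcards (acctno INTEGER, cardno TEXT);
        INSERT INTO creditcards VALUES (100, '4111-xxxx-xxxx-0100');
    """)
    return conn


def vulnerable_lookup(conn, login, password, pin):
    """The insecure pattern: form fields concatenated straight into the query text."""
    sql = ("SELECT accounts FROM users WHERE login='" + login
           + "' AND pass='" + password + "' AND pin=" + pin)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A verbose database error is exactly what a logically-incorrect-query
        # probe is fishing for; it is returned here so the harness can see it.
        return ["ERROR: " + str(exc)]


def safe_lookup(conn, login, password, pin):
    """The fix: validate the numeric field, then bind every value as a parameter."""
    if not pin.isdigit():          # the PIN field only ever holds digits; reject anything else
        return []
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return [row[0] for row in conn.execute(sql, (login, password, int(pin)))]


# Test cases modelled on the paper's attack classes: (name, login, pass, pin).
TEST_CASES = [
    ("legitimate",          "alice", "wonder", "1234"),
    ("tautology",           "' OR 1=1 --", "x", "0"),
    ("logically_incorrect", "'", "x", "0"),
    ("union",               "' UNION SELECT cardno FROM creditcards WHERE acctno=100 --", "x", "0"),
    ("numeric_tautology",   "nobody", "x", "0 OR 1=1"),   # unquoted numeric field
]


def run_cases(conn, lookup):
    """Run every test case through one lookup function; return {name: rows}."""
    return {name: lookup(conn, login, password, pin)
            for name, login, password, pin in TEST_CASES}


if __name__ == "__main__":
    db = make_db()
    for name, rows in run_cases(db, vulnerable_lookup).items():
        print(f"vulnerable {name:20s} -> {rows}")
    for name, rows in run_cases(db, safe_lookup).items():
        print(f"safe       {name:20s} -> {rows}")
```

Against the concatenated query the tautology and numeric cases return every account, the union case returns a card number from an unrelated table, and the malformed-input probe returns the database's own error text. The parameterized version returns the one legitimate account and an empty result for everything else, because the bound values are treated as data rather than parsed as SQL; the PIN check additionally rejects anything that is not a number before the database is consulted, which is the input-validation step the paper identifies as the weak point of authentication.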