SQL Injection in Web Application: A Review
Sangeeta
MTech, Computer Science, DCRUST, Sonipat, Haryana, India

Abstract: In the Web environment, end-user privacy is one of the most controversial legal issues. When an Internet user surfs the Net, sends electronic mail messages and participates in online forums, a lot of data is generated that may contain the user's private information. If this information is captured by third-party tools and techniques, it may cause a breach of end-user privacy. Web applications are developed in languages such as PHP, C#, ASP.NET and Perl, together with client-side HTML and JavaScript. The main cause of SQL injection attacks is poor coding by developers: the attacker intrudes into the web application's database and consequently gains access to its data. Researchers have proposed different approaches for stopping this type of attack, but they are not enough, because they usually have limitations. Indeed, some of the approaches have not been implemented yet, and most of the implemented approaches cannot stop all types of attack.

Keywords: SQL Injection, SQL Injection Attacks, Detection and Prevention Techniques

Introduction
A web application can hold sensitive and confidential data stored in a database. Web applications accept data from users, and the data they show is retrieved from the database through queries. The SQL injection attack is one of the most popular attacks used in system hacking or cracking. Web applications can be harmed by SQL injection attacks: using them, an attacker can gain information or obtain unauthorized access to the system, and the damage is greatest when the attacker gains control over the web application. SQL is the language used to insert, retrieve, update and delete data in the database. When we enter data in the input fields, it becomes part of the SQL query built at the backend.
For example, to log in to our inbox we provide a login id and password. The login id and password become part of the internal SQL query, which is then executed on the database to check whether the credentials provided match those present in the tables. An attacker who wants to gain access to the inbox provides injected code instead of correct input in the input fields of the web application. This injected code changes the structure of the original SQL query and consequently allows the attacker to gain access to information they were not authorized for. This type of attack, which allows the attacker to alter the original SQL query by adding injected SQL code in the input field, is known as a SQL Injection Attack (SQLIA) [1].

Categories of SQL Injection Attack
Injection attacks are divided into three categories [2].

First-order attack: a malicious string entered in an input field of the web application modifies the original SQL query, and the modified query is executed immediately. Typical forms:
* a UNION added to an existing statement to execute a second statement;
* a subquery added to an existing statement;
* the existing SQL short-circuited to bring back all data (for example, adding a query condition such as OR 1=1).

Second-order attack: the attacker plants the malicious input in a trusted source such as persistent storage, and it is executed later, when another activity reads the stored data and uses it in a query. For instance, the attacker creates a maliciously named database object (a table, or a function called as part of an API) so that dangerous constructs are introduced when its name is later embedded in dynamic SQL; double quotation marks are used to make such an identifier legal.

Lateral injection: the attacker manipulates implicit functions by changing environment variables, so that even a PL/SQL procedure that takes no user input can be exploited. The risk arises when a variable whose data type is DATE or NUMBER is concatenated into the text of a SQL statement.
Using NLS_DATE_FORMAT or NLS_NUMERIC_CHARACTERS, the implicit conversion performed by TO_CHAR can be manipulated so that the converted value carries attacker-chosen SQL text into the statement.

SQL Injection Attack Types
SQLIAs are most commonly introduced via user input submitted as part of a Web form, although cookies, server variables and data already stored in the database are injection sources too. Once attackers have identified an input source [3, 4] that can be used to exploit an SQLIA vulnerability, there are many different attack techniques they can leverage. Depending on the type and extent of the vulnerability, the results of these attacks can include crashing the database, gathering information about the tables in the database schema, establishing covert channels, and open-ended injection of virtually any SQL command. For a successful SQLIA the attacker must append a syntactically correct command to the original SQL query [5]. There are several types of attack [6, 7].

1. Tautologies: This type of attack injects SQL tokens into the conditional part of a query so that it always evaluates to true. It is the simplest and best known type of SQLIA. The conditional logic is evaluated as the database scans each row of the table; if the condition is a tautology, every row matches and the database returns all rows instead of the single row it would normally return in the absence of injection.
Example:
Original query: SELECT salary FROM employee WHERE empid='abc' AND pwd='xxxxx'
Injected query: SELECT salary FROM employee WHERE empid='' OR 1=1--' AND pwd='not required'
Result: the salary of every employee in the employee table is returned. The tautology 1=1 is attached to the condition with OR so that it always evaluates to true, and the -- comment discards the rest of the original query, including the password check. The vulnerable point is the WHERE clause.

2. Statement injection: the original query is altered by appending a new SQL statement to it.
Example:
Original query: SELECT salary FROM employee WHERE empid='abc123' AND pwd='xxxxx'
Injected query: SELECT salary FROM employee WHERE empid=''; DELETE FROM employee WHERE empid='abc123'--' AND pwd='not required'
Result: the record of employee abc123 is deleted. This attack works only when the database driver accepts several statements in one call (stacked queries); some drivers execute only the first statement.

3. Illogical/incorrect queries: to gather information about the internal database structure of the application, the attacker deliberately inputs incorrect data in the input fields and extracts information from the error message that is displayed (for example, the database type, table or column names, or the fragment of the query that failed to parse).
Example:
Original URL: www.samsung.com/proucts?id=23

4. Union query: the injected query is joined with the original query using the SQL keyword UNION, so that data from other tables (or other columns) is returned alongside the original result.
Example:
Original query: SELECT salary FROM employee WHERE empid='abc123'
Injected query: SELECT salary FROM employee WHERE empid='abc123' UNION SELECT * FROM employee--'
Result: records from the employee table are appended to the result. A UNION is accepted only when both SELECTs return the same number of columns with compatible types, so in practice the attacker first determines the column count and then selects exactly that many columns (padding with NULL where needed).

5. Alternate encoding: to inject code, the attacker uses alternate encodings such as ASCII, Unicode, EBCDIC or hexadecimal to bypass input validation that looks for particular characters or keywords.
Example:
Original query: SELECT * FROM employee WHERE empid='abc123' AND pwd='xxx'
Injected query: SELECT * FROM employee WHERE empid=''; exec(char(0x73687574646f776e))--' AND pwd='not required'
Result: the hexadecimal value 0x73687574646f776e decodes to the string SHUTDOWN and is passed to the char() function, so the SHUTDOWN command is executed (SQL Server syntax) even though the word itself never appears in the input and therefore passes a keyword-based validation.

SQL Injection Detection and Prevention Techniques
There are many ways to prevent SQL injection attacks [8, 9, 10]. Prevention at the coding level is concerned with the correctness of the input values supplied by the client or user: the application forces the client to enter well-formed data and bars values that would be harmful to the database server. Such validation can be done on the client side or the server side (client-side checks are trivially bypassed, so the server must validate as well), but input validation on its own cannot prevent SQL injection; it has to be combined with building queries so that user data can never become part of the query structure.
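The attack types above, run against a small in-memory SQLite database, as an added example that is not part of the original paper. The employee table, its three rows and the two lookup functions are constructed for the demonstration. The vulnerable function concatenates input into the query exactly as described above; the parameterized one shows why bound parameters stop the same payloads. The union payload selects a single column (pwd) so that the column count matches, unlike the paper's SELECT *, and the statement-injection case shows the driver caveat: Python's sqlite3 refuses stacked statements, whereas other drivers execute them.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the paper).
EMPLOYEES = [
    ("abc123", "xxxxx", 50000),
    ("def456", "secret", 62000),
    ("ghi789", "hunter2", 71000),
]


def make_db():
    """In-memory SQLite database with the paper's employee(empid, pwd, salary) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (empid TEXT, pwd TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def salary_vulnerable(conn, empid, pwd):
    """Builds the query by string concatenation, the pattern the paper describes as vulnerable."""
    sql = ("SELECT salary FROM employee WHERE empid='" + empid
           + "' AND pwd='" + pwd + "'")
    return [row[0] for row in conn.execute(sql)]


def salary_parameterized(conn, empid, pwd):
    """Same query with bound parameters: input is data and can never change the query structure."""
    sql = "SELECT salary FROM employee WHERE empid=? AND pwd=?"
    return [row[0] for row in conn.execute(sql, (empid, pwd))]


def run_attacks():
    """Run the paper's payloads against both functions and collect what each returns."""
    conn = make_db()
    results = {}
    # Legitimate use: exactly one row.
    results["benign"] = salary_vulnerable(conn, "abc123", "xxxxx")
    # 1. Tautology: '' OR 1=1-- comments out the password check and matches every row.
    results["tautology"] = salary_vulnerable(conn, "' OR 1=1--", "not required")
    # 4. Union: a second SELECT with the same column count pulls the password column.
    results["union"] = salary_vulnerable(conn, "' UNION SELECT pwd FROM employee--", "x")
    # 2. Statement injection (stacked DELETE). sqlite3's execute() runs one statement
    # only and raises on the remainder; drivers that accept stacked queries would delete.
    try:
        salary_vulnerable(conn, "'; DELETE FROM employee WHERE empid='abc123'--", "x")
        results["stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["stacked"] = "rejected by driver"
    # Parameterized version: the tautology payload is just an empid that does not exist.
    results["param_tautology"] = salary_parameterized(conn, "' OR 1=1--", "not required")
    results["param_benign"] = salary_parameterized(conn, "abc123", "xxxxx")
    return results


if __name__ == "__main__":
    for name, value in run_attacks().items():
        print(f"{name:16s} {value}")
```

The tautology and union payloads return every row of the table through the vulnerable function and nothing through the parameterized one; whether the stacked DELETE succeeds depends entirely on the driver, which is why the statement-injection attack is not reproducible on every platform.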
The tools and techniques for detecting and preventing SQL injection are given below:

1. Runtime Monitoring Technique [11]: AMNESIA detects SQL injection attacks against web applications by combining static analysis with runtime monitoring. It detects an injected query before it is executed on the database server using a model-based approach. The static part automatically builds a model of the legal queries at each point where the application issues SQL (the hotspots) using program analysis; the dynamic part checks every query generated at runtime against the statically built model. A query that violates the model is blocked and never reaches the database server. The technique has four steps: identify the hotspots, build the SQL-query models, instrument the application, and perform runtime monitoring.

2. Detection by the Feature of a Single Character [12]: This technique uses a sigmoid function to detect SQL injection attacks. The detection algorithm is based on features of the single characters in the SQL string; a string that constitutes a SQL injection is called an attack character string. The approach minimizes the predictive error of SQL injection attack detection.

3. Tautology Checker [13]: Proposed by G. Wassermann and Z. Su, this technique uses static analysis to prevent tautology attacks.

4. SQLIPA [14]: Proposed by Shaukat Ali, Azhar Rauf et al., this approach uses hash values to improve the security and performance of authentication for web applications. The hash values for the username and password are created at runtime when the user account is created and are compared at login.

5. SQL DOM Approach [15]: According to this approach, a call-level interface (CLI) mechanism such as ODBC, JDBC or SqlClient sits between the application and the database. These providers offer strongly typed classes for accessing the database, and SQL DOM builds on them a SQL domain object model through which the statements executed against the database are constructed.
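A simplified version of the model-based runtime check of technique 1, as an added example that is not the AMNESIA tool's own code: the tokenizer, the hotspot template, the hypothetical InjectionDetected exception and the sample inputs are assumptions made for this demonstration. The static part records the token skeleton of the query the hotspot legitimately produces (string and numeric literals replaced by placeholders); the instrumented hotspot recomputes the skeleton of each generated query at runtime and blocks any query whose structure differs from the model. An escaped quote inside a value stays inside the literal and is allowed, while every payload from the attack-type section changes the skeleton and is blocked.

```python
import re

# Tokenizer for a small SQL subset (an assumption of this example, not a full SQL parser).
TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'            # string literal; '' inside it is an escaped quote
    | 0[xX][0-9A-Fa-f]+         # hexadecimal literal (the alternate-encoding case)
    | \d+(?:\.\d+)?             # numeric literal
    | --[^\n]*                  # line comment
    | /\*.*?\*/                 # block comment
    | [A-Za-z_][A-Za-z_0-9]*    # identifier or keyword
    | <>|<=|>=|!=|\S            # operators and punctuation; whitespace is skipped
""", re.VERBOSE | re.DOTALL)


class InjectionDetected(Exception):
    """Raised by the instrumented hotspot when a query does not match its model."""


def skeleton(sql):
    """Structure of a query: literals collapsed to STR/NUM, comments kept as a marker."""
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok.startswith("'"):
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok.startswith(("--", "/*")):
            out.append("COMMENT")
        elif tok[0].isalpha() or tok[0] == "_":
            out.append(tok.upper())
        else:
            out.append(tok)
    return tuple(out)


# Hotspot: the place in the application that builds the paper's salary query.
HOTSPOT = "SELECT salary FROM employee WHERE empid='{empid}' AND pwd='{pwd}'"


def build_model(template):
    """Static step: the skeleton the hotspot produces when filled with harmless input."""
    return skeleton(template.format(empid="x", pwd="x"))


def monitored_query(template, model, **fields):
    """Instrumented hotspot: build the query, then allow it only if its skeleton matches the model."""
    sql = template.format(**fields)
    if skeleton(sql) != model:
        raise InjectionDetected(sql)
    return sql


def classify(inputs):
    """Run each (empid, pwd) pair through the monitor and report allowed/blocked."""
    model = build_model(HOTSPOT)
    verdicts = {}
    for name, (empid, pwd) in inputs.items():
        try:
            monitored_query(HOTSPOT, model, empid=empid, pwd=pwd)
            verdicts[name] = "allowed"
        except InjectionDetected:
            verdicts[name] = "blocked"
    return verdicts


# Constructed inputs: a legitimate login, a value with an escaped quote, and the paper's payloads.
SAMPLE_INPUTS = {
    "benign": ("abc123", "xxxxx"),
    "escaped_quote": ("O''Brien", "xxxxx"),
    "tautology": ("' OR 1=1--", "not required"),
    "stacked": ("'; DELETE FROM employee WHERE empid='abc123'--", "not required"),
    "union": ("' UNION SELECT pwd FROM employee--", "x"),
    "hex_encoded": ("'; exec(char(0x73687574646f776e))--", "not required"),
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_INPUTS).items():
        print(f"{name:14s} {verdict}")
```

The check compares structure rather than content, which is what lets it catch the hex-encoded payload that a keyword filter misses: the encoding hides the word SHUTDOWN, but not the extra statement, the call and the comment that the payload adds to the query.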
SQL DOM generates a dynamic link library from the database schema; by using it, the compiler is able to remove the possibility of errors such as SQL syntax errors and data-type comparison errors. SQL DOM forces the developer to write correct code, which is checked at compile time.

Conclusion
This paper presents a survey of SQL injection attacks and describes how the attacks are carried out on the database using SQL queries. The attacks are categorized, and different SQL injection detection and prevention techniques are discussed.

References
[1]. Neha Singh and Ravindra Kumar Purwar, "SQL Injection: A Hazard to Web Applications," International Journal of Advanced Research in Computer Science and Software Engineering, vol. 2, issue 6, June 2012, pp. 42-46.
[2]. Nilesh Khochare, Santosh Kakade and B. B. Meshram, "Survey on SQL Injection Attacks and Their Countermeasures," IJCEM International Journal of Computational Engineering & Management, ISSN (Online) 2230-7893, vol. 14, October 2011, pp. 111-114.
[3]. W. R. Cook and S. Rai, "Safe Query Objects: Statically Typed Objects as Remotely Executable Queries," Proc. 27th Int'l Conf. Software Eng., May 2005.
[4]. C. Anley, "Advanced SQL Injection in SQL Server Applications," white paper, Next Generation Security Software, 2002.
[5]. W. G. Halfond, J. Viegas and A. Orso, "A Classification of SQL Injection Attacks and Countermeasures," College of Computing, Georgia Institute of Technology, 2006.
[6]. Atefeh Tajpour, Suhaimi Ibrahim and Maslin Masrom, "SQL Injection Detection and Prevention Techniques," International Journal of Advancements in Computing Technology, vol. 3, no. 7, August 2011.
[7]. Diallo Abdoulaye Kindy and Al-Sakib Khan Pathan, "A Survey on SQL Injection: Vulnerabilities, Attacks and Prevention Techniques," IEEE 15th International Symposium on Consumer Electronics, 2011.
[8]. W. G. Halfond, J. Viegas and A. Orso, "A Classification of SQL Injection Attacks and Countermeasures," in Proc.
of the International Symposium on Secure Software Engineering, Mar. 2006.
[9]. Atefeh Tajpour, Suhaimi Ibrahim and Maslin Masrom, "SQL Injection Detection and Prevention Techniques," International Journal of Advancements in Computing Technology, vol. 3, no. 7, August 2011.
[10]. Diallo Abdoulaye Kindy and Al-Sakib Khan Pathan, "A Survey on SQL Injection: Vulnerabilities, Attacks and Prevention Techniques," IEEE 15th International Symposium on Consumer Electronics, 2011.
[11]. William G. J. Halfond and Alessandro Orso, "Preventing SQL Injection Attacks Using AMNESIA," ICSE '06, 28th International Conference on Software Engineering, May 20-28, 2006, Shanghai, China, ACM.
[12]. Takeshi Matsuda, Daiki Koizumi, Michio Sonoda and Shigeichi Hirasawa, "On Predictive Errors of SQL Injection Attack Detection by the Feature of the Single Character," 2011 IEEE International Conference on Systems, Man, and Cybernetics (SMC), 9-12 Oct. 2011, pp. 1722-1727.
[13]. G. Wassermann and Z. Su, "An Analysis Framework for Security in Web Applications," in Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pp. 70-78.
[14]. Shaukat Ali, Azhar Rauf and Huma Javed, "SQLIPA: An Authentication Mechanism against SQL Injection," European Journal of Scientific Research, ISSN 1450-216X, vol. 38, no. 4, 2009, pp. 604-611.
[15]. R. A. McClure and I. H. Krüger, "SQL DOM: Compile Time Checking of Dynamic SQL Statements," Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), 15-21 May 2005, pp. 88-96.