SQL
Riji Jacob, MS Student in Computer Science
Hamdi Yesilyurt, MA Student in MSDF & PhD, Public Affairs

* Many Web applications on the Internet employ database-driven content (e.g. Yahoo, Amazon).
* The interactive nature of Web applications that rely on database services makes them vulnerable to SQL injection attacks.
* Web applications receive user input via form fields and then pass that input on as database requests.
* A transaction may contain a user name, a password, and information of large monetary value.
* It is also a national security and privacy matter, e.g. Social Security numbers in the U.S.

* SQL injection attacks are widespread, and Web applications are vulnerable to SQL Injection Attacks (SQLIAs).
* A Gartner Group study of over 300 Internet Web sites showed that most of them could be vulnerable to SQLIAs.
* SQLIA examples: Travelocity, FTD.com, and Guess Inc.

* SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application.
* Data provided by the user is NOT validated and is included in an SQL query in such a way that part of the user's input is treated as SQL code.

Types of SQLIAs
* Tautologies
* Illegal/Logically Incorrect Queries
* Union Query
* Piggy-Backed Queries
* Stored Procedures
* Inference
* Alternate Encodings

Tautologies
Attack Intent: Bypassing authentication, identifying injectable parameters, extracting data.
Description: The general goal of a tautology-based attack is to inject code into one or more conditional statements so that they always evaluate to true. An attacker exploits an injectable field that is used in a query's WHERE condition.
    SELECT accounts FROM users WHERE login='' or 1=1 -- AND pass='' AND pin=

Illegal/Logically Incorrect Queries
Attack Intent: Identifying injectable parameters, performing database finger-printing, extracting data.
Description: This attack lets an attacker gather important information about the type and structure of the back-end database of a Web application.
    SELECT accounts FROM users WHERE login='' AND pass='' AND pin= convert (int,(select top 1 name from sysobjects where xtype='u'))

Union Query
Attack Intent: Bypassing authentication, extracting data.
Description: In union-query attacks, an attacker exploits a vulnerable parameter to change the data set returned for a given query.
    SELECT accounts FROM users WHERE login='' UNION SELECT cardNo from CreditCards where acctNo=10032 -- AND pass='' AND pin=

Piggy-Backed Queries
Attack Intent: Extracting data, adding or modifying data, performing denial of service, executing remote commands.
Description: In this attack type, an attacker tries to inject additional queries into the original query. Vulnerability to this type of attack often depends on a database configuration that allows multiple statements to be contained in a single string.
    SELECT accounts FROM users WHERE login='doe' AND pass=''; drop table users -- ' AND pin=123

Stored Procedures
Attack Intent: Performing privilege escalation, performing denial of service, executing remote commands.
Description: SQLIAs of this type try to execute stored procedures. An attacker first determines which back-end database is in use. The procedure below is vulnerable because it builds its query by string concatenation (the parameter name is @pass throughout; the original slide referenced @password in the body).
    CREATE PROCEDURE DBO.isAuthenticated
    @userName varchar2, @pass varchar2, @pin int
    AS
    EXEC("SELECT accounts FROM users WHERE login='" +@userName+ "' and pass='" +@pass+ "' and pin=" +@pin);
    GO

Inference
Attack Intent: Identifying injectable parameters, extracting data, determining database schema.
Description: The query is modified to recast it in the form of an action that is executed based on the answer to a true/false question about data values in the database. Attackers generally use this against a site that has been secured enough that, when an injection has succeeded, there is no usable feedback via database error messages.
    SELECT accounts FROM users WHERE login='legalUser' and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ' AND pass='' AND pin=0

Alternate Encodings
Attack Intent: Evading detection.
Description: In this attack, the injected text is modified so as to avoid detection by defensive coding practices and also by many automated prevention techniques.
    SELECT accounts FROM users WHERE login='legalUser'; exec(char(0x73687574646f776e)) -- AND pass='' AND pin=
...tion with other attacks.

Countermeasure: SQL instruction-set randomization
* Apply instruction-set randomization to SQL.
* Create instances of the language that are unpredictable to the attacker.
* Queries injected by the attacker will be caught by the database parser.
* An intermediary proxy translates the random SQL back to its standard language.
* The mechanism imposes negligible performance overhead on query processing and can easily be retrofitted to existing systems.

The mechanism provides a tool that reads SQL statement(s) and rewrites all keywords with the random key appended.
    select gender, avg(age) from cs101.students where dept = %d group by gender
The utility will identify the six keywords in the example query and append the key to each one (e.g., when the key is "123"):
    select123 gender, avg123 (age) from123 cs101.students where123 dept = %d group123 by123 gender

* A proxy server sits between the client (web server) and the SQL server, de-randomizes the requests received from the client, and conveys the query to the server.
* If an SQL injection attack has occurred, the proxy's parser will fail to recognize the randomized query and will reject it.
* The implementation focused on CGI scripts as the query generators; a similar approach applies when using JDBC.

THANK YOU
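As an added example, not taken from the slides or from the SQLrand project they summarize, the Python script below uses the standard-library sqlite3 module to reproduce two points from the deck: the Tautologies slide's input bypassing a login query built by string concatenation while a parameterized query is unaffected, and a simplified version of the instruction-set randomization tool and proxy from the closing slides. Everything in it is constructed for the demonstration: the users table and its row, the function names, the keyword subset, and a token-level scan standing in for the full SQL parser the slides describe.

```python
import re
import secrets
import sqlite3

# Constructed sample data: an in-memory SQLite "users" table shaped like the one
# the slides query. The row and credentials are made up for this demonstration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (accounts TEXT, login TEXT, pass TEXT, pin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('acct-1001', 'doe', 's3cret', 1234)")
    return conn

def lookup_vulnerable(conn, login, pw, pin):
    """The pattern the slides warn about: user input pasted straight into the SQL text."""
    sql = ("SELECT accounts FROM users WHERE login='" + login
           + "' AND pass='" + pw + "' AND pin=" + pin)
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, login, pw, pin):
    """Bound parameters: the database receives the input as data, never as SQL code."""
    sql = "SELECT accounts FROM users WHERE login=? AND pass=? AND pin=?"
    return [row[0] for row in conn.execute(sql, (login, pw, pin))]

# --- Simplified SQLrand-style randomizer and proxy (assumed design, not the project's tool) ---

# Constructed keyword subset; the slides' tool covers the whole SQL grammar.
SQL_KEYWORDS = {"select", "from", "where", "and", "or", "not", "union", "group", "by",
                "avg", "insert", "update", "delete", "drop", "exec", "waitfor"}

# A token is either a single-quoted string literal (group 1 is None) or a bare word (group 1).
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\b([A-Za-z_]\w*)\b")

def randomize(sql, key):
    """Developer-side rewrite of a trusted query template: append the key to every keyword."""
    def rewrite(m):
        word = m.group(1)
        if word is not None and word.lower() in SQL_KEYWORDS:
            return word + key
        return m.group(0)
    return TOKEN_RE.sub(rewrite, sql)

def derandomize(sql, key):
    """Proxy side: strip the key from randomized keywords and refuse any bare keyword.

    Every keyword in the application's own templates carries the key, so a bare
    keyword can only have arrived inside user input, i.e. it is injected code.
    Simplification: a token scan instead of the full parser the slides describe,
    so a legitimate value that happens to equal a keyword must be quoted.
    """
    def rewrite(m):
        word = m.group(1)
        if word is None:                      # quoted literal: data, passed through untouched
            return m.group(0)
        if len(word) > len(key) and word.endswith(key) \
                and word[:-len(key)].lower() in SQL_KEYWORDS:
            return word[:-len(key)]           # randomized keyword: restore standard SQL
        if word.lower() in SQL_KEYWORDS:
            raise ValueError(f"bare keyword {word!r}: possible SQL injection, query rejected")
        return word
    return TOKEN_RE.sub(rewrite, sql)

def proxy_query(conn, randomized_sql, key):
    """Proxy entry point: only a query that de-randomizes cleanly reaches the database."""
    return [row[0] for row in conn.execute(derandomize(randomized_sql, key))]

# Application query template (constructed), randomized once at deployment time with the key.
TEMPLATE = "SELECT accounts FROM users WHERE login='%s' AND pass='%s' AND pin=%s"

if __name__ == "__main__":
    conn = make_db()
    tautology = ("' or 1=1 --", "", "")            # the Tautologies slide's input, per field
    print(lookup_vulnerable(conn, *tautology))      # ['acct-1001']: authentication bypassed
    print(lookup_parameterized(conn, *tautology))   # []: compared as data, no match

    key = secrets.token_hex(4)                      # per-deployment random key
    template = randomize(TEMPLATE, key)
    print(proxy_query(conn, template % ("doe", "s3cret", "1234"), key))  # ['acct-1001']
    try:
        proxy_query(conn, template % tautology, key)
    except ValueError as err:
        print("proxy:", err)                        # injected 'or' carries no key: rejected
```

Two details are worth noticing when running it. The randomized template is still filled in by string substitution, yet the proxy rejects the tautology, because the injected `or` does not carry the key; that is the whole point of the slides' approach, and it is why the key must stay secret from the client side. Separately, sqlite3's execute() refuses a string containing more than one statement, which is the kind of database-side configuration the Piggy-Backed Queries slide says such attacks depend on; the parameterized query remains the primary defense regardless of that setting.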