Introducing SQL Injection
SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code prior to its being executed by a database. If SQL injection is successful, attackers can cause their own code to run. In the real world this attack has proven dangerous because many developers are either not aware of the threat or don’t understand its seriousness. Developers should be aware that:
- SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
- SQL injection is at the source of many of the high-level or well-known attacks on the Internet.
- The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data.
- The usual cause of this type of flaw is improper or absent input validation, thus allowing code to pass unimpeded to the database without being verified.
SQL Attacks in Action
In 2011, Sony Corporation was the victim of a SQL injection that compromised a multitude of accounts (estimated to be over one million e-mails, usernames, and passwords). The FBI revealed that a minimum of 100,000 records, including Social Security numbers of current and former federal employees, were compromised. Additionally, 2,800 of the records obtained included bank account numbers. When investigating this attack, the FBI revealed that not only the DoE and the Army were impacted; NASA, the U.S. Missile Defense Agency, and the Environmental Protection Agency were also affected. Details of these attacks have not been fully released as of this writing. SQL injection is achieved through the insertion of characters into existing SQL commands with the intention of altering the intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.
In the following example, an attacker with the username link supplies the string 'name'; DELETE FROM items;-- as the value for itemName. Inserted after the = sign in the WHERE clause of the existing SQL command, it turns the query into the following two statements:
SELECT * FROM items WHERE owner = 'link' AND itemname = 'name'; DELETE FROM items;--
Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.
If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a', the following three valid statements will be created:
SELECT * FROM items WHERE owner = 'link' AND itemname = 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a';
A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.
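As an added example (not code from the text above), the following Python script uses the standard sqlite3 module and a constructed in-memory items table to run the itemName payload quoted earlier through a concatenated query with batch execution, then through a parameterized query, and finally against a whitelist check; the whitelist pattern and the table layout are assumptions made for the demo.

```python
import re
import sqlite3

# Injected itemName value quoted from the text above.
INJECTED = "name'; DELETE FROM items;--"

# Assumed whitelist policy for item names: letters, digits, space,
# underscore and hyphen only (the text just says "approved characters").
ITEMNAME_OK = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def make_db():
    """Constructed in-memory table so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("link", "name"), ("link", "sword"), ("zelda", "harp")])
    conn.commit()
    return conn


def item_count(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def lookup_concat(conn, owner, itemname):
    """Vulnerable: builds the SQL by string concatenation and runs it with
    executescript(), which accepts several ';'-separated statements (the
    batch execution described above). Returns rows left in items afterwards."""
    sql = (f"SELECT * FROM items WHERE owner = '{owner}' "
           f"AND itemname = '{itemname}';")
    conn.executescript(sql)
    return item_count(conn)


def lookup_param(conn, owner, itemname):
    """Hardened: placeholders send values separately from the SQL text, so
    the payload is compared as a literal item name and never parsed as SQL."""
    rows = conn.execute(
        "SELECT * FROM items WHERE owner = ? AND itemname = ?",
        (owner, itemname)).fetchall()
    return rows, item_count(conn)


def valid_itemname(value):
    """Whitelist input validation: accept only approved characters."""
    return ITEMNAME_OK.fullmatch(value) is not None


if __name__ == "__main__":
    print("concat, rows left:", lookup_concat(make_db(), "link", INJECTED))
    print("parameterized:", lookup_param(make_db(), "link", INJECTED))
    print("whitelist accepts payload?", valid_itemname(INJECTED))
```

Note that plain conn.execute() in sqlite3 refuses more than one statement per call, which is the "generate an error and fail" behaviour the text mentions for some databases; the demo uses executescript() to reproduce the batch-capable case.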
Results of SQL Injection
What can be accomplished as a result of a SQL injection attack? Well, there are a huge number of possibilities, which are limited only by the configuration of the system and the skill of the attacker.
If an attack is successful, a host of problems could result. Consider the following a sample of the potential outcomes:
- Identity spoofing through manipulating databases to insert bogus or misleading information such as e-mails and contact information.
- Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data, but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
- Alteration of data or outright replacement of data in existing databases with information created by the attacker.
- Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system.
- Denial of service, performed by flooding the server with requests designed to overwhelm the system.
- Data extraction and disclosure of all data on the system through the manipulation of the database.
- Destruction or corruption of data through rewriting, altering, or other means.
- Eliminating or altering transactions that have been or will be committed.
Next up will be all about the anatomy of a SQL injection and database vulnerabilities.