sql injection attack

Upload: chaeli

Post on 14-Jan-2016


DESCRIPTION

SQL injection attack. Introduction. SQL Injection is a very old security attack. It first came into existence in the early 1990s (e.g. the "Hackers" movie hero does SQL Injection to hack into the database). PowerPoint PPT presentation.

TRANSCRIPT

Page 1: SQL injection attack
Page 2: SQL injection attack

Introduction

- SQL Injection is a very old security attack. It first came into existence in the early 1990s (e.g. the "Hackers" movie hero does SQL Injection to hack into the database).
- SQL injection is still pervasive. One security magazine claimed that more than a million sites are still vulnerable to SQL Injection.

Page 3: SQL injection attack

What is SQL Injection Attack?

- Definition: injecting SQL statements into vulnerable spots with malicious intent.
- It refers to one of the code injection attacks, wherein data provided by the user is included in a SQL query such that part of the user's input is treated as SQL code.
- Most of the cyber crimes of this decade pertaining to stealing credit card numbers and stealing money have used SQL Injection.

Page 4: SQL injection attack

Attack intents

- Extracting data
- Adding or modifying data
- Performing a Denial-of-Service attack
- Bypassing authentication
- Privilege escalation, etc.

Page 5: SQL injection attack

Injection Mechanisms

- Injection through user inputs
- Injection through cookies
- Injection through server variables
- Second-order injection

Page 6: SQL injection attack

Vulnerability

The query behind such a login screen is built by string concatenation:

"SELECT * FROM USERS WHERE username='" + usrname + "' and password='" + pass + "';"

Page 7: SQL injection attack

If the user enters the username as x' or 1=1 -- and anything as the password, the statement that will be evaluated is:

SELECT * FROM USERS WHERE username='x' or 1=1 --' and password='anything';

This query will be true for each and every tuple of the table, and the attacker will be successful in logging into the application as administrator (the first user in the table).

Page 8: SQL injection attack

Any tautology works

1 OR 1=1
1' OR '1'='1
x' OR greg LIKE '%re%'
admin' OR 1<4
admin' OR 4>2
x' OR 'select' > 's'
x' OR 'select' < x'
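The login query from pages 6 and 7, run both ways as an added example (this is not code from the slides): the concatenated form lets the tautology input log in as the first user, while a parameterised query hands the same input to the database as data. The USERS table and its two rows are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table so the slide's query can be run offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USERS (username TEXT, password TEXT)")
    db.executemany("INSERT INTO USERS VALUES (?, ?)",
                   [("administrator", "hunter2"), ("bob", "s3cret")])  # sample rows
    return db


def login_concat(db, username, password):
    """The slide's vulnerable form: user input is spliced into the SQL text, so a
    quote and a comment marker in the input are parsed as SQL, not as data."""
    sql = ("SELECT * FROM USERS WHERE username='" + username
           + "' and password='" + password + "';")
    row = db.execute(sql).fetchone()
    return row[0] if row else None   # first matching tuple, as the slide describes


def login_param(db, username, password):
    """Hardened form: a parameterised query binds the input as a value, so the
    tautology text is compared literally against the column and matches nothing."""
    sql = "SELECT * FROM USERS WHERE username=? AND password=?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "x' or 1=1 --", "anything"))  # administrator: tautology bypass
    print(login_param(db, "x' or 1=1 --", "anything"))   # None: the input is just data
    print(login_param(db, "bob", "s3cret"))               # bob: a real login still works
```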

Page 9: SQL injection attack

Blind SQL Injection Attack

In this attack the cracker/hacker deliberately enters wrong data to figure out the database structure and its properties, e.g.

www.site.com/userid=22'

or

www.site.com/userid=22 or 1=1 UNION select null, null, null, null.......

Page 10: SQL injection attack
Page 11: SQL injection attack

Denial of Service

If the attacker gives the input as

' ; SHUTDOWN; --

the query will be

SELECT * FROM USERS WHERE username='' ; SHUTDOWN; --' and password='anything';

The database gets shut down, which leads to a DoS attack on the web application.

Page 12: SQL injection attack

Evasion Techniques

White space manipulation: the white spaces can be replaced by tab, carriage return or line feed, which goes undetected by any firewall, IDS, etc.

Comment exploitation: the SQL-style comment -- is detected by a number of applications these days, but it can be replaced by the C-style comment /**/, e.g. UN/*comment*/ION. The SQL parsing engines nowadays strip off all comments before submitting the query for execution, thus evasion can be done.

Page 13: SQL injection attack

Encoding techniques

The easiest method of defeating detection. The most common encodings are:

- URL encoding
- Unicode/UTF-8
- Hex encoding
- char() function

Page 14: SQL injection attack

Mitigation Techniques

The root cause of SQL injection vulnerabilities is insufficient input validation. The mitigation can be defensive coding practices like:

- Input type checking
- Encoding of inputs
- Positive pattern matching
- Identification of all input sources

This is the best way of preventing SQLIAs, but its application is problematic in practice.

Page 15: SQL injection attack

- Use static analysis and also runtime analysis.
- Have JavaScript validate input at the client side.
- Thoroughly parse all the statements that are generated at runtime, using tools like AMNESIA.

Page 16: SQL injection attack

Demo on a real website

Page 17: SQL injection attack

Praveenkumar G Hoolimath, 10IT16F

Page 18: SQL injection attack

Introduction

- It is a specification-based approach; the specifications here are the different types of queries that the web application is expected to execute.
- These specifications help to build rules.
- The SQL queries will be intercepted and checked against these rules.
- The queries violating these rules will be discarded.

Page 19: SQL injection attack

Different phases

Phase 1: Definition of specifications (using EBNF)
Phase 2: Interception of SQL statements
Phase 3: Lexical analysis
Phase 4: Syntactical verification of SQL statements
Phase 5: Forwarding valid SQL statements to the database
Phase 6: Logging

Page 20: SQL injection attack

System Architecture

Page 21: SQL injection attack

Specification using EBNF

"SELECT * FROM User WHERE userid='" + username + "' and password='" + pass + "';"

<Query specification> := SELECT <Select List> <From Clause> <Where Clause>
<Select List> := <Table Column> (<COMMA> <Table Column>)*
<From Clause> := FROM <Table reference>
<Where Clause> := WHERE <search condition> AND <search condition>
<search condition> := <Table Column> "=" <STRING LITERAL>

Page 22: SQL injection attack

Salient Features

- It prevents all forms of SQL injection attacks.
- Its effectiveness is independent of any particular target system, application environment, or DBMS.
- There is no need to modify the source code of existing web applications to apply the new protection scheme to them.

Page 23: SQL injection attack

Vasanth Raja, 10IT05F

Page 24: SQL injection attack

SQL PARSE TREE VALIDATION

The solution is based on validation at run time. It checks the statement structure before the inclusion of the user input and after the inclusion of the user input.

Page 25: SQL injection attack

SQL PARSE TREE VALIDATION (2)

This method aims at
1) Minimizing the effort required by the programmer
2) Eliminating the possibility of the attack
3) Minimizing the runtime overhead

Page 26: SQL injection attack

SELECT * FROM users WHERE username=? AND password=?

Page 27: SQL injection attack

After including user input

Page 28: SQL injection attack

- This method does not disallow the program from using tautologies; eliminating tautologies is not the goal.
- Let the tautology be there in the user input, but find the structure at run time and stop the query from being fed to the database engine.
- This method allows the programmer to include comments in the SQL statements.

Page 29: SQL injection attack

Query structure including comments as tokens
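Both defences described above, as one added example (not the slides' or either presenter's code): a small tokenizer feeds a recursive-descent check of the page 21 EBNF (`matches_spec`) and the page 24-29 parse-tree comparison of the template against the filled-in query, with comments kept as tokens (`same_structure`). Because both work on tokens rather than raw text, the whitespace and UN/*comment*/ION tricks from page 12 change nothing. The grammar is widened slightly to accept a bare `*` as the select list, since the slides' own example uses it.

```python
import re

# Added example, not the slides' code: one tokenizer backs the EBNF check (page 21)
# and the parse-tree structure check (pages 24-29). A '' inside a string is a quote.
TOKEN_RE = re.compile(
    r"\s*(?:(?P<STR>'(?:[^']|'')*')|(?P<NUM>\d+)|(?P<WORD>[A-Za-z_]\w*)"
    r"|(?P<COMMENT>--[^\n]*|/\*.*?\*/)|(?P<OP>[=<>,;*])|(?P<QMARK>\?))", re.S)

def tokenize(sql):
    """Return (kind, text) tokens, or None if the text cannot be lexed (for
    example the unterminated quote in  userid=22'); words are upper-cased."""
    tokens, pos, sql = [], 0, sql.strip()
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            return None
        kind, pos = m.lastgroup, m.end()
        tokens.append((kind, m.group(kind).upper() if kind == "WORD" else m.group(kind)))
    return tokens

def matches_spec(sql):
    """Recursive-descent check of the slide's EBNF: SELECT <list> FROM <table>
    WHERE <col> = <string> AND <col> = <string> [;] and nothing else."""
    toks, i = tokenize(sql), 0
    if toks is None:
        return False
    def take(kind, text=None):
        nonlocal i
        if i < len(toks) and toks[i][0] == kind and text in (None, toks[i][1]):
            i += 1
            return True
        return False
    def condition():  # <search condition> := <Table Column> "=" <STRING LITERAL>
        return take("WORD") and take("OP", "=") and take("STR")
    def select_list():  # a bare * or <Table Column> (<COMMA> <Table Column>)*
        ok = take("OP", "*") or take("WORD")
        while ok and take("OP", ","):
            ok = take("WORD")
        return ok
    ok = (take("WORD", "SELECT") and select_list() and take("WORD", "FROM") and take("WORD")
          and take("WORD", "WHERE") and condition() and take("WORD", "AND") and condition())
    take("OP", ";")
    return ok and i == len(toks)

def same_structure(template, actual):
    """Parse-tree validation: the filled query must keep the template's token structure,
    each '?' occupied by exactly one literal token; comments count as tokens too."""
    t, a = tokenize(template), tokenize(actual)
    return t is not None and a is not None and len(t) == len(a) and all(
        (ak in ("STR", "NUM")) if tk == "QMARK" else (tk, tv) == (ak, av)
        for (tk, tv), (ak, av) in zip(t, a))
```

A user value such as x'' or 1=1 (a quote doubled by the application's escaping) passes `same_structure` as a single string token, which is the page 28 point: tautologies inside the data are tolerated, only a changed query structure is rejected.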

Page 30: SQL injection attack

Class structure of the System

Page 31: SQL injection attack

Thank you