Structured Query Language (SQL) Injection is one of the vulnerabilities in the OWASP Top 10 list for web application exploitation. In this study we demonstrate the different methods of SQL injection attack and illustrate prevention techniques.
Web applications are widespread and have become a necessity of everyday life. Most web-based applications communicate with a database using a machine-understandable language called Structured Query Language (SQL).
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted from the client side of the application.
Table of contents
INTRODUCTION
PROBLEM STATEMENT
SIGNIFICANCE
RESOURCES
SUMMARY: WEB SEARCH AND LITERATURE
METHODOLOGY
RESULTS AND DISCUSSION
CONCLUSION AND RECOMMENDATIONS
SUMMARY
REFERENCES
INTRODUCTION
PROBLEM STATEMENT
The goal of this study is to make the internet-using public aware of what SQL injection means, how websites and web applications can be attacked using SQL injection, why it is one of the greatest security issues in today’s world, and how developers should lower the risk of SQL injection attack when developing web applications.
The main purpose of an SQL injection attack is to compromise the database, which is an organized collection of data and supporting data structures. The data can include sensitive information such as usernames, passwords, encryption keys and much organization-related information. The main consequences of an SQL injection attack are: Confidentiality: databases hold private information whose loss can be a major problem; Authentication: injecting bad SQL commands into an application can lead to theft of usernames and passwords; Authorization: authorization information is itself private information stored in the database; Integrity: alteration of information in the database [1].
SIGNIFICANCE
An SQL injection attack occurs when an attacker causes the web application to produce SQL queries that are functionally different from what the user-interface programmer intended. The affected platform can be any web application that interacts with an SQL database. Inadequate input validation, improper construction of SQL statements and carelessness while programming applications can expose web applications to SQL injection vulnerability. The likelihood of exploitation is very high. SQL injection is the number one threat to web applications listed by OWASP (Open Web Application Security Project), and it is a rampant and potentially damaging attack [1].
SQL injection is not a new issue; the date of its discovery is ambiguous. However, in the last few years SQL injection attacks have been escalating very fast.
Going five years back, in 2012 a representative of Barclaycard claimed that 97% of data breaches are a result of SQL injection. The online article states that “in late 2011 through early 2012, i.e. only one month, over one million web pages were affected by the Lilupophilupop SQL injection attack”. In 2010, the United Nations official website was a victim of SQL injection. One can now imagine the scale of the SQL injection problem.
“The breach of a web server that housed payment card data for a New York tourism company’s website highlights security gaps in cardholder data protection”. 110,000 credit card records were stolen by a hacker using SQL injection in December 2010.
Link: http://www.bankinfosecurity.com/sql-injection-blamed-for-new-breach-a-3195
“The hacktivist group says it obtained the records via SQL injection at government sites”. This was reported in December 2012; 1.6 million accounts at the FBI and NASA were exposed.
Link: https://www.cnet.com/news/ghostshell-claims-breach-of-1-6m-accounts-at-fbi-nasa-and-more/
“Hacker group claims to have looted $100k via SQL injection attack”. This incident was reported in October 2013.
Link: https://www.scmagazine.com/hacker-group-claims-to-have-looted-100k-via-sql-injection-attack/article/542609/
In one of the biggest SQL injection attacks, a group of Russian hackers stole more than one billion passwords from sites both big and small. The group used a number of internet-connected devices, known as a botnet, to steal the passwords from an estimated 400,000 sites. This was reported in 2014.
Link: https://www.business2community.com/tech-gadgets/russian-hackers-means-website-0979723#!bLWV8O
The year 2016 saw many SQL injection attacks. In April 2016, Qatar National Bank’s database was hacked using SQL injection. It was reported that 1.4GB of data was compromised, including customer information and credit card information.
Link: http://www.ibtimes.co.uk/qatar-national-bank-leak-security-experts-hint-sql-injection-used-database-hack-1557069
In May 2016, hackers used SQL injection to get inside Drupal sites and install fake ransomware.
Link: http://news.softpedia.com/news/crooks-used-sql-injections-to-hack-drupal-sites-and-install-web-ransomware-504300.shtml
The DotA 2 forum was hacked in July 2016 and users’ personal information, such as IP addresses and passwords, was leaked; 1,972,972 records were exposed.
Link: https://www.digitaltrends.com/computing/dota2-forum-hacked-two-mollion-sql-injection/
“Attackers used a flaw in the internet forum software vBulletin to breach 11 websites, exposing 27 million accounts”. This is a huge number, and the sites were hacked using SQL injection in August 2016.
Link: https://www.scmagazine.com/hackers-exploit-vbulletin-flaw-to-access-27m-accounts-on-11-websites/article/530194/
As of February 2017, a hacker known as Rasputin had breached over 60 universities and government agencies. The online article states that the hacker developed his own SQL injection scanner and used it to find weak points and take over vulnerable targets. The hacker then sold the leaked information to the criminal underground.
Link: https://www.bleepingcomputer.com/news/security/hacker-rasputin-breaches-over-60-universities-and-government-agencies/
In October 2017, a few months back, 130k accounts were affected at an Arden Hills-based Catholic financial service provider. The forensic investigation determined that the company’s web server had been attacked via SQL injection.
Link: https://www.twincities.com/2017/10/16/catholic-united-financial-data-breach-may-have-affected-nearly-130k-accounts/
An online article posted in August 2017 says that SQL injection is still a leading method of cyber attack.
Link: https://www.alertlogic.com/blog/tried-and-true-sql-injection-still-a-leading-method-of-cyber-attack/
RESOURCES
We will use C# ASP.NET technology along with a Microsoft SQL Server database to demonstrate the SQL injection attacks and countermeasures.
We have opted for this technology because most organizations use it; Microsoft SQL Server is used widely around the world by organizations and developers, and MSSQL has many features that organizations require for developing web applications to user standards.
SUMMARY: WEB SEARCH AND LITERATURE
This section summarizes the above web search, a few literature sources and recent trending reports on SQL injection. The web articles above, covering SQL injection attacks from December 2010 to August 2017, show that concern over SQL injection has grown year by year. The articles suggest that most of the organizations suffered their biggest losses in financial information. The government agencies FBI and NASA were victims of an SQL injection attack in which 1.6 million accounts were compromised; the hacktivist group said it stole the records using SQL injection at government sites and posted them online. Hackers use different attack patterns [7] to get inside the databases of web applications. Patterns can include combinations of various attacks, a variety of tools for SQL injection such as sqlmap, and different approaches using SQL injection queries. The article from May 2016 states that hackers used an SQL injection attack to get inside and then installed ransomware to encrypt the information.
The literature states that the major impacts of SQL injection are data leak or loss, authentication bypass, denial of access, and destruction of the database or its information. These impacts were faced by most of the companies hacked via SQL injection. The article from October 2017 states that a financial company’s web server was hacked using SQL injection and 130k member accounts were compromised. The financial company then removed all potential access to personally identifiable records on its server and secured the web server against any possible further attack. This recent incident occurred last year, i.e. on 6th September 2017.
An online article dated 30th June 2017 says that a WordPress plugin used by 300,000+ websites is vulnerable to SQL injection [8]. “WordPress plugin WP Statistics is vulnerable to an SQL injection flaw that allows a remote attacker, with at least a subscriber account, to steal sensitive information from the website’s database and possibly gain unauthorized access to websites”. From this statement we can conclude that SQL injection is evolving very fast. Another article from May 2017 states that the UK Information Commissioner’s Office fined an e-commerce firm Euro 55,000 because its website was vulnerable to SQL injection [9]. Regulators are now directly penalizing organizations for not securing their websites. One can now imagine how huge the concern over SQL injection is. Finally, an article dated 7th November 2016 says that researchers found an SQL injection vulnerability in an IoT device, in which an attacker can inject malicious SQL code through the paired IoT device’s mobile application and take root control of the IoT device [10].
METHODOLOGY
Most of the web search in the Significance section shows that web applications were attacked by performing SQL injection through their login panel or another panel that takes user input. The organizations that were victims of SQL injection suffered huge data breaches; some organizations’ data were dumped and some companies suffered huge financial loss. We are researching this topic to spread awareness among web developers and people with little knowledge of SQL injection, so that web applications with databases containing confidential data can be protected in future, as data is the most crucial asset to protect.
Databases are the main target for hackers because they contain sensitive information. Therefore, databases are often targeted for sensitive information by performing an SQL injection attack, which is listed number one in the OWASP top ten list of web application security risks. This section describes the methods we will use to demonstrate an SQL injection attack and the different approaches for mitigating SQL injection vulnerability.
We will develop one simple website that has username and password textboxes, a login button and a sign-up button. When a user logs in to the website with valid credentials, he/she is redirected to a welcome page showing some user details. When a new user signs up, that user’s information is stored in the database. This website will be vulnerable to SQL injection, and we will show how it can be attacked using SQL injection to gain access to any user’s account, delete tables in the database, insert records, and trigger application errors from which information about the database can be obtained. Then we will develop three websites with the same design as described above, each using a different approach to mitigate the SQL injection vulnerability.
Three different methods of mitigating SQL injection vulnerability will be demonstrated. The first method uses parameterized queries, also known as prepared statements. Parameterized queries are the first approach developers should be taught when writing database queries. They force developers to first define all the SQL code and then pass each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied [11]. The second approach is stored procedures. Stored procedures are created in the database and perform the query, which is itself parameterized, so this is a combination of stored procedure and parameterized query. As stored procedures are defined in the database itself, they are called from the application rather than built from something the user is allowed to enter. The last approach demonstrated is input validation. Input validation detects unauthorized input before it is processed by the application, which helps prevent SQL injection attacks. We will validate user input by checking its type, length, format and range. Additionally, we will show custom error pages instead of displaying database error information to the user. Custom error pages show only limited error detail on the client screen, so the client has less information that could be used to obtain database information, thereby hindering SQL injection attacks.
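The vulnerable login pattern of the first demo site beside the three mitigations described above, as an added C# ASP.NET / SQL Server example that is not the study's own code; the Users table, the connection string and the dbo.LoginUser stored procedure are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not code from the study. Assumes a SQL Server table
// Users(Username NVARCHAR(50), Password NVARCHAR(100)), matching the demo design above
// (a real application stores a password hash), and this assumed stored procedure:
//   CREATE PROCEDURE dbo.LoginUser @u NVARCHAR(50), @p NVARCHAR(100) AS
//     SELECT COUNT(*) FROM Users WHERE Username = @u AND Password = @p;
public static class LoginRepository
{
    // VULNERABLE (the study's first site): the user's text becomes part of the SQL statement.
    public static bool LoginVulnerable(string connStr, string user, string pass)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Username = '" + user +
                     "' AND Password = '" + pass + "'";
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, con))
        {
            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Mitigation 1: parameterized query; SQL text is fixed, values travel as typed parameters, never as code.
    public static bool LoginParameterized(string connStr, string user, string pass) =>
        CountMatches(connStr, "SELECT COUNT(*) FROM Users WHERE Username = @u AND Password = @p",
                     CommandType.Text, user, pass) > 0;
    // Mitigation 2: stored procedure, still invoked with parameters, never by concatenation.
    public static bool LoginStoredProcedure(string connStr, string user, string pass) =>
        CountMatches(connStr, "dbo.LoginUser", CommandType.StoredProcedure, user, pass) > 0;
    static int CountMatches(string connStr, string text, CommandType type, string user, string pass)
    {
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(text, con) { CommandType = type })
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@p", SqlDbType.NVarChar, 100).Value = pass;
            con.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Mitigation 3: validate type, length and format before any query runs, rejecting bad
    // input rather than "cleaning" it; pair with <customErrors mode="On"> in web.config
    // so database error text never reaches the browser.
    static readonly Regex UsernameFormat = new Regex(@"^[A-Za-z0-9_.-]{3,50}$");
    public static bool IsValidUsername(string user) => user != null && UsernameFormat.IsMatch(user);
}
```

Call IsValidUsername before any of the login methods; only the first method lets the supplied text alter the statement the database executes.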
[...]