Understanding and Preventing SQL Injection Attacks
The input, processing, storage and retrieval of data are the most fundamental sequences of processes that an application with both front-end and back-end executes. Application developers put in place security measures to leverage authorization and authentication to protect undesired and unauthorized interaction with data stored in the database. Nevertheless, the database remains the primary target of most attackers. Some of the most common attacks induced on databases include SQL injections. SQL injection can be understood as an attack technique that takes advantage of security vulnerability present in the database layer of a target application. SQL injection is used by hackers to gain unauthorized access to underlying structure, data and Database Management systems. SQL injection has become one of the most exploited web applications vulnerability [1]. This essay will explore available literature that delves deeper into how SQL injection occurs, types of SQL injection strategies and attacks, testing and detection of SQL injection. Finally, the essay will discuss prevention of SQL injections.
An SQL injection attack is said to have occurred when a hacker succeeds in changing the intended effect of an SQL query through inserting his/her SQL operators and keywords into the database [2]. This infers that an SQL injection is a vulnerability in an application through which an attacker arbitrarily infuses pieces of malicious data into input fields of an application, which when operated by the application, executes the input data as a piece of code at the back end server. Consequently, it results to undesired outcomes which application developers do not anticipate [2, 3]. SQL injection has a characteristic known as injection attack mechanism [2] which identifies how SQL injection occurs. Injection mechanism entails the input mechanisms that attackers use to break into the database back end. Some of the common input mechanisms include injection via user input. Normally, SQL injection attacks targeting web applications will target the input form submissions through the HTTP POST or GET requests [3]. Prevention of SQL Injections Essay.
Besides web submissions, the attackers could as well induce SQL injection through cookies. Cookies are special files responsible for maintaining application-generated information which is stored on client machines [3]. It gives the client control over this information and an attacker can perform malicious processes or activities on contents of the cookies. Incase the cookie contents are used in building SQL queries, it gives the attacker a window of submitting an attack embedded in the cookie [4]. Likewise also, the attacker can exploit server variables. Server variables include network headers, environmental variables and HTTP. These variables are used in identifying logging usage statistics besides browsing trends. Because of their sensitivity, if they are used to log into the database without sanitization, they are likely to create SQL injection vulnerability [5].
There are different SQL injection attacks and strategies. Normally, they are not executed in isolation but instead, most of them are used serially according to the intent of the attacker [2]. Moreover, there exist multiple variations of every attack variation. Some of these SQL injection attacks include; tautologies. These attacks are induced with the intention of undermining authentication in order to discover parameters to be injected, offering leeway for extracting data [7]. A tautology based attack works through injecting conditional statement so that their evaluation outcome is ever true. The consequences associated with this attack depend on the use of the outcome from queries within a target application. In most cases, tautology attacks are used to bypass authentication and extraction of data [2]. For instance, an attacker can exploit an injectable “WHERE” conditional query statement. Turning the “WHERE” conditional query into a tautology, results to returning all the table rows targeted by the tautology conditional. Prevention of SQL Injections Essay. The tautology based attacker takes the vulnerable parameters and the code constructs so that the returned results can be of benefit to gaining access into the database [7].
On the other hand, the logically/illegal incorrect queries SQL injection is induced to discover injectable/vulnerable parameters, perform database finger-printing and extract data. This attack grants the attacker a leeway of gathering crucial information about the structure and type of backend database used by web application [2]. This attack is considered a forerunner for major attacks by exploiting on the vulnerability leveraged even from a default error. This is possible because the extra error information generated by the error page, to aid developers debug/correct the errors, gives attackers information concerning the back-end database schema [2]. The attacker injects lines of codes that influence or cause type conversion, logical error or syntax error into the database. Syntax errors identify vulnerable parameters while type errors deduce the data types of target columns or it can extract data as well. Logical errors are used to reveal table names and specific columns responsible for the error [6].
In order to help developers deal with injectable loop-holes, research has found out some testing and detection methods to be used during the development phase of an application. One of the commonly used testing techniques is the Black Box Testing [2]. According to Haung and friends [8] a black box technique known as WAVES is used in testing developed web applications for SQL injection vulnerabilities. This technique leverages a Web crawler as a means of identifying all potential points in a web application which are likely to be exploited to inject SQL injection attacks. The technique then creates attacks targeting such points based on a particular list of attack techniques and patterns. Besides this, WAVES is designed to monitor the response of an application to attacks and improves its attack methodology by machine learning techniques. In spite of its machine learning approach in testing injectable points, it can not guarantee completeness [2]. Prevention of SQL Injections Essay.
CANDID is a very reliable SQL injection tool that modifies Java written web applications using a program transformation. It works through mining the programmer’s intended input query structure and detects SQL injection attacks through comparison with the structure of the actual issued query [9]. It is a natural and simple approach towards detection of SQL injection attacks. Similarly, AMNESIA is another tool used in detection of SQL injection attacks and it works by combining runtime monitoring and static analysis [10]. It begins with the static phase where the tool develops models of various kinds of queries which the target application can generate at any time whenever the database is accessed. In order to counter any sabotage to queries, queries go through early interception (checked against statically built models) in the dynamic phase before being sent to the database. At this point, all queries suspected to violate query structures are prevented from accessing the database. Although it is a good tool, it is not reliable because it depends on the accuracy of static analysis to be able to build effective query models.
Another detection and prevention mechanism is the SQLPrevent which comprises an HTTP request interceptor. After SQLPrevent is executed into a web server, original data flow is altered. The current-local thread saves all the HTTP request and SQL interceptor stops the SQL statements made by web applications to pass them …