Scribd
Upload
48 views20 pages

Understanding SQL Injection Vulnerabilities

This document discusses SQL injection vulnerabilities. It begins by defining SQL injection as exploiting a pre-existing application's capability to send SQL commands to a database. It notes that over 60% of websites tested have SQL injection vulnerabilities. These vulnerabilities allow attackers to access databases in read/write/admin modes depending on the database management system vulnerability. The document provides an example of how SQL injection works by altering a login query, and discusses consequences like unauthorized access or modifying database tables. It concludes by recommending ways to prevent SQL injection like input validation, parameterized queries, and using stored procedures.

Uploaded by

asdfer fersda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
48 views20 pages

Understanding SQL Injection Vulnerabilities

This document discusses SQL injection vulnerabilities. It begins by defining SQL injection as exploiting a pre-existing application's capability to send SQL commands to a database. It notes that over 60% of websites tested have SQL injection vulnerabilities. These vulnerabilities allow attackers to access databases in read/write/admin modes depending on the database management system vulnerability. The document provides an example of how SQL injection works by altering a login query, and discusses consequences like unauthorized access or modifying database tables. It concludes by recommending ways to prevent SQL injection like input validation, parameterized queries, and using stored procedures.

Uploaded by

asdfer fersda
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

SQL INJECTION

by Fabrizio d’Amore
faculty of Ingegneria dell’Informazione
Università di Roma “La Sapienza”
WHAT IT IS, WHAT IT IS NOT

December 2009
¢ capability of giving SQL commands to a database
engine exploiting a pre-existing application
not exclusive to Web applications, but widespread

SQL Injection, by F. d'Amore


¢
vulnerability in Web sites
— vulnerabilities exist in 60% of Web sites they have tested
(from: OWASP, Open Web Application Security Project)
¢ not due to inadequate development of Web
applications, nor a fault of the Web / RDBMS server
— developers not yet sufficiently aware
— low-quality info in the Web on how to prevent the problem
— detailed info in the Web on how to exploit vulnerabilities

2
WHAT APPLICATIONS ARE VULNERABLE?

December 2009
¢ in practice, all databases based on SQL
— MS SQL Server, Oracle, MySQL, Postgres, DB 2,
Informix etc.

SQL Injection, by F. d'Amore


¢ databases accessed thru applications based on
most of modern (and non-modern) technologies
— Perl, CGI, ASP, PHP, XML, Javascript, VB, C, Java,
Cobol etc.

3
HOW IT WORKS

December 2009
¢ client injects SQL code into the input data of an
application

SQL Injection, by F. d'Amore


— typical scenario: application dynamically creates SQL
query using altered data (obtained from outside),
without good validation of such data
¢ target of the attack: server of an application
¢ goal: allow the client to access the database used
by the attacked server

4
EXAMPLE

December 2009
¢ if the following query returns data...
SELECT * FROM users

SQL Injection, by F. d'Amore


WHERE login = 'damore'
AND password = 'qwerty'
¢ example of login syntax ASP/MS SQL Server
var sql = "SELECT * FROM users WHERE login = '" +
formusr + "' AND password = '" + formpwd + "'";
¢ if
— formusr = ' or 1=1 --
— formpwd arbitrary
¢ query becomes into SELECT * FROM users
WHERE login = '' or 1=1 5
-- AND password = ...
SQL INJECTION ATTACK

December 2009
¢ attacker can access database in read/write/admin
— depends on the vulnerability of the specific DBMS

SQL Injection, by F. d'Amore


¢ impact of the attack is potentially HIGH

6
POSSIBLE HTML FORM

December 2009
¢ from Wikipedia
(http://it.wikipedia.org/wiki/SQL_injection)

SQL Injection, by F. d'Amore


<form action='login.php' method='post'>
Username: <input type='text' name='user' />
Password: <input type='password' name='pwd' />
<input type='submit' value='Login' />
</form>

7
POSSIBLE LOGIN.PHP FILE

December 2009
<?php
//Prepares query, in a variable
$query = "SELECT * FROM users WHERE

SQL Injection, by F. d'Amore


user='".$_POST['user']."' AND
pwd='".$_POST['pwd']."'";
//Execute query (suppose a valid connection to
database is already open and its state is stored
in $db)
$sql = mysql_query($query,$db);
//Count number of lines that have been found
if(mysql_affected_rows($sql)>0) {
//authenticated!
}
8
?>
CONSEQUENCES

December 2009
¢ if script does not make input analysis and
validation, user can send

SQL Injection, by F. d'Amore


user = blah
pwd = ' OR user=‘blah'
¢ we get the query
SELECT * FROM users
WHERE user=‘blah' AND pwd='' OR user=‘blah'

¢ if at least one tuple does exist, attacker obtains


authenticated access

9
OTHER (WORSE) CONSEQUENCES

December 2009
¢ symbol ';' is exploited, it allows to concatenate
commands

SQL Injection, by F. d'Amore


pwd = ' OR user=‘blah'; DROP TABLE users;

¢ or

pwd = ' OR user=‘blash'; INSERT INTO


users (...) VALUES (...);

10
LINKS

December 2009
¢ examples
— http://www.owasp.org/index.php/SQL_Injection
— http://www.unixwiz.net/techtips/sql-injection.html

SQL Injection, by F. d'Amore


¢ Sqlninja: example of tool for supporting attacks
http://sqlninja.sourceforge.net/
— it tries to use SQL injection on applications based on
MS SQL Server
— its goal is to obtain an interactive shell on the remote
DB server
¢ WebScarab: example of tool for prevention
http://www.owasp.org/index.php/Category:OWAS
P_WebScarab_Project
11
— powerful, good prevention, even against other types of
attack
PREVENTING SQL INJECTION

December 2009
¢ input validation
— client side

SQL Injection, by F. d'Amore


— to be considered within the wider subject of software
correctness and robustness

¢ parameterized queries
— based on predefined query strings

¢ use of stored procedures


— subroutines that are defined at server side, available
to applications accessing the RDBMS
12
— can validate input at server side
INPUT VALIDATION AT CLIENT SIDE

December 2009
¢ use scripts, e.g., Javascript

SQL Injection, by F. d'Amore


¢ can be made weaker by the security settings of the
browser

¢ in some cases, can be bypassed thru suitable


change of the HTML source code

13
PARAMETERIZED QUERIES

December 2009
¢ avoid the traditional dynamic query string, where
pre-defined substrings have to be replaced by user
defined text

SQL Injection, by F. d'Amore


¢ based on pre-defined query strings, where suitable
parameters have to be inserted

¢ example: Java Prepared Statement

14
JAVA PREPARED STATEMENTS

December 2009
¢ see Sun tutorial on JDBC
(http://java.sun.com/docs/books/tutorial/jdbc/basics
/index.html)

SQL Injection, by F. d'Amore


¢ technique based on Java class PreparedStatement
— initially proposed for improving the speed of
frequently executed queries
¢ when PreparedStatement is instantiated, an SQL
query is built (and compiled): it may contain the
symbol '?' to denote possible parameters necessary
to query
¢ query structure is fixed
15
PRACTIC EXAMPLE

December 2009
// define query schema
String selectStatement = "SELECT * FROM User WHERE
userId = ? ";

SQL Injection, by F. d'Amore


// instantiate PreparedStatement object by means of
purposed method of db connector (class Connection)
PreparedStatement prepStmt =
con.prepareStatement(selectStatement);

// provide parameter thru setXXX


prepStmt.setString(1, userId); // 1 -> first
parameter

// execute query
ResultSet rs = prepStmt.executeQuery(); 16
VULNERABILITIES IN PREPARED STATEMENTS

December 2009
¢ Java prepared statements, if not carefully packed,
may be vulnerable to SQL injection

SQL Injection, by F. d'Amore


¢ example
String strUserName =
request.getParameter("Txt_UserName");
PreparedStatement prepStmt =
con.prepareStatement("SELECT * FROM user
WHERE userId = '+strUserName+'");
¢ a prepared statement is built, using a non-
validated input parameter!

17
STORED PROCEDURES: WHAT AND WHY

December 2009
¢ compiled procedures (subroutines) made available
at server side to build/support batches operating
on DB

SQL Injection, by F. d'Amore


¢ code is optimized, but DB server incurs higher
processing costs
— also improve code readability

¢ they help to limit SQL injection attacks


— but they are not exempt from vulnerabilities

18
USE OF STORED PROCEDURES

December 2009
¢ also known as proc, sproc, StoPro or SP, belong to
data dictionary

SQL Injection, by F. d'Amore


¢ typical uses
— data validation
— access control mechanisms
— centralization of logic that was initially contained
inside the applications
¢ similar to the user-defined functions, but with
different syntax
— functions can appear everywhere in SQL strings, this
is not true for stored procedure calls
19
DATA VALIDATION THRU SP

December 2009
A few controls (partial list)
¢ format (e.g., digits or dates)
¢ types (e.g., if text has been inserted when digits are

SQL Injection, by F. d'Amore


expected)
¢ range (check data that should belong to an admissible
interval)
¢ mandatory data
¢ parity control
¢ orthography and grammar
¢ consistence M/F, S/P
¢ cross-system consistence (data on several systems;
e.g., name + surname vs. surname + name)
20
¢ existence of referred files

You might also like