Tech-Fortune

TECH FORTUNE TECHNOLOGIES

INTERNSHIP ON CYBERSECURITY

A Project Report
on
SQL INJECTION using pseudocode executed on a web server

Submitted By:
MADHUSHREE M G
1EW21CS087
Dept. of CSE, EWIT

1
 Tech-Fortune

Abstract

Cyber security is the practice of defending computers, servers, mobile

devices, electronic systems, networks, and data from malicious attacks. It's also
known as information technology security or electronic information security.
The term applies in a variety of contexts, from business to mobile computing. In
Cyber Security SQL injection is one of the cyber-attack.

SQL injection attack is one of the most serious security vulnerabilities in

Web application system, most of these vulnerabilities are caused by lack of
input validation and SQL parameters use. Typical SQL injection attack and
prevention technologies are introduced in the paper. The detecting methods not
only validate user input, but also use type-safe SQL parameters. SQL injection
defense model is established according to the detection processes, which is
effective against SQL injection vulnerabilities.

2
 Tech-Fortune

Table of contents

[Link] [Link]

1. Cybersecurity. 4

1.1 Introduction 4

1.2 Types of Cyber Security 4

1.3 Cyber Security Goals 6

1.4 Types of Cyber Security Threats 7

2. SQL injection. 10

2.1 Types of SQL injection 11

2.2 How does SQL works on a website 12

2.3 Demo on SQL injection 13

2.4 Hacking Activity 17

2.5 How to prevent SQL injection 20

2.6 Conclusion 21

3
 Tech-Fortune

[Link] Security

1.1 Introduction

The technique of protecting internet-connected systems such as

computers, servers, mobile devices, electronic systems, networks, and data from
malicious attacks is known as cybersecurity. We can divide cybersecurity into
two parts one is cyber, and the other is security. Cyber refers to the technology
that includes systems, networks, programs, and data. And security is concerned
with the protection of systems, networks, applications, and information. In some
cases, it is also called electronic information security or information
technology security.

Some other definitions of cybersecurity are:

"Cyber Security is the body of technologies, processes, and practices

designed to protect networks, devices, programs, and data from attack, theft,
damage, modification or unauthorized access."

"Cyber Security is the set of principles and practices designed to protect

our computing resources and online information against threats."

1.2 Types of Cyber Security

Every organization's assets are the combinations of a variety of different

systems. These systems have a strong cybersecurity posture that requires
coordinated efforts across all of its systems. Therefore, we can categorize
cybersecurity in the following sub-domains:

o Network Security: It involves implementing the hardware and software

to secure a computer network from unauthorized access, intruders,

4
 Tech-Fortune

attacks, disruption, and misuse. This security helps an organization to

protect its assets against external and internal threats.

o Application Security: It involves protecting the software and devices

from unwanted threats. This protection can be done by constantly
updating the apps to ensure they are secure from attacks. Successful
security begins in the design stage, writing source code, validation, threat
modeling, etc., before a program or device is deployed.

o Information or Data Security: It involves implementing a strong data

storage mechanism to maintain the integrity and privacy of data, both in
storage and in transit.

o Identity management: It deals with the procedure for determining the

level of access that each individual has within an organization.

o Operational Security: It involves processing and making decisions on

handling and securing data assets.

o Mobile Security: It involves securing the organizational and personal

data stored on mobile devices such as cell phones, computers, tablets, and
other similar devices against various malicious threats. These threats are
unauthorized access, device loss or theft, malware, etc.

o Cloud Security: It involves in protecting the information stored in the

digital environment or cloud architectures for the organization. It uses
various cloud service providers such as AWS, Azure, Google, etc., to
ensure security against multiple threats.

o Disaster Recovery and Business Continuity Planning: It deals with the

processes, monitoring, alerts, and plans to how an organization responds
when any malicious activity is causing the loss of operations or data. Its

5
 Tech-Fortune

policies dictate resuming the lost operations after any disaster happens to
the same operating capacity as before the event.

o User Education: It deals with the processes, monitoring, alerts, and plans
to how an organization responds when any malicious activity is causing
the loss of operations or data. Its policies dictate resuming the lost
operations after any disaster happens to the same operating capacity as
before the event.

1.3 Cyber Security Goals

o Cyber Security's main objective is to ensure data protection. The

security community provides a triangle of three related principles to
protect the data from cyber-attacks. This principle is called the CIA
triad. The CIA model is designed to guide policies for an organization's
information security infrastructure. When any security breaches are
found, one or more of these principles has been violated.
o We can break the CIA model into three parts: Confidentiality, Integrity,
and Availability. It is actually a security model that helps people to think
about various parts of IT security.

6
 Tech-Fortune

1.4 Types of Cyber Security Threats

A threat in cybersecurity is a malicious activity by an individual or

organization to corrupt or steal data, gain access to a network, or disrupts digital
life in general. The cyber community defines the following threats available
today:

[Link]

Malware means malicious software, which is the most common cyber

attacking tool. It is used by the cybercriminal or hacker to disrupt or damage a
legitimate user's system. The following are the important types of malware
created by the hacker:

o Virus: It is a malicious piece of code that spreads from one device to

another. It can clean files and spreads throughout a computer system,
infecting files, stoles information, or damage device.

o Spyware: It is a software that secretly records information about user

activities on their system. For example, spyware could capture credit
7
 Tech-Fortune

card details that can be used by the cybercriminals for unauthorized

shopping, money withdrawing, etc.

o Trojans: It is a type of malware or code that appears as legitimate

software or file to fool us into downloading and running. Its primary
purpose is to corrupt or steal data from our device or do other harmful
activities on our network.

o Ransomware: It's a piece of software that encrypts a user's files and data
on a device, rendering them unusable or erasing. Then, a monetary
ransom is demanded by malicious actors for decryption.

o Worms: It is a piece of software that spreads copies of itself from device

to device without human interaction. It does not require them to attach
themselves to any program to steal or damage the data.

o Adware: It is an advertising software used to spread malware and

displays advertisements on our device. It is an unwanted program that is
installed without the user's permission. The main objective of this
program is to generate revenue for its developer by showing the ads on
their browser.

o Botnets: It is a collection of internet-connected malware-infected devices

that allow cybercriminals to control them. It enables cybercriminals to get
credentials leaks, unauthorized access, and data theft without the user's
permission.

2. Phishing

Phishing is a type of cybercrime in which a sender seems to come from

a genuine organization like PayPal, eBay, financial institutions, or friends and
co-workers. They contact a target or targets via email, phone, or text message
with a link to persuade them to click on that links. This link will redirect them to

8
 Tech-Fortune

fraudulent websites to provide sensitive data such as personal information,

banking and credit card information, social security numbers, usernames, and
passwords. Clicking on the link will also install malware on the target devices
that allow hackers to control devices remotely.

3. Man-in-the-middle (MITM) attack

A man-in-the-middle attack is a type of cyber threat (a form of

eavesdropping attack) in which a cybercriminal intercepts a conversation or
data transfer between two individuals. Once the cybercriminal places
themselves in the middle of a two-party communication, they seem like genuine
participants and can get sensitive information and return different responses.
The main objective of this type of attack is to gain access to our business or
customer data. For example, a cybercriminal could intercept data passing
between the target device and the network on an unprotected Wi-Fi network.

4. Distributed denial of service (DDoS)

It is a type of cyber threat or malicious attempt where cybercriminals

disrupt targeted servers, services, or network's regular traffic by fulfilling
legitimate requests to the target or its surrounding infrastructure with Internet
traffic. Here the requests come from several IP addresses that can make the
system unusable, overload their servers, slowing down significantly or
temporarily taking them offline, or preventing an organization from carrying out
its vital functions.

5. Brute Force

A brute force attack is a cryptographic hack that uses a trial-and-error

method to guess all possible combinations until the correct information is
discovered. Cybercriminals usually use this attack to obtain personal
information about targeted passwords, login info, encryption keys, and Personal
Identification Numbers (PINS).

9
 Tech-Fortune

6. SQL Injection (SQLI)

SQL injection is a common attack that occurs when cybercriminals use

malicious SQL scripts for backend database manipulation to access sensitive
information. Once the attack is successful, the malicious actor can view, change,
or delete sensitive company data, user lists, or private customer details stored in
the SQL database.

7. Domain Name System (DNS) attack

A DNS attack is a type of cyberattack in which cyber criminals take

advantage of flaws in the Domain Name System to redirect site users to
malicious websites (DNS hijacking) and steal data from affected computers. It
is a severe cybersecurity risk because the DNS system is an essential element of
the internet infrastructure.

Here ,let us know the SQL injection practically

Here, I take SQL injection attack and explain in detail

2. SQL injection

What Is SQL Injection?

SQL Injection is a code-based vulnerability that allows an attacker to read and

access sensitive data from the database. Attackers can bypass security measures
of applications and use SQL queries to modify, add, update, or delete records in
a database. A successful SQL injection attack can badly affect websites or web
applications using relational databases such as MySQL, Oracle, or SQL Server.
In recent years, there have been many security breaches that resulted from SQL
injection attacks.

10
 Tech-Fortune

Fig. SQL injection

2.1 Types of SQL Injection

In-band SQLi - The attackers use the same communication channel to launch
their attacks and collect results.

The two common types of in-band SQL injections are Error-based SQL
injection and Union-based SQL injection.

1. Error-based SQL injection - Here, the attacker performs certain actions

that cause the database to generate error messages. Using the error
message, you can identify what database it utilizes, the version of the server
where the handlers are located, etc.

11
 Tech-Fortune

2. Union-based SQL injection - Here, the UNION SQL operator is used in

combining the results of two or more select statements generated by the
database, to get a single HTTP response. You can craft your queries within
the URL or combine multiple statements within the input fields and try to
generate a response.

Blind SQLi - Here, it does not transfer the data via the web application. The
attacker cannot see the result of an attack in-band.

1. Boolean-based SQL Injection - Here, the attacker will send an SQL query
to the database asking the application to return a different result depending
on whether the query returns True or False.

2. Time-based SQL Injection - In this attack, the attacker sends an SQL

query to the database, which makes the database wait for a particular
amount of time before sharing the result. The response time helps the
attacker to decide whether a query is True or False.

Out-of-bound SQL Injection - Out-of-bound is not so popular, as it depends

on the features that are enabled on the database server being used by the web
applications. It can be like a misconfiguration error by the database
administrator.

2.2 How Does SQL Work on a Website?

A website has three major components - Frontend, Backend, and

Database.

At the frontend, a website is designed using HTML, CSS, and JavaScript. At the
backend, you have scripting languages such as Python, PHP, Perl, etc. The
server side has databases such as MySQL, Oracle, and MS SQL Server, to
execute the queries.

12
 Tech-Fortune

When you write a query, you generally send a get request to the website. Then,
you receive a response from the website with HTML code.

Using the Postman API tool, you can test the responses that you get from
various websites.

2.3 Demo on SQL Injection

SQL injection attack using sqlfiddle. Open the URL [Link] in

your web browser. You will get the following window.

Note: you will have to write the SQL statements

13
 Tech-Fortune

Step 1) Enter this code in left pane

CREATE TABLE `users` (
`id` INT NOT NULL AUTO_INCREMENT,
`email` VARCHAR (45) NULL,
`password` VARCHAR (45) NULL,
PRIMARY KEY (`id`));

insert into users (email, password) values ('m@[Link]’, md5('abc'));

Step 2) Click Build Schema

then it shows Schema ready.

Step 3) Enter this code in right pane

select * from users;

Step 4) Click Run SQL. You will see the following result

14
 Tech-Fortune

Suppose user supplies admin@[Link] and 1234 as the password. The

statement to be executed against the database would be

SELECT * FROM users WHERE email = ‘admin@[Link]’ AND password

= md5(‘1234’);

The above code can be exploited by commenting out the password part and
appending a condition that will always be true. Let’s suppose an attacker
provides the following input in the email address field.

xxx@[Link]’ OR 1 = 1 LIMIT 1 — ‘ ]

xxx for the password.

The generated dynamic statement will be as follows.

15
 Tech-Fortune

SELECT * FROM users WHERE email = ‘xxx@[Link]’ OR 1 = 1 LIMIT 1

— ‘ ] AND password = md5(‘1234’);

HERE,

 xxx@[Link] ends with a single quote which completes the string quote
 OR 1 = 1 LIMIT 1 is a condition that will always be true and limits the
returned results to only one record.
 — ‘ AND … is a SQL comment that eliminates the password part.

Copy the above SQL statement and paste it in SQL Fiddle Run SQL Text box as
shown below

16
 Tech-Fortune

2.4 Hacking Activity: SQL Inject a Web Application

We have a simple web application at [Link] that is
vulnerable to SQL Injection attacks for demonstration purposes only. The
HTML form code above is taken from the login page. The application provides
basic security such as sanitizing the email field. This means our above code
cannot be used to bypass the login.

To get round that, we can instead exploit the password field. The diagram below
shows the steps that you must follow

Let’s suppose an attacker provides the following input

 Step 1: Enter xxx@[Link] as the email address

 Step 2: Enter xxx’) OR 1 = 1 — ]

17
 Tech-Fortune

 Click on Submit button

 You will be directed to the dashboard

 Here we can able to add to new contact

18
 Tech-Fortune

 After adding the new contact ,it is updated in the dashboard

19
 Tech-Fortune

The generated SQL statement will be as follows

SELECT * FROM users WHERE email = ‘xxx@[Link]’ AND password =

md5(‘xxx’) OR 1 = 1 — ]’);

The diagram below illustrates the statement has been generated.

HERE,

 The statement intelligently assumes md5 encryption is used

 Completes the single quote and closing bracket
 Appends a condition to the statement that will always be true

In general, a successful SQL Injection attack attempts a number of different

techniques such as the ones demonstrated above to carry out a successful attack .

2.5 How to Prevent SQL injection?

20
 Tech-Fortune

1. Use prepared statements and parameterized queries - Parameterized

statements ensure that the parameters passed into the SQL statements
are treated safely.

2. Object-relational mapping - Most development teams prefer to use

Object Relational Mapping frameworks to translate SQL result sets
into code objects more seamlessly.

3. Escaping inputs - It is a simple way to protect against most SQL

injection attacks. Many languages have standard functions to achieve
this. You need to be aware while using escape characters in your code
base where an SQL statement is constructed.

Some of the other methods used to prevent SQL Injection are:

 Password hashing

 Third-party authentication

 Web application firewall

 Purchase better software

21
 Tech-Fortune

 Always update and use patches

 Continuously monitor SQL statements and database

2.6 Conclusion

SQL Injection attacks can exploit an organization’s database and control a

database server behind a web application. At the end of this we will come to
know what is cyber security and its types, goals , types of cyber threats, SQL
injection and its types ,how to do SQL injection with the demo model, we
looked at a demonstration using the SQLfiddle and techpanda application and
learned how to prevent SQL injection.

22
Tech-Fortune

23