SQL Injection

SQL injection flaws occur when an attacker can send hostile data to an interpreter. The flaw allows attackers to relay malicious scripts through an application to another system. Such attacks include calls to the database using scripts written in Perl, Python and other languages, which can be injected into a weakly designed application and executed.

SQL Injection is a critical form of injection, as it can compromise security, expose confidential information, destroy information and damage the reputation of an organization. That is why it is still on the OWASP Top 10 list. According to researchers, most breaches worldwide are due to SQL injection, and still most companies do not have a complete solution for it.

To exploit an SQL injection flaw in an application, an attacker must find a parameter that the web application passes through to a database. By carefully embedding malicious SQL commands into the content of that parameter, the attacker can trick the web application into forwarding a malicious query to the database. This flaw is not difficult to exploit; many automated scanning tools are available on the market to find and exploit it.

Types of SQL Injection:

Error-Based SQL Injection – Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site or logged to a file with restricted access instead.

Boolean-Based SQL Injection – Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

Time-Based SQL Injection – Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Depending on the result, an HTTP response will be returned with a delay or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

Out-of-Band SQL Injection – Out-of-band SQL Injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL Injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band techniques offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.

How SQL injection works

  1. A security researcher, hacker or ethical hacker uses user input fields to inject scripts
  2. The web server executes the input received from the browser
  3. The web server asks the database to provide the requested data

This is how gaining access to the website works.

How to find if the application is vulnerable to SQL injection?

  • Use automated scanners to look for SQL injection in the website, then manually validate the findings
  • The application does not validate, filter or sanitize user-supplied data
  • Dynamic queries or non-parameterized calls are used in the interpreter without context-aware escaping
  • Object-relational mapping (ORM) search parameters use hostile data to extract additional, sensitive records
  • Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.

Risks an SQL injection can cause:

  • Data loss and corruption
  • Data could be stolen
  • Unauthorised access
  • Denial of access
  • Complete host system takeover

Preventing the SQL injection weakness:

  • Use a vetted library or framework
  • Use an API that avoids the use of an interpreter (parameterized queries)
  • Run the application with minimum privileges
  • Escape all special characters used by the interpreter
  • Input validation/sanitisation: allow-list (white-list) only the permitted characters
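The following is an added example, not code from the original post, showing the concatenated query from the "how to find" list beside the parameterized and allow-listed lookups from the prevention list. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table, names and the hostile input are all assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample database (not real data): three users, one of them privileged.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Hostile data is concatenated into the statement, so the query text now
    # carries both structure and data: the boolean-based case described above.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Placeholder binding: the driver passes the value separately from the
    # statement, so it is compared as a string and never parsed as SQL syntax.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list: the only characters a username may contain (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    # Reject anything outside the allow-list before it reaches the interpreter.
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn, username):
    # Defence in depth: allow-list validation first, then a parameterized query.
    if not validate_username(username):
        raise ValueError("username rejected by allow-list validation")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input that turns the WHERE clause true
    print(lookup_vulnerable(db, hostile))      # every row comes back
    print(lookup_parameterized(db, hostile))   # no row matches the literal string
```

Running the block prints all three users for the concatenated query and an empty list for the parameterized one; the hardened lookup refuses the input before any query is sent.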

SecuArk's vulnerability assessment and penetration testing team provides detailed guidance on whether your application is vulnerable to SQL injection attack, and attempts to exploit SQL injection vulnerabilities to determine whether unauthorized access, damage or other malicious activity is possible. Our penetration testing approach typically includes network penetration testing and application security testing, as well as the controls and processes around the networks and applications, and should occur both from outside the network trying to get in (external testing) and from inside the network.

We provide –

  • Different affordable and critical starting points on your journey to cyber protection
  • A risk-based approach
  • Coverage of target technologies such as the host, network and application layers
  • A testing process that identifies security vulnerabilities and assigns severity levels
  • Automated and manual techniques with varying degrees of rigor and an emphasis on comprehensive coverage
