SQL injection

SQL injection

An SQL injection, or SQLi attack, is a web-based intrusion attack that lets hackers use malicious code to bypass security mechanisms and gain access to SQL databases.

SQL (Structured query language) is is a domain-specific language used in programming and designed for managing data held in a relational database management system.

This kind of attacked results due to web developers' inattention and do not make aware of the input about this kind of vulnerabilities. One of the most important properties of the SQL injection attack is that it is easy to start and hard to avoid. These inappropriate programming practices allow attackers to trick the system by performing malicious SQL commands to exploit the database backend. Furthermore, the available scanning tools have limited features in shaping efficient attacking patterns which are required to detect hidden SQL injection vulnerability.SQL injection attacks allow attackers to spoof identities, exploit existing data, trigger repudiation problems such as voiding transactions or changing balances, allow full disclosure of all data on the network, kill or otherwise make it inaccessible, and become database server administrators.

SQL injection attacks, like much of computer technology, rarely stay constant. Halfond, Viegas, and Orso had identified seven forms of SQL injection attacks, differentiating between injection mechanisms and the attacker's purpose (Halfond, Viegas, & Orso, 2006, cited in Horner and Hyslip, 2017).

• The injection methods, while not targeting themselves, concentrated more on how the attacker could insert SQL commands; for example, an attacker could exploit user fields, cookies, server variables such as HTTP headers, or use second-order injection to deliver commands (Halfond, Viegas, & Orso, 2006, cited in Horner and Hyslip, 2017). 
• Tautology-based 
•  require the entry of code statements conditionally, such that conditional statements often return a true value.
• Piggybacking is the same attack discussed in Phrack magazine in 1998where SQL commands are placed in user input fields.
• A union-query attack can trigger a database to return an unintended table to an attacker with a command.
• Stored procedures, while being marketed as a conclusive defense against injection attacks, can become a tool for injection attacks if the stored procedures themselves involve vulnerabilities.
• Inference attack, inference assaults are identical to unauthorized or logically flawed requests in that the intruder does not explicitly access data except SQL databases. The inference is further divided into blind injection and timing attacks (Halfond, Viegas, & Orso, 2006, cited in  Horner and Hyslip, 2017  ).
• Lastly,  alternate encoding involves masking commands by using hexadecimal, ASCII, or Unicode encoding. By itself, this will not return valuable information, therefore, it is combined with other types of attacks to assist in avoiding detection (Halfond, Viegas, &Orso, 2006 cited in  Horner and Hyslip, 2017, )

How it work

There is an example of coding to launch an SQL attack (Konnyu, 2020).

"The code is simple. If there is a row in the users' table where the username and the password match, then the user will be logged in and the parameters come from the URL. But what will happen if I put this value for the password parameter: ' OR 1=1 –- ?" (Konnyu, 2020).

SQL reported attacks.

• In February 2002, Jeremiah Jacks discovered that Guess.com was vulnerable to an SQL injection attack, permitting anyone able to construct a properly-crafted URL to pull down 200,000+ names, credit card numbers and expiration dates in the site's customer database.
• On November 1, 2005, a teenaged hacker used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.
• On January 13, 2006, Russian computer criminals broke into a Rhode Island government website and allegedly stole credit card data from individuals who have done business online with state agencies.
• On June 29, 2007, a computer criminal defaced the Microsoft UK website using SQL injection.

• In July 2008, Kaspersky's Malaysian site was hacked by the "m0sted" hacker group using SQL injection.
• On August 17, 2009, the United States Department of Justice charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. 
• In October 2015, an SQL injection attack was used to steal the personal details of 156,959 customers from British telecommunications company TalkTalk's servers, exploiting a vulnerability in a legacy web portal

Conclusion: SQL injection is one of the most common and effective forms of attack on the system. Controlling the malicious SQL code / script on the web application and maintaining final privacy is still a key challenge for the web developer.

Badshah Mat Ali, A., Yaseen Ibrahim Shakhatreh, A., Syazwan Abdullah, M. and Alostad, J. (2011). SQL-injection vulnerability scanning tool for automatic creation of SQL-injection attacks. Procedia Computer Science, 3, pp.453-458.

Horner, M. and Hyslip, T (2017) SQL Injection: The Longest Running Sequel in Programming
History. Journal of Digital Forensics, Security and Law.Vol. 12,  No. 2, Article 10.

Konnyu, J. (2020). SQL injection. [online] Bitninja.io. Available at: https://bitninja.io/blog/2018/08/31/most-famous-vulnerabilities-sql-injection [Accessed 2 Feb. 2020].

 Konnyu, J. (2020). [image]