SQL injection (SQLi) is a type of cyberattack against web applications that use SQL databases such as IBM Db2, Oracle, MySQL, and MariaDB. As the name suggests, the attack involves the injection of malicious SQL statements to interfere with the queries sent by a web application to its database. Here we will see the approaches to detect and prevent SQL injection in web applications.
5. ➢ Tautology
Example –
Select * from <tablename>
where userId = <id> and password = <wrongPassword> or 1=1;
The injected "or 1=1" makes the WHERE clause true for every row, so the wrong password is never effectively checked and the query still returns data (typically logging the attacker in as the first user in the table).
➢ Logically incorrect queries
Example –
Select * from <tablename>
where userId = 'xyz"" and password = <wrongPassword> or 1=1;
The unbalanced quote makes the statement fail to parse. If the application returns the database error verbatim, the message reveals the database type and often table or column names, which the attacker then uses to craft the real attack.
Dept. of CSE, RNSIT 2012
7. ➢ Stored Procedures
Example –
Select * from <tablename>
where userId = <id> and password = <Password> or 1=1; SHUTDOWN;
A second statement is piggy-backed onto the first; here it invokes SHUTDOWN, which stops the database server. Any procedure the application's database account may execute can be called this way.
➢ Blind Injection
Example-
SELECT name FROM <tablename> WHERE id=<username> and 1=0 -- AND pass =
SELECT name FROM <tablename> WHERE id=<username> and 1=1 -- AND pass =
The "--" comments out the password check. The two probes differ only in a condition the attacker knows to be false and true; if the application's responses differ, the injected condition is being evaluated, and the attacker can extract data one true/false question at a time without ever seeing a database error.
8. ➢ Timing Attacks
Example-
Declare @s varchar(500)
select @s = db_name()
if (ascii(substring(@s, 1, 1)) & ( power(3, 0))) > 0 waitfor delay '0:0:10'
db_name() returns the name of the current database; the bitwise AND masks one bit of the first character's ASCII code (power(3, 0) evaluates to 1) and delays the response by ten seconds only if that bit is set. Repeating the probe for each bit and each position leaks the name even when the application returns no data and no errors.
➢ Alternate Encoding
Example-
SELECT name FROM <tablename> WHERE id='' and
password=0;exec(char(0x73687574646f776e))
char(0x73687574646f776e) decodes to the string "shutdown", so the server executes SHUTDOWN while a filter that only looks for the keyword in clear text sees nothing suspicious.
9. Mechanism to detect SQL injection attacks.
Knowledge of SQL injection vulnerabilities in web applications.
IDS Approach
◦ Generic Signature
◦ Accurate & Taint Propagation: track which parts of each query originate from untrusted input, so that legitimate queries are not flagged
◦ Syntax-aware evaluation: check that tainted data never changes the syntactic structure of the query (it may only fill in a literal value)
◦ Minimal Deployment Requirements
10. Fig-1: Identification of trusted and untrusted data
11. Fig-2: The SQL Injection Detection Process
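The syntax-aware, taint-style check described in the IDS approach above, as an added example in Python (not code from the page, its figures or the papers it draws on). It uses structure comparison: the query is built once from the real input and once from a benign placeholder, and the two token shapes must be identical; any extra keyword, operator, comment or stray quote can only have come from the untrusted value. The `{}`-placeholder template form, the keyword list and the small lexer are assumptions of this example.

```python
import re

# Keywords whose presence changes the meaning of a query; other identifiers are just IDENT.
KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT", "UPDATE",
    "DELETE", "DROP", "EXEC", "SHUTDOWN", "WAITFOR", "DELAY", "LIKE", "IN", "IS", "NULL",
}

# A small SQL lexer: comments, quoted strings ('' is an escaped quote), numbers (incl. 0x..),
# identifiers, operators and punctuation. Anything else (e.g. a lone quote) is BAD.
TOKEN_RE = re.compile(
    r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>0[xX][0-9A-Fa-f]+|\d+(?:\.\d+)?)
    | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>[<>!]=|<>|[=<>+\-*/%&|])
    | (?P<punct>[(),;.@])
    | (?P<bad>.)
    """,
    re.VERBOSE | re.DOTALL,
)


def structure(sql):
    """Return the syntactic shape of a query: token kinds with literal values erased."""
    shape = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "ident":
            word = text.upper()
            shape.append(("KW", word) if word in KEYWORDS else ("IDENT", word))
        elif kind in ("string", "number", "comment"):
            shape.append((kind.upper(),))          # the value is data; only its kind matters
        else:
            shape.append((kind.upper(), text))     # op, punct or bad: the text is the syntax
    return shape


def build_query(template, values):
    """The vulnerable construction the page warns about: values pasted into the SQL text."""
    return template.format(*values)


def is_injection(template, values):
    """Structure comparison. A benign value fills exactly one literal token, so the query
    built from the real values must have the same shape as one built from placeholders.
    Any extra keyword, operator, comment or stray quote can only have come from the input.
    The placeholder '0' is one literal in both a quoted ('{}') and an unquoted ({}) slot,
    so a non-numeric value in an unquoted slot is flagged too (it would not be a literal)."""
    placeholders = ["0"] * len(values)
    return structure(build_query(template, values)) != structure(build_query(template, placeholders))


if __name__ == "__main__":
    login = "Select * from users where userId = '{}' and password = '{}'"
    for values in (["alice", "s3cret"],                 # benign
                   ["alice", "wrong' or 1=1 --"],       # tautology
                   ["alice", "x'; SHUTDOWN; --"],       # piggy-backed SHUTDOWN
                   ["xyz'", "x"]):                      # logically incorrect (unbalanced quote)
        print(values, "->", "INJECTION" if is_injection(login, values) else "ok")
```

Because only the shape is compared, a value such as O''Brien that the application escaped correctly still reads as one string literal and is not flagged, while an unescaped quote is, since it changes the token sequence even when it would merely cause a syntax error.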
12. For Database Administration
1. Install the database on a different machine than the Web server or application server.
2. Disable all default accounts and change all default passwords, including the super-user account.
3. Create a user account that has the minimum privileges necessary for the application to access its data.
4. Identify the list of SQL statements the application will use and allow only those statement types, e.g. SELECT, INSERT, UPDATE.
5. Use read-only views for functionality that does not require any inserts or updates, e.g. search or login.
13. For Developer
1. Sanitize the input by validating it in your code: an allow-list of what each field may contain, checked before the value reaches the database.
2. Use parameterized queries instead of dynamic queries.
For example: in Java, use PreparedStatement instead of the Statement object.
3. Employ proper error handling and logging within the application so that a database error or any other type of technical information is not revealed to the user.
4. Choose names for tables and fields that are not easy to guess. This only slows an attacker down and is no substitute for items 1 to 3.
5. Use stored procedures instead of raw SQL wherever possible. A stored procedure that builds dynamic SQL from its arguments is just as injectable as application code; the benefit comes from passing the values as procedure parameters.
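The developer advice above, together with the tautology, blind-injection and logically-incorrect-query examples from the attack slides, as one added example in Python using the standard sqlite3 module (not code from the page): the vulnerable dynamic query beside the parameterized, validated version, with each attack run against both. The users table, its two rows, the user-name allow-list pattern and all function names are constructed for this example.

```python
import logging
import re
import sqlite3

log = logging.getLogger("login")

# Allow-list for the user-name field: an assumed policy for this example, not one from the page.
USER_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db():
    """Constructed sample data: an in-memory database standing in for the application's DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userId TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user_id, password):
    """Dynamic query: the untrusted values become part of the SQL text (the bug)."""
    sql = ("SELECT userId FROM users WHERE userId = '%s' AND password = '%s'"
           % (user_id, password))
    row = db.execute(sql).fetchone()       # a malformed query raises here and, in a naive
    return row[0] if row else None          # application, the error text reaches the user


def login_safe(db, user_id, password):
    """Parameterized query (the Python equivalent of Java's PreparedStatement): the values
    travel separately from the SQL text, so the database can only compare them as data.
    The allow-list is an extra layer, not a substitute for parameters; the password is
    deliberately not restricted, the parameter alone makes it safe."""
    if not USER_ID_RE.match(user_id):
        return None
    try:
        row = db.execute(
            "SELECT userId FROM users WHERE userId = ? AND password = ?",
            (user_id, password),
        ).fetchone()
    except sqlite3.Error as exc:
        log.error("login query failed: %s", exc)   # detail goes to the log,
        return None                                 # never to the user
    return row[0] if row else None


def run_demo():
    """Run the page's attack classes against both versions; returns what each observed."""
    db = make_db()
    results = {
        "normal_vulnerable": login_vulnerable(db, "alice", "s3cret"),
        # tautology: 'OR 1=1' makes the WHERE clause true for every row
        "tautology_vulnerable": login_vulnerable(db, "alice", "x' OR 1=1 --"),
        # blind: the two probes differ only in a condition the attacker knows to be true/false
        "blind_true_vulnerable": login_vulnerable(db, "bob' AND 1=1 --", ""),
        "blind_false_vulnerable": login_vulnerable(db, "bob' AND 1=0 --", ""),
        "normal_safe": login_safe(db, "alice", "s3cret"),
        "tautology_safe": login_safe(db, "alice", "x' OR 1=1 --"),
        "blind_true_safe": login_safe(db, "bob' AND 1=1 --", ""),
        # a quote in the password is just a character when it is passed as a parameter
        "bad_quote_safe": login_safe(db, "alice", "xyz'"),
    }
    try:  # logically incorrect query: an unbalanced quote breaks the dynamic SQL
        login_vulnerable(db, "xyz'", "x")
        results["bad_quote_vulnerable_raised"] = False
    except sqlite3.Error:
        results["bad_quote_vulnerable_raised"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:28s} {value!r}")
```

The vulnerable version logs the attacker in with a tautology, answers the blind probes differently (bob for "1=1", nothing for "1=0"), and throws a database error on an unbalanced quote; the parameterized version returns the same "no match" for all of them, and the only error path it has writes to the log rather than to the response.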
14. Security is still one of the major issues all across the globe.
It is not difficult to prevent SQL injection attacks.
Training developers has proved very helpful in increasing their understanding of website vulnerabilities and the extent of the damage these can do.