This slide deck contains information about SQL injection: the types of SQL injection, some case studies of SQL injection attacks, and some techniques we can use to protect our systems.
2. What is SQL injection?
SQL injection, also known as SQLI, is a common attack vector that
uses malicious SQL code for backend database manipulation to access
information that was not intended to be displayed. This information may
include any number of items, including sensitive company data, user lists or
private customer details.
A successful attack may result in the unauthorized viewing of user
lists, the deletion of entire tables and, in certain cases, the attacker gaining
administrative rights to a database, all of which are highly detrimental to a
business.
When calculating the potential cost of an SQLi, it’s important to
consider the loss of customer trust should personal information such as phone
numbers, addresses, and credit card details be stolen.
3. Types of SQL Injections:-
SQL injections typically fall under three categories: In-band SQLi
(Classic), Inferential SQLi (Blind) and Out-of-band SQLi. SQL injection types
can be classified by the methods they use to access backend data and by their
damage potential.
A. In-band SQLi:-
The attacker uses the same channel of communication to launch their
attacks and to gather their results. In-band SQLi’s simplicity and efficiency
make it one of the most common types of SQLi attack. There are two sub-variations
of this method:
1. Error-based SQLi—the attacker performs actions that cause the database to
produce error messages. The attacker can potentially use the data provided by
these error messages to gather information about the structure of the database.
2. Union-based SQLi—this technique takes advantage of the UNION SQL
operator, which combines the results of multiple SELECT statements into a single
result set that is returned in one HTTP response. This response may contain data
that can be leveraged by the attacker.
4. B. Inferential (Blind) SQLi
The attacker sends data payloads to the server and observes the
response and behavior of the server to learn more about its structure. This
method is called blind SQLi because the data is not transferred from the
website database to the attacker, thus the attacker cannot see information about
the attack in-band.
Blind SQL injections rely on the response and behavioral patterns of
the server so they are typically slower to execute but may be just as harmful.
Blind SQL injections can be classified as follows:
1. Boolean—the attacker sends a SQL query to the database, prompting the
application to return a result. The result varies depending on whether the
query is true or false, so the content of the HTTP response either changes or
stays the same. The attacker can then work out whether the query evaluated to
true or false.
5. 2. Time-based—the attacker sends a SQL query to the database which makes the
database wait (for a period in seconds) before it responds. From the time the
database takes to respond, the attacker can tell whether the query is true or
false: the HTTP response arrives either immediately or only after the waiting
period. The attacker can thus work out whether the query returned true or false
without relying on any data from the database.
C. Out-of-band SQLi
The attacker can only carry out this form of attack when certain
features are enabled on the database server used by the web application. This
form of attack is primarily used as an alternative to the in-band and inferential
SQLi techniques.
Out-of-band SQLi is performed when the attacker can’t use the same
channel to launch the attack and gather information, or when a server is too slow
or unstable for these actions to be performed. These techniques rely on the
server's ability to make outbound DNS or HTTP requests that carry data to the
attacker.
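As an added example (written for this page, not taken from the slides), the following Python script shows how a defender might triage web-server access logs for the in-band and blind categories described above; the log lines and client address are constructed for this example, and the signatures are coarse indicators for monitoring, not proof of an attack.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (Common Log Format) for this example; the
# client address and paths are invented and not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=42 HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=42%27 HTTP/1.1" 500 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=42+UNION+SELECT+1,2 HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=42+AND+1=2 HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /item?id=42+AND+SLEEP(5) HTTP/1.1" 200 1024
"""

# Coarse signatures, one per category from the slides. Order matters: the
# first match wins, and time-based payloads usually also contain AND/OR.
SIGNATURES = [
    ("union-based", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("boolean-based", re.compile(r"\b(and|or)\b\s+\S+\s*=\s*\S+", re.I)),
]
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify_line(line):
    """Return (client_ip, category) for one log line, or None if unparseable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, path, status = m.groups()
    decoded = unquote_plus(path)        # normalise URL encoding before matching
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return ip, name
    # A stray quote followed by a server error is the error-based tell-tale:
    # the database choked on the input and the application surfaced it as a 500.
    if status == "500" and "'" in decoded:
        return ip, "error-based"
    return ip, "benign"

def summarize(log_text):
    """Count flagged categories per client IP; benign/unparseable lines are skipped."""
    counts = {}
    for line in log_text.splitlines():
        result = classify_line(line)
        if result and result[1] != "benign":
            ip, category = result
            counts.setdefault(ip, {})
            counts[ip][category] = counts[ip].get(category, 0) + 1
    return counts
```

Out-of-band SQLi leaves no trace in these request logs, which is why the script has no rule for it; it is caught at the DNS or egress layer instead. Signature matching is easily evaded by re-encoding or re-phrasing the input, so it supports monitoring and never replaces prepared statements.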
6. Some Attacks:-
Yahoo's 500-Million-Account Breach
E-mail giant Yahoo announced the compromise of 500 million user
accounts—which is being called the largest breach from a single site in history.
The breach compromised names, email addresses, telephone numbers, dates of
birth, passwords, and some encrypted or unencrypted security questions and
answers.
In 2012, Yahoo was breached via SQL injection attack, which
compromised about 450,000 usernames and passwords.
7. Hackers sentenced for SQL injections that cost
$300 million
What was then the sixth-largest payments processor in the US announced
back in 19/5/2009 that its processing systems had been breached the year before.
Within days, it had been classified as the biggest ever criminal breach of card
data. One estimate claimed 100 million cards and more than 650 financial services
companies were compromised, at a cost of hundreds of millions of dollars. Prosecutors
have said that three of the corporate victims reported $300m in losses.
In total, the hacking ring responsible for the Heartland attack compromised
160 million credit card numbers.
Russian national Vladimir Drinkman, 37, had previously pleaded guilty to one count of
conspiracy to commit unauthorized access of protected computers and one count of
conspiracy to commit wire fraud. He’s been sentenced to 12 years in prison. Dmitriy
Smilianets, 34, of Moscow, had previously pleaded guilty to conspiracy to commit wire
fraud against a financial institution and was sentenced to 51 months and 21 days in
prison: time served.
8. SQL Injection Attacks on the Rise, As Gaming
Industry Under Attack from Credential Stuffing
In its report Akamai noted that: “The growth of SQLi as an attack vector
over the last two years should concern website owners. In the first quarter of
2017, SQLi accounted for 44% of application layer attacks. This actually
represented a rather large drop from the previous baseline, which was historically
slightly over 50%.”
9. Other SQL Injection attack types:-
SQL injections can do more harm than just bypassing the login algorithms. Some
of the attacks include:
• Deleting data
• Updating data
• Inserting data
• Executing commands on the server that can download and install malicious
programs such as Trojans
• Exporting valuable data such as credit card details, email, and passwords to the
attacker’s remote server
• Getting user login details, etc.
10. How to prevent SQL Injection attacks:-
• An organization can adopt the following policy to protect itself against SQL
injection attacks.
• User input should never be trusted - it must always be sanitized before it is
used in dynamic SQL statements.
• Stored procedures – these can encapsulate the SQL statements and treat all
input as parameters.
• Prepared statements – these work by creating the SQL statement first and then
treating all submitted user data as parameters, so the data has no effect on the
syntax of the SQL statement.
• Regular expressions – these can be used to detect potentially harmful code and
remove it before executing the SQL statements.
• Database connection user access rights – only the access rights that are
necessary should be granted to the accounts used to connect to the database.
This limits what the SQL statements can do on the server.
• Error messages – these should not reveal sensitive information or where
exactly an error occurred. A simple custom error message such as “Sorry, we
are experiencing technical errors. The technical team has been contacted.
Please try again later” can be used instead of displaying the SQL statement that
caused the error.
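As an added example for the prepared-statement and error-message points above (written for this page, not taken from the slides), the following Python code uses the standard sqlite3 module and a constructed one-row users table to contrast a dynamic-SQL login check with a prepared statement, and wraps both so that database errors reach the user only as a generic message:

```python
import sqlite3

def make_db():
    """Constructed in-memory database with one account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Dynamic SQL: the input is pasted into the statement text, so a quote
    # in the input changes the query's structure. This is the defect.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()

def login_prepared(conn, username, password):
    # Prepared statement: the SQL text is fixed and the values are bound as
    # parameters, so whatever they contain is treated as data, never as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def handle_login(conn, username, password, query):
    """Run a login query and map the outcome to a message safe to show users."""
    try:
        row = query(conn, username, password)
    except sqlite3.Error:
        # Never echo the SQL or the driver's error text back to the client;
        # record the exception in a server-side log instead (omitted here).
        return "error: Sorry, we are experiencing technical errors. Please try again later"
    return "ok" if row else "denied"
```

A quote in a user name such as O'Brien makes the dynamic query fail (the raw driver error is exactly what error-based SQLi feeds on), while the prepared statement simply returns no match.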
11. Summary
1. SQL injection is an attack type that exploits poorly written SQL statements.
2. SQL injection can be used to bypass login algorithms, retrieve, insert, and update
and delete data.
3. SQL injection tools include SQLMap, SQLPing, and SQLSmack, etc.
4. A good security policy when writing SQL statements can help reduce SQL
injection attacks.