Downloaded 41 times
More Related Content
SQL injection
- 1.
- 2. What is SQLinjection? SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details. A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business. When calculating the potential cost of an SQLi, it’s important to consider the loss of customer trust should personal information such as phone numbers, addresses, and credit card details be stolen.
- 3. Types of SQLInjections:- SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-of-band SQLi. You can classify SQL injections types based on the methods they use to access backend data and their damage potential. A. In-band SQLi:- The attacker uses the same channel of communication to launch their attacks and to gather their results. In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi attack. There are two sub- variations of this method: 1. Error-based SQLi—the attacker performs actions that cause the database to produce error messages. The attacker can potentially use the data provided by these error messages to gather information about the structure of the database. 2. Union-based SQLi—this technique takes advantage of the UNION SQL operator, which fuses multiple select statements generated by the database to get a single HTTP response. This response may contain data that can be leveraged by the attacker.
- 4. Inferential (Blind) SQLi Theattacker sends data payloads to the server and observes the response and behavior of the server to learn more about its structure. This method is called blind SQLi because the data is not transferred from the website database to the attacker, thus the attacker cannot see information about the attack in-band. Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to execute but may be just as harmful. Blind SQL injections can be classified as follows: Boolean—that attacker sends a SQL query to the database prompting the application to return a result. The result will vary depending on whether the query is true or false. Based on the result, the information within the HTTP response will modify or stay unchanged. The attacker can then work out if the message generated a true or false result.
- 5. 2. Time-based—attacker sendsa SQL query to the database, which makes the database wait (for a period in seconds) before it can react. The attacker can see from the time the database takes to respond, whether a query is true or false. Based on the result, an HTTP response will be generated instantly or after a waiting period. The attacker can thus work out if the message they used returned true or false, without relying on data from the database. C. Out-of-band SQLi The attacker can only carry out this form of attack when certain features are enabled on the database server used by the web application. This form of attack is primarily used as an alternative to the in-band and inferential SQLi techniques. Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions to be performed. These techniques count on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.
- 6. Some Attacks:- Yahoo's 500-Million-AccountBreach E-mail giant Yahoo announced the compromise of 500 million user accounts—which is being called the largest breach from a single site in history. The breach compromised names, email addresses, telephone numbers, dates of birth, passwords, and some encrypted or unencrypted security questions and answers. In 2012, Yahoo was breached via SQL injection attack, which compromised about 450,000 usernames and passwords.
- 7. Hackers sentenced forSQL injections that cost $300 million What was then the sixth-largest payments processor in the US announced back in 19/5/2009 that its processing systems had been breach the year before. Within days, it had been classified as the biggest ever criminal breach of card data. One estimate claimed 100 million cards and more than 650 financial services companies were compromised, at a cost of hundreds of millions of dollars. Prosecutors have said that three of the corporate victims reported $300m in losses. In total, the hacking ring responsible for the Heartland attack compromised 160 million credit card numbers. Russian national Vladimir Drinkman, 37, had previously pleaded guilty to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. He’s been sentenced to 12 years in prison. Dmitriy Smilianets, 34, of Moscow, had previously pleaded guilty to conspiracy to commit wire fraud against a financial institution and was sentenced to 51 months and 21 days in prison: time served.
- 8. SQL Injection Attackson the Rise, As Gaming Industry Under Attack from Credential Stuffing In its report Akamai noted that: “The growth of SQLi as an attack vector over the last two years should concern website owners. In the first quarter of 2017, SQLi accounted for 44% of application layer attacks. This actually represented a rather large drop from the previous baseline, which was historically slightly over 50%.”
- 9. Other SQL Injectionattack types:- SQL Injections can do more harm than just by passing the login algorithms. Some of the attacks include Deleting data Updating data Inserting data Executing commands on the server that can download and install malicious programs such as Trojans Exporting valuable data such as credit card details, email, and passwords to the attacker’s remote server Getting user login details etc
- 10. How to Preventagainst SQL Injection Attacks:- •An organization can adopt the following policy to protect itself against SQL Injection attacks. •User input should never be trusted - It must always be sanitized before it is used in dynamic SQL statements. •Stored procedures – these can encapsulate the SQL statements and treat all input as parameters. •Prepared statements –prepared statements to work by creating the SQL statement first then treating all submitted user data as parameters. This has no effect on the syntax of the SQL statement. •Regular expressions –these can be used to detect potential harmful code and remove it before executing the SQL statements. •Database connection user access rights –only necessary access rights should be given to accounts used to connect to the database. This can help reduce what the SQL statements can perform on the server. •Error messages –these should not reveal sensitive information and where exactly an error occurred. Simple custom error messages such as “Sorry, we are experiencing technical errors. The technical team has been contacted. Please try again later” can be used instead of display the SQL statements that caused the error.
- 11. Summary 1. SQL Injectionis an attack type that exploits bad SQL statements 2. SQL injection can be used to bypass login algorithms, retrieve, insert, and update and delete data. 3. SQL injection tools include SQLMap, SQLPing, and SQLSmack, etc. 4. A good security policy when writing SQL statement can help reduce SQL injection attacks.