This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
The most important features of today's cyber world revolve around web applications and databases. They play a major role in today's commercial world. People use different websites to submit and retrieve data from the databases. The web application being used by the user has an open access to the database. The language used to store, retrieve and manipulate data's in database is called the Structured Query Language (SQL) and it helps the users and the web application to interact with the database. Languages such as MYSQL and MSSQL functions with the help of SQL. SQL has different commands like Delete, Insert, and Select etc.., Hackers use SQL INJECTION mechanism to hack details from the databases and they may even delete those important details.
The technologies those are prone to this attack are the Dynamic script languages including JSP, PHP, ASP, ASP.NET AND CGI. The simplicity of SQL injection has proved it worth, where the hackers use some creative guess work along with the knowledge of SQL queries and databases to hack the details.
The hackers can gain access to the data's with the help of SQL injection technique and manipulate the existing queries, sub-selects and Union arbitrary data. They can execute crust commands and they may even write out or read in to the files. The advantage with the SQL injection technique is its impact can't be discovered until the theft is revealed. Patching up of servers, databases, operating systems and programming languages is important but it is not an optimal way to prevent the SQL injection attack.
The hackers gain an upper hand due to several factors, they are
Lack of awareness about security threats.
Public availability of the data's.
Proliferation of the custom made web applications.
TYPES OF WEB PROTOCOLS:
World Wide Web (www) is supported by, http- hyper text transfer protocol which is used to transfer information between the server and protocol, url- uniform resource locator which is used to identify any available document in the database and html- hyper text markup language which is used to hypertext documents.
It is used to exchange documents and acts like a file transfer protocol. It plays a role in formatting the messages and sending it between the server and the client and in defining the responses that has to be given based on the commands received. Being a stateless protocol the http receives requests which are independent and they do not have any order or relationship. Whereas the applications that generate dynamic contents may face some problems but they can rectified by the cookies mechanism which are in the http headers protocol. These cookies help to store the information in the user's computer which can be retrieved for later use.
It has strings which plays a role in specifying the ways to access the resources from the network. The database may have information such as audios, videos and html files which are identified by its url. It helps in the development of the interlinked documents and it helps to address the files accurately.
A typical url looks like,
<scheme> is the protocol which is sued to access resource.
<user> and <password> are used to verify authentication.
<host> as the name suggests is the name of the server that hosts the resource.
<port> is port on which the server is listening on and
(url-path> is specific to the scheme. A url-path can be a complete path or filename to a file.
It is an easy to learn and use language and it is an application of the SGML. In earlier days it wasn't a preferred one due to its simplicity and it made the job easy for the hackers. In 1994 World Wide Web Consortium (W3C) was formed to build awareness about web technologies. HTML 4.0 was released in 1997 which put an end to hacking, but it wasn't a permanent solution for hacking. HTML 4.0 includes Cascading Style Sheets (CSS) and definition of the Document Object Model (DOM). It also had features which helped the users with disabilities to access the contents.
It is more secured than http and it has a padlock icon which indicates that the website is secured. It is used in online banking services. It allows the users to make sure that they are connected to the secured website. If the url has https, it shows that the user is connected to the secured website.
INVESTIGATING THE WEB THREADS:
The hackers easily gain access to the web servers, as they have open connections for the internet. The reasons for the vulnerability of the server are due to buffer overflow, mis-configuration and security policies.
It happens when more data's are stored in a buffer than its actual capacity and those extra data's overflow to the neighbouring buffers. This results in the over writing of the data's in that buffer. The extra data's have codes for specific action and it will send the information to the computer that has been hacked and to the user's computer putting it at risk. Buffer overflow is due to the programming error.
A few organizations set their configuration as default like the username and password which are set as default, default sharing and default file location which are related to security. Most of the servers are based on the operating system. The web server's security will be at risk if the operating system is weak hence the operating systems patches should be kept updated. Configurations with necessary services and ports should be used for security reasons.
SQL Injection Technique:
This is the technique which is used to exploit the web applications and the client supplied data's in it without stripping the harmful characters. There are number of web applications which are prone to this type of attack inspite of the protection. The aim of this project is,
To highlight the techniques those are used to take an advantage of the various web applications which are vulnerable to SQL injection.
To discuss about the mechanisms that can be used to protect the web applications from SQL injection technique.
To discuss about the Input validation problems.
Encoding of the Characters:
The punctuation marks and symbols should be encoded by the url before using in a request in order to interpret it correctly. The regular ASCCII character have been used as examples and in screenshots like, %25 is used for Percent sign and %2B for the plus sign in the http request statement.
Vulnerability Testing Procedure:
The web applications should be thoroughly checked for the vulnerability of the SQL injection. When the server receives a script which has a single quote as first argument, it shows a white blank screen with OBDC error. A vulnerable script is easy to overlook if details are not given proper attention. The parameters in the script should be checked properly.
A programmer who creates the script A will not have anything to do with the development of script B and the programmer who created the function A in script A will not have anything to do with function B in script A, so one of the parameter in the script A may be prone to the SQL injection attack and the other parameter may not be. Hence a rigorous checking is necessary for the scripts.
Procedure for Testing:
Each and every parameter should be checked and tested individually. While testing a single parameter, the other parameters should not change from their order and should remain with a valid data. The data's which are not working in order can be deleted because the parameters with an incorrect argument can spoil the purpose of the whole procedure.
Contact Name= steve%20Johnson&company Name=Johnson%20Jhonson , is a valid parameter line.
Contact Name= steve%20Johnson&company Name='%20 OR, this parameter will show an OBDC error.
CompanyName= ', will show an error indicating that contact name value should be stipulated.
ContactName=BadcontactName&companyName= , this will show the same page similar to the request which did not stipulate the contact name and it can give the sites home page. When it could not locate the specified data, it may not send the argument of the parameter as an SQL statement and can give something different. So the full parameter line should be used while testing for SQL injection. The argument which is being tested for a legitimate value need not be given.
Evaluation of the Results:
An error message from the database server shows that SQL injection has been done. The database error messages do not appear in all the cases hence all the possible locations should be investigated. The returned page of the source should be investigated for phrases like "OBDC", "SYNTAX" and "SQL SERVER". The hidden commands and the input may have more details about the error. The headers of the web applications should be checked which gave the error message without any information in its body of the http response may have the error message in its header. A few web applications have such kind of features which are built into them for 'debugging' and 'question and answer' purposes. These features are not disabled at the time of release by mistake or may be due to lack of proper checking.
It is important to check the returned page and also the linked pages. In a recent study the web application showed a generic error message when attacked by SQL injection. By clicking the stop sign which was next to error, a new page showing the full SQL server error message popped up, as the sign was linked to it.
There are possibilities for a 302 page redirect and it should be watched carefully as it disappears
from the server page that shows the error message. It disappears before realizing that it has occurred.
SQL injection technique can be successful even when the returned page has an OBDC error message. Mostly properly formatted generic error messages are returned stating "problem processing the request" or "internal server error". A few web applications can survive with any type of error if they are returned to sites main page. Returning of the 500 error page shows that SQL injection is happening. A few sites have 500 internal server error pages as default setting. The error page of the site requests the user to send a mail to its technical support staff or says that server is down for maintenance. Using the stored procedure techniques it is possible to take advantage of a website.
TYPES OF SQL INJECTION ATTACK:
BY-PASSING THE AUTHORISATION:
This is one of the simplest techniques and is done by bypassing form based logins. For example
SQLQUERY = "SELECT Username FROM Users WHERE Username = ' " &
StrUsername & " 'AND password = ' " & strPassword & " ' "
StrAuthcheck = GetqueryResult (SQLQuery)
If strAuthcheck = " "Then
BoolAuthenticated = False
BoolAuthenticated = True
When the username and password is submitted by the user, the query goes through user's table in order to check for a row which has the username and password that matches to the one given by the user. When such a row is found the username gets stored into the strAuthcheck variable, which shows that the user has to be authenticated. When there are no matches the strAuthcheck variable will remain empty and the user is not authenticated.
It is possible to modify the actual SQL query structure if the strUsername and strPassword has any characters. The query returns a valid name even when the valid username and password are not known. As an example, when the login form is filled by the user,
Login: 'OR "= '
Password: 'OR "='
This gives the following SQLQuery
SELECT Username FROM Users WHERE Username= ' ' OR ' '= ' ' AND
Password= ' '= ' '
Here it will not compare the data supplied by the user with the one in the user table rather it compares ' ' (nothing) to ' ' (nothing), which will give a blank page.
As all the conditions of the WHERE clause are satisfied the username that is on the first row will be searched and selected. Then it will be sent to the strAuthcheck, which confirms the validation. Using the single result cycling technique it is possible to use another data.
In a few other cases the SQL Query of the web application which has reverse-engineering multiple parts are needed. To do this the error message has to be identified and the injection string should be modified so the attack is defeated.
QUOTE VERSUS DIRECT INJECTION:
The first error message encountered is the syntax error message. It indicates that given query does not satisfy the proper structure of the SQL Query. So it is important to check for the possibility of SQL injection without the quotation.
The argument submitted by the user is used in direct injection. This is used in the SQL Query without any alterations. Direct injection is possible if a error generates on taking genuine value of the parameter and adding a space and word " OR. In WHERE statements direct values can be numeric.
SQLString = "SELECT FIRSTName, LastName, Title FROM E employees WHERE Employee = " & intEmployeeID
The argument of an SQL keyword, such as table name or column:
SQLString = " SELECT FirstName , LastName, Title FROM E employees ODER BY " & StrColumn
And the rest are injection vulnerabilities due to quotes. In quoted injection vulnerability a quotation mark is present before and after the argument.
SQLString = "SELECT FirstName, LastName, Title FROM E employees WHWRE EmployeeID = '"& strCity & "'"
When maintaining a valid syntax without quotation marks the injection string must have a isngle quote before an SQL keyword and should end with a WHERE statement which needs a quote at its end.
The SQL server will not consider anything after a " ; - ", as they are rejected by the server. This is an essential technique that should be known while running oracle, MYSQL, DB/2 and for other databases too.
In order to retrieve information from the database SELECT queries should be used. The web applications that use dynamic content builds pages form the information those are returned from SELECT queries. A part of the query that is in the WHERE clause can be manipulated at times in order to return other records and not the intended one. It can be done using UNION SELECT. With the help of UNION SELECT multiple select queries can be specified in a single statement.
SELECT companyName FROM Shippers where 1 = 1 UNION ALL SELECT companyName from customers WHERE 1 = 1
In this both the records, from the first and second query will be returned together. It escapes a certain SELECT DISTINCT statements and will not interfere so it can be used always. It is important to make sure that the first query which the developer intends to use first should not return any record. As an example,
SQLString = "SELECT firstName, LastName, Title FROM Employees WHERE CITY = '" & " ' "
When using the following injection string,
'UNION ALL SELECT OTHERFIELD FROM Other Table WHERE ''= '
And this will send the following query to the database,
SELECT FirstName , Last name , Title from Employees WHERE City = ' ' UNION ALL SELECT OtherField FROM OtherTable WHERE ' ' = ' '
Here the search engines goes through the Employees table and searches for a row where City has a value nothing. As there are no rows where city is set nothing, it will not return any record but returns records from the injected query. In a few cases using the value nothing is not fruitful, because the table may have a few entries which use nothing. If nothing is specified while looking at the legitimate values, the application looks something different. It is better to use zero and negative numbers when numbers are expected. A text argument can use "No Such Record" or "sjdhalksja" as strings. It will not be a problem as long as they don't return any records.
Simple quereies as mentioned above are not used always. It depends on the function why the query is made and on the developer so, breaking a syntax error can be difficult.
ENUMERATION OF THE QUERIES WITH SYNTAX ERRORS:
The syntax error in the query is returned in the error message by a few databases. The syntax errors are created purposefully in order to " bully" the SQL query fragments. Based on the design of the query a few strings may return some useful information and others may not.
A few attack strings are,
' OR '
' OR '
9 , 9 , 9
Out of these strings only a few returns the information and a few does not returns any information. In few cases one of the strings will give useful information and others will not. So it is better to try all of the strings.
If the cited string in the syntax error has parenthesis or if a message is received saying that the parentheses are missing, a paranthesis can be added in the injection string. It should be added to the bad value part and to the WHERE clause. In a few cases two or more parentheses are required.
MYSQL = "SELECT LastName, FirstName, Title, Notes, Extension FROM Employees where (CITY = '"& StrCity & "') ''
When injecting the value " ' (UNION SELECT OtherField FROM Other Table WHERE ( ' ' = ' '' ,
The server receives the following query,
SELECT LastName , FirstName, Title , Notes, Extension FROM Employees where (CITY = '') UNION SELECT OtherField from otherTable WHERE (' ' = ' ')
LIKE clause is kind of a trap. When the error message shows percentage signs or LIKE keyword, it is an indication. LIKE clauses are used in most of the SQL queries with search function.
SQLString = "SELECT FirstName , LastName , Title FROM Employees WHERE LastName LIKE ' % " & strLastNameSearch & " % ' "
The percentage sign distracts and confuses. Here if the strLastNameSearch is seen anywhere in the LastName the WHERE clause will become true. So the intended query should be stopped from returning the records. In order to do this the bad value should be unique to any of the values in the LastName. The string which the web application adds to the end of the input should be replicated in the injection strings WHERE clause. Mostly it will be a parenthesis and at times a single quote and percentage sign is also used. If nothing is used as the bad value the like argument will be made " % %", which will return all the records. Figure 3 below explains the working injection query of the above mentioned code.
A few situations can be very difficult and enormous amount of effort has to be put to solve it. A few queries are unbreakable and they get errors often as they are trapped. A function which is inside a WHERE clause has the sub select. Sub select is an argument of some other function whose output has a string that is being manipulated and being used in LIKE clause which is in a sub select. Even the SQL server " ; - - " cannot help in such situations.
MISMATCHING OF THE COLUMN NUMBER:
If it is in the syntax error then it will not create many problems. The next error message indicates about the bad table name. To rectify this valid system table from the appendix can be chosen. The table name chosen should correspond to the database server which is being used.
Then a error message appears which indicates that the SELECT and UNION SELECT queries have a difference in the number of fields. It should find out the number of columns which are being requested in the legitimate query. If that is the code being attacked then, the injected UNION SELECT and the legitimate SELECT should have equal number of columns in the WHERE clause. Here both need three columns. The type of the column should also match with each other. If the first name is a string, then in the injection string the corresponding field should also be a string. A few servers like oracle are very stringent about this. Other servers are lenient and allow using any type of data which can convert into the correct type of data. As an example in an SQL server using numeric data in varchar's place will not create an issue because the numbers which are used can be converted into strings.
Using a text in the small column can be an issue as the text cannot be converted in to a number. Numbers can easily convert into a string and the values should be used default. In order to find out the number of columns that has to be matched, values are kept added to the UNION SELECT clause until the column number mismatch disappears. If the error mentions about the mismatch in the data type, the data entered in the column should be changed from numeric to text. If an incorrect data is submitted conversion errors could be seen. In a few instances we have to find out the columns that create an error as the conversion message appears when it matches the correct number of columns. If the error is due to the text, then it will be a hectic process to match the value types. The number of possible options gets more with the number of columns present in the query. If everything is normal a page with the same format and structure will appear. If dynamic contents are used there will be injection query.
The problems can be additional if the WHERE conditions are added to the query after the injection string. The problem which injects the query will not have table in the FROM clause with 'Country' as the column name. This problem can be solved in two ways. One is by using ";--" terminator if SQL is the server being used. The other way is to make a wild guess about the name of the table where the offending column is present and its FROM. A few attack queries can be used.
When the injection technique works, it should decide the fields and tables from which the information has to be retrieved. With oracle and SQL as the server, it will be possible to get all the names from the column and table. Based on the account's privilege which the web application uses access may or may not be possible. The crucial thing is to get access to the system tables that have the column and table names. They are called as 'sy in SQL server.
A survey by privacy clearing house shows how many numbers of records were stolen from the databases during the year 2005 and 2006.
101,070,850 records were stolen during the period of Feb 2005 to Feb 2006.
88,931,692 records were stolen during the period of Feb 2006 to July 2007.
An increase of 13% in 7 months.
Monthly record of 4.2 million records being stolen.
82 million (approx) records are stolen by hacking.
A few international organizations which are being hacked are,
CHOICE POINT INC
UNIVERISTY OF SOUTHERN CALIFORNIA
Step 1: Analysing the infrastructure of the server.
Step 2: Website survey.
Step 3: Checking for errors due to Input Validation.
Step 4: Mounting the Attack
RESULTS OF TESTING IN MODEL SITE:
Considering the professional reason the tests cannot be done on the live web servers instead they were tested in the websites which are designed for testing. It simulates a live online book store.
Scenario 1 book store:
This uses MYSQL and PHP database:
Snapshot of the screen from the model site
The user have to login for ordering books.
Their credit card details will be saved in the database.
Their username and email address are the same.
It is easy to get the email address and telephone number of the customer.
Snapshot of the screen from the model site:
It shows the username being used.
Scenario 2: Use of logic in SQL statements:
Using logic to validate login,
Select * from login where username 'johnson' and password 'steve'
The above statement returns a true value and allows login,
We inject Select * from login where 'jothy' Or 1=1'-- â€¦â€¦â€¦â€¦â€¦..
In this case 1=1 always true so login is permitted .
Scenario 3: Progress report :
The aim of the project is to provide a solution for the web vulnerability to the SQL injection technique.