"SQL injection attack was possible on RockYou because all of the user passwords were stored in plain text rather than using a non reversible hashing system. This site has been hacked and around 32.6m passwords were known to the attackers."- Using this specific case of SQL injection I would like to discuss how attackers exploit the vulnerabilities in the code written by programmers who focus more on implementing desired functionalities and less on security aspects, how these attacks can be avoided by using some countermeasures, though a comprehensive solution is still far into the future. If an effective solution ever exists it must unify technology, people, processes and policies while acknowledging the challenges and problems faced by the organizations.
A software bug is the common term used to describe an error, flaw, mistake or fault in a computer system that produces an incorrect or unexpected result, or causes it to behave in unintended ways (Software Bug - Wikipedia). The exploitation of these bugs in computer systems has led to security threats in information systems. Data is considered an organization's most valuable asset and attacks on it could threaten the organization's Confidentiality, Integrity and Availability. Despite the fact that organizations may have committed many resources to securing data and software systems, attempts to fool the system into executing some carefully crafted attack code have been commonplace in recent years.
SQL injection is an attack on data and is an exploitation of the bugs in computer software. Through the knowledge of databases and how to query them, it has become possible for hackers to browse and touch the backend of e-commerce infrastructures.
DATABASES AND SQL (Kauffman)
Most popular databases are Oracle, Microsoft SQL Server, IBM's DB2 and MySQL. All these databases allow commands to be passed onto them via SQL.
SQL (Structured Query Language) is a programming language used for inserting, updating and querying the database. More often it will be a front-end application which communicates with the database via SQL. SQL can perform any or all of the functions listed below:
Modify a structure (tables, views …).
Insert, update or delete a record or data.
Read, analyze and report data.
Return specified data back to the requester.
Each database has its own way of receiving SQL commands and processing them. Database Management System (DBMS) is responsible for processing these instructions.
A typical example involving Databases and SQL would be an e-commerce application where the underlying databases store the data regarding all the products in the store and a front end application written in Visual Basic or C# issuing SQL commands to retrieve all the products in the database to be shown to an e-shopper.
UNDERSTANDING SQL INJECTION
SQL injection - What is it? - SQL injection is an emerging technique which specifically targets the underlying relational database management system of an e-business platform via its frontend which typically is a webpage. Mainly, it targets applications that construct SQL statements from user-supplied input and queries the underlying database. Most web applications on the internet or within enterprise systems work this way and therefore could be vulnerable to these attacks.
Applications often take input from the users, as in the case of a user registration form. The underlying software constructs SQL statements from these inputs, and the hackers exploit the inability of the programmer to construct well structured SQL statements and execute unplanned and hostile commands. This capability allows the hackers to gain uncontrolled access to a web application including its underlying databases. Because these databases often contain sensitive information, the resulting security violations can lead to identity theft, loss of confidential information, loss of privacy and fraud. In extreme cases, attackers can even gain control and corrupt the system that hosts the web application. Web applications are very vulnerable to these attacks and a study by Gartner Group on over 300 Internet Web sites has shown that most of them could be vulnerable to SQL Injection attacks. In fact, high-profile websites such as Travelocity, FTD.com, Guess Inc. and RockYou have been successfully targeted.
The basic steps which occur during any injection process are:
First, the attacker provides malicious input into an application. The attacker provides the data in such a way that the front end application screens and accepts this data/request as legitimate. Then, this data is incorporated into a SQL query and passed on to the underlying database. Finally the database executes the query with the malicious input and results in database corruption or data deletion or operating system compromise.
SQL injection Example - The following is a most common example explaining SQL injection:
Scenario: Let us suppose a user wants to check the recent orders associated with his name in an e-commerce application.
Proper user input: John Smith
Translates to SQL query: Select * from orders where username = "John Smith"
Malicious user input: John Smith"; DROP table orders; #
Translates to SQL query: Select * from orders where username = "John Smith"; DROP table orders; #"
The trailing '#' in the input is the comment operator in MySQL. It tells the database to ignore everything that follows the operator. If the program making this malformed query has sufficient privileges on the database, it leads to deletion of the entire orders table. This attack could lead to the modification or complete destruction of the database.
SQL INJECTION - HISTORY
SQL injection as an attack was first publicized as a Microsoft web services article. This article, titled "NT Web Technology Vulnerabilities", first appeared in the fifty-fourth issue of Phrack, a digital periodical that covers hacking topics.
This was written by rainforestpuppy of the WireTrip security group, and discusses Microsoft SQL and ASP injection exploits (Rainforestpuppy). Microsoft argued that the issues identified by rainforestpuppy were not vulnerabilities at all. This response provoked him to research more SQL injection techniques.
The next publication by rainforestpuppy proved Microsoft wrong. "How I hacked PacketStorm - a look at hacking www threads via SQL" by him was the first to introduce a successful attack using SQL injection and thus proved how easy it was to circumvent implied security features. The structure of the database was guessed by giving random input and by doing a close analysis of the SQL error reports being generated by inserting random data into the database. Through the analysis of the database and the SQL syntax formulation, he was able to inject his own commands into the database.
This incident paved the way for SQL injection attacks and from there on, these attacks became commonplace in the world of IT security.
SQL INJECTION AS AN ATTACK METHODOLOGY
Since SQL is highly standardized and is an open standard, it is well documented and attackers have detailed understanding of the language and its use. The abundantly available information about databases and SQL also allows attackers to understand how SQL queries are formulated, and how they may be manipulated to gain access to a database thereby facilitating the attacker's ability to manipulate data and responses more effectively.
SQL is used to query a database by front-end applications. The SQL injection problem typically arises with web-based applications where users must be given privileges to enter, update and delete their information in the database; normally, a user accessing an application on a website is given an authentication token and high privileges on the database, whether or not they are needed. The only security employed in these applications is the programmers' code that verifies the user input, and since secure code review is a relatively new practice, many applications lack the input checking necessary to prevent SQL injection attacks.
Moreover, the complexity of the programming languages and the focus on user functionality and data manipulation have also increased opportunities for attacks. With the increasing integration of applications into web space and the majority of applications being data driven, developers need more functionality from the DBMS products. As database vendors strive to survive in the ever demanding world, they include more powerful control features which, if exploited in attacks, add more significance to the impact. Moreover, developers need to understand that the security of the applications is being compromised when they reach out for advanced DBMS features. If the developers do not understand the security impact, then the chances of flaws that allow SQL injection attacks being incorporated into the software are greatly increased.
SQL INJECTION MECHANISMS
Malicious SQL statements can be incorporated into an application in many ways. The most common ways are described below:
SQL Injection through user input - In this case, attackers inject malicious SQL statements through suitably crafted code. A web application can read user input in several ways based on the environment in which the application is deployed. But generally, in applications targeted by Injection attacks, user input is taken through form submissions via HTTP GET or POST. These applications take the input submitted by the attackers, form SQL commands and process these commands on the underlying database. This is the most usual form of SQL injection attack.
SQL Injection through cookies - A cookie is a text file stored as plain text on a user's computer by a web browser. A cookie consists of one or more name-value pairs containing bits of information, which may be encrypted for information privacy and data security purposes (HTTP Cookie - Wikipedia). Cookies generally contain information generated by web applications. When a user returns to the application, cookies can be read to restore the user's state information. Since these files are stored on the user's computer, a user has total control over these files and a malicious user can tamper with the cookie's contents. If a web application reads this cookie's contents and builds SQL queries from them, an attacker can easily submit an attack by embedding it in a cookie.
SQL Injection through server variables - Server variables are a collection of variables that contain HTTP, network headers and other environment variables. Web applications make use of these variables in several ways such as usage statistics and a user's browsing trends. Attackers can forge the values that are placed in HTTP and network headers and if these variables are inserted into a database without validating them, it could lead to SQL injection.
Second-order injection - In this case, attackers incorporate malicious inputs into a database or an application to indirectly trigger an injection attack when that input is used at a later point of time. The objective of this attack differs from the above mentioned ones because these injections are not aimed to cause an attack when the malicious input reaches the database. Instead, attackers rely on knowledge of where the input will be subsequently used and craft their attack in such a way that it occurs during that usage.
For example, a user registers using another name such as "admin'--" on a website. Now, at this point this user tries to modify his or her password and the application requires the user to know his username, old password and new password.
Let us try building the SQL query for this operation where username = "admin'--", old password = "123" and new password = "1234".
So the query becomes: UPDATE users SET password = '1234' WHERE username = 'admin'--' AND password = '123';
Since "--" is a comment operator in SQL, everything after that is ignored and the result of the query is that the database changes the password of the administrator (admin) of the application to the user's choice.
Second-order injections are not easy to detect and deal with as the point of injection is different from the point of attack. Even though the developers may try to sanitize and validate the input before being inserted into database, later on when the sanitized input is used to build queries it may lead to SQL injection.
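The second-order case above can be reproduced end to end. The following is an added example, not code from the original essay: it uses Python's sqlite3 module with an in-memory database, and the table layout, function names and sample rows are constructed for illustration (passwords are in plain text only to mirror the essay's query).

```python
import sqlite3

def make_db():
    """In-memory users table: an admin plus the account registered as admin'-- (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Registration binds its values, so the odd username is stored verbatim
    # and nothing goes wrong at the point of injection.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret-admin"), ("admin'--", "123")])
    return db

def change_password_vulnerable(db, session_user, old_pw, new_pw):
    """Reads the username back from the database, trusts it, and pastes it into SQL text."""
    stored_name = db.execute("SELECT username FROM users WHERE username = ?",
                             (session_user,)).fetchone()[0]
    sql = ("UPDATE users SET password = '" + new_pw + "' WHERE username = '"
           + stored_name + "' AND password = '" + old_pw + "'")
    db.execute(sql)  # everything after -- is a comment, so the password check is gone
    return sql

def change_password_safe(db, session_user, old_pw, new_pw):
    """Same operation with every value bound; stored data is never parsed as SQL."""
    cur = db.execute(
        "UPDATE users SET password = ? WHERE username = ? AND password = ?",
        (new_pw, session_user, old_pw))
    return cur.rowcount  # number of rows actually changed

def passwords(db):
    """Current username -> password mapping, for inspecting the outcome."""
    return dict(db.execute("SELECT username, password FROM users"))

if __name__ == "__main__":
    db = make_db()
    print(change_password_vulnerable(db, "admin'--", "123", "1234"))
    print("vulnerable:", passwords(db))   # admin's row was changed
    db = make_db()
    change_password_safe(db, "admin'--", "123", "1234")
    print("safe:      ", passwords(db))   # only the caller's own row changed
```

The point for code review is that values read back from the database need the same handling as values read from a request.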
WHO ARE THE ATTACKERS?
It is not possible to list the attackers' name, just as we cannot list all the criminals who will commit a murder in the city, country or in the world. Even if we know who they are, can we stop them from committing these attacks? To have some idea of who the attackers might be let us examine in detail the main component of the three components of attack: method, opportunity and motive.
When an attacker utilizes a crafted malicious SQL code to launch an attack, attack intention is the goal that the attacker will try to reach if the attack is successful.
Extract database data - Database data of an application is highly sensitive and highly desirable by several people for various reasons. It could be for money, fraud, espionage or just for the sheer challenge. SQL injection attacks with the intention of extracting data are the most common type of injection attacks.
Modify database data- Modifying database data provides for a variety of gains for an attacker. For example, an attacker may try to modify the price of an expensive item which he bought online by getting into the database. The threads in a discussion forum may be modified too to launch cross site scripting attacks.
Download files from the server- Downloading files from attacked database enables an attacker to view file content stored on the server. Sensitive data such as configuration information and source code could be compromised too.
Upload files to the server- Uploading files to a database enables an attacker to store any malicious code which may contain a Trojan or a worm to launch further attacks again.
Execute remote commands- Remote commands are executable code which resides on the database server. Remote command execution allows attackers to run arbitrary commands on the server and such type of attacks could lead to entire internal networks being compromised.
Having examined all the details of the SQL injection attack, one real world example of this attack is described in the following section:
SQL INJECTION ATTACK ON ROCKYOU
Type of SQL injection attack- SQL Injection through user input
Intent of the attack- Extracting database data
How did it happen? - RockYou! (Originally known as RockMySpace), based in Redwood City, California is a publisher and developer of applications and other social network services. As of December, 2007 it is the most successful widget maker for the Facebook platform in terms of total installations. (RockYou! - Wikipedia)
RockYou was compromised by a SQL injection attack which exposed emails and passwords for more than 32 million user accounts. Perhaps what increased the impact of the attack significantly is the fact that all the passwords were stored in plain text and by default all the usernames were the users' web mail accounts (Hotmail, Yahoo or Gmail). Once an attacker has all this information in his hands, he can do any of the following:
Log in to the mail accounts and extract private information from the inbox such as their banking information, credit card numbers, business information, other passwords and other sensitive information which the user might not want to make public.
Use the passwords obtained from his email and cause the victim loss of money, fame, privacy etc.
The attacker can send emails to the victim's entire contact list and make them look legitimate, asking for some information or passing on some derogatory information to them. This would be a typical identity theft case.
The victim's contact list would make for an excellent spam list and the attacker can spam all the accounts.
This means that users of this site are particularly vulnerable if they use the same usernames and passwords for all the sites they visit, which would be a major security lapse. This was possible on RockYou because all of the user passwords were stored in plain text rather than using a non reversible hashing system. Moreover, RockYou took time to admit that their site in fact was breached and by the time it did that it was too late. One hacker even claimed to have gotten access to the accounts and posted some of the data in some online forum. (RockYou Hacked 32.6 million user accounts compromised)
RockYou users, tech forums, Data security centers vented out that -
"RockYou failed to encrypt - use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security." (Facebook app maker hit with Data breach)
This attack again proved that simple passwords still remain popular in spite of the risk of attack. Never before have analysts seen such a huge volume of data. The RockYou attack has given them more than 32 million passwords to analyze. The analysis shows that "123456" is the most popular password followed by "12345", "abc123", "qwerty" and "password". More disturbing was the fact that 20% of people on RockYou picked from the same, relatively small pool of 5,000 passwords. That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute. (Imperva Releases detailed analysis of 32.6 m passwords)
HOW IT COULD HAVE BEEN AVOIDED
The first and foremost thing which strikes out from this attack is "Why were the passwords stored in plain text". It made the attackers' job easier by giving them what they were looking for in just one shot. This could have been avoided by using some kind of encryption on the password.
Encrypting the passwords - The process of transforming (plain text) using an algorithm (cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). (Encryption - Wikipedia)
Encryption was used long before by militaries and governments to pass on secret information. Nowadays, it is very common for the internet applications to store information in encrypted format. There are a number of ways to achieve encryption on the sensitive information. RockYou could have taken either one of these and saved itself and its users from this attack.
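The alternative to plain-text storage named earlier, a non-reversible salted hash, is shown below as an added example that is not part of the original essay. It uses a one-way key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) rather than reversible encryption; the function names, record format and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware

def hash_password(password, *, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest (hex)."""
    # A fresh random salt per user means identical passwords produce
    # different records, so one cracked hash does not reveal the others.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Two users choosing the most common password from the RockYou analysis.
    a = hash_password("123456")
    b = hash_password("123456")
    print(a)
    print(b)
    print(verify_password("123456", a), verify_password("12345", a))
```

A database dump then yields only salts and digests, so each password has to be guessed individually at the cost of the full work factor; very common passwords such as "123456" still fall quickly to guessing.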
To prevent SQL injection attacks, researchers have proposed a wide range of techniques to address this problem. Following are a few of these techniques which range from best coding practices to fully automated systems which identify SQL injection attacks.
The SQL injection could have been avoided by using some defensive coding practices which are listed below.
DEFENSIVE CODING PRACTICES
The major cause of SQL injection attack is insufficient input validation. Vulnerabilities creep into application because application developers focus more on implementing desired functionalities and less on security aspects. Following gives us some of the best practices for preventing SQL injection.
Sanitize the input - SQL injection attacks can be performed by injecting commands into string or numeric accepting input fields. A simple check of the inputs entered by the user will keep these attacks at bay. If the input field is numeric only, make sure that the user is entering only digits by rejecting any special characters that the user may enter. Always validate user input by testing type, length, format and range. Some of the points to keep in mind while coding to avoid these attacks are:
Never build SQL statements from user input
Use stored procedures to validate user input.
Never concatenate user input before validation as string concatenation is the primary source for SQL injection.
Whenever there is a possibility, reject all the comment operators.
Encode the input - SQL injections are often accomplished through the use of meta-characters that trick the SQL parser into treating them as valid SQL tokens. While a check can be performed to reject such characters, it would restrict a non-malicious user's ability to use these characters when the need arises. So instead of rejecting the meta-characters, they can be encoded and pushed to the database in such a way that an attack would not be possible using these characters.
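The checks listed above (type, length, format and range), applied to the order lookup from the earlier scenario, look like this. It is an added example rather than code from the original essay: it uses Python's sqlite3 module, the schema, limits and function names are assumptions, and bound parameters stand in for hand-written encoding of meta-characters.

```python
import re
import sqlite3

# Format and length in one pattern: starts with a letter, 1 to 50 characters,
# and still admits legitimate names such as O'Brien.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,49}")
ORDER_ID_RE = re.compile(r"[0-9]{1,8}")

def validate_username(value):
    """Type, length and format check; returns the value or raises ValueError."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def validate_order_id(value, lo=1, hi=10_000_000):
    """Numeric-only field: digits only, then converted and range-checked."""
    if not isinstance(value, str) or not ORDER_ID_RE.fullmatch(value):
        raise ValueError("order id must be 1 to 8 digits")
    number = int(value)
    if not lo <= number <= hi:
        raise ValueError("order id out of range")
    return number

def make_db():
    """In-memory orders table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, username TEXT, item TEXT)")
    db.executemany("INSERT INTO orders (username, item) VALUES (?, ?)",
                   [("John Smith", "keyboard"), ("Pat O'Brien", "monitor")])
    return db

def orders_for(db, username):
    # Validation narrows what is accepted; the bound parameter is what
    # guarantees the value is treated as data, apostrophes included.
    name = validate_username(username)
    return db.execute("SELECT id, item FROM orders WHERE username = ?",
                      (name,)).fetchall()

def order_by_id(db, raw_id):
    """Look up one order by a numeric id taken from user input."""
    return db.execute("SELECT id, username, item FROM orders WHERE id = ?",
                      (validate_order_id(raw_id),)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print(orders_for(db, "John Smith"))
    print(orders_for(db, "Pat O'Brien"))      # legitimate meta-character
    for bad in ['John Smith"; DROP table orders; #', "42; DROP table orders"]:
        try:
            orders_for(db, bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Note that a name such as admin'-- passes the format check because apostrophes and hyphens are allowed; it is harmless only because the query binds it.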
FUTURE OF SQL INJECTION
Big name security firms such as NGS Software have led the research in SQL Injection attacks, pioneering enumeration and exploitation techniques of all the major databases. As long as poorly coded applications or legacy systems still remain, SQL injection will remain a standard tool in penetration testing and exploit toolkits, much like packet fragmentation and buffer overflows.
Fortunately, as SQL injection attacks have grown in number, the major database vendors began to take notice of it and have begun to evaluate their database code for security purposes. Even the programmers responsible for coding major applications have begun to review user input more closely and incorporate more stringent security techniques into the code, making new versions of their software more resistant to the known forms of SQL injection.
Unfortunately, there are still many doors open to carry out these attacks. New applications whose programmers were unaware of these concerns and legacy applications where software updates come at a high cost are still vulnerable to these attacks.
Even though we can prevent such attacks from taking place using some defensive approaches, a comprehensive solution is still far into the future. If an effective solution ever exists it must unify technology, people, processes and policies while acknowledging the challenges and problems faced by the organizations.