Database systems use different varieties of Structured Query Language (SQL) to administer, query and operate database systems such as Oracle and Microsoft SQL Server. To provide dynamic responses to requests, web applications interact directly with back-end databases, often by building SQL statements on the fly from user input. An SQL injection attack subverts the statement the application intended to run by supplying input that the back-end database interprets as SQL code rather than as data.
A successful SQL injection attack can have far-reaching consequences for both organizations and their clients, depending on the web application and on the data the attacker is able to reach; the damage may be financial, reputational (company brand value) or personal. For example, in the case of a financial institution, a successful SQL injection attack can expose clients' sensitive personal information and also allow that information to be altered.
For example, to log in to a server page the username and password are captured in the fields UserName and UserPass. Genuine SQL server code would have the form below:
In some SQL dialects, entering the string " or ""=" (a closing quote, an OR, and an empty-string comparison) into both fields turns the WHERE clause into a condition that is always true, so the query matches every row instead of checking a single username and password pair; depending on what the application does with the result, the attacker logs in without valid credentials or sees all usernames and passwords. The modified statement would then be:
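The login statement described above, as an added example that is not code from the original page or from any product it cites. It uses Python's sqlite3 module against a constructed in-memory table (the UserName and UserPass field names are the page's; the user rows, the function names and the single-quote form of the payload are assumptions), builds the statement by string concatenation so that the page's or ''= payload returns every row, and shows the parameterized form of the same query rejecting the same input.

```python
import sqlite3

# Constructed demo database (not from the original page): an in-memory
# SQLite table with the UserName and UserPass fields the text describes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, UserPass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def build_login_sql(username, password):
    # The vulnerable pattern: the statement is assembled by concatenating
    # user-supplied strings, so the input is parsed as SQL code.
    return ("SELECT UserName FROM Users WHERE UserName = '" + username +
            "' AND UserPass = '" + password + "'")

def login_vulnerable(conn, username, password):
    # Returns the user names the (attacker-influenced) statement matched.
    return [row[0] for row in conn.execute(build_login_sql(username, password))]

def login_parameterized(conn, username, password):
    # The fix: placeholders make the database treat both values strictly as
    # data, whatever characters they contain.
    sql = "SELECT UserName FROM Users WHERE UserName = ? AND UserPass = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# Single-quote form of the page's " or ""=" payload (SQLite string literals
# use single quotes; the double-quoted variant applies to dialects such as
# MySQL that accept double-quoted strings).
PAYLOAD = "' OR ''='"

if __name__ == "__main__":
    conn = make_db()
    # The concatenated statement becomes:
    # ... WHERE UserName = '' OR ''='' AND UserPass = '' OR ''=''
    # and the trailing ''='' is always true, so every row is returned.
    print(build_login_sql(PAYLOAD, PAYLOAD))
    print("legitimate   :", login_vulnerable(conn, "alice", "s3cret"))
    print("injected     :", login_vulnerable(conn, PAYLOAD, PAYLOAD))
    print("parameterized:", login_parameterized(conn, PAYLOAD, PAYLOAD))
```

Note that AND binds more tightly than OR, so the injected statement is evaluated as UserName = '' OR (''='' AND UserPass = '') OR ''=''; the final comparison alone is enough to select the whole table.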
Analysis of the technology in the context of broader trends in technology and security
The growth of web applications and of data-driven designs that generate dynamic content has allowed SQL injection attacks to proliferate. The attacks fall into five general categories, or goals: authentication bypass, information disclosure, compromised data integrity, compromised availability of data, and remote command execution.
In an authentication bypass attack, the attacker aims either to obtain application logon information or to bypass the authentication requirements altogether. An information disclosure attack lets the attacker retrieve sensitive information for later use. A compromised data integrity attack alters database contents, for example for fraud, while a compromised availability attack deletes or otherwise denies access to information. The last type, remote command execution, lets the attacker run commands on the database server itself (CISCO, 2015).
Preventing SQL injection attacks comes down to either not building queries dynamically from input at all, or making sure that user-supplied input containing SQL fragments can never change the logic of the query that is executed.
The defences against SQL injection attacks are using prepared statements with parameterized queries, using stored procedures, escaping all user-supplied input, enforcing least privilege and performing white-list input validation (OWASP, 2015). Prepared statements with parameterized queries let the database distinguish code from data regardless of what the user supplies: the statement is compiled first and the values are bound afterwards, so they can never be parsed as SQL. Stored procedures achieve the same effect when they are defined and stored in the database and called from the application with parameters; they offer no protection if the procedure itself builds dynamic SQL from its arguments. Organizations can therefore choose either stored procedures or prepared statements. The third option, escaping user input before putting it into a query, is weaker and should be a last resort: the escaping scheme is specific to each DBMS and is easy to get wrong. Examples from Oracle are turning off character replacement and escaping the wildcard characters in LIKE clauses. Under least privilege, the privileges of the database accounts an application uses are minimized (read-only where possible, never administrative), so that a successful injection reaches as little as possible. White-list input validation verifies the input against an explicit set of acceptable values before it reaches the query; it is the only option for the parts of a statement that cannot be bound as parameters, such as table or column names and the sort direction of an ORDER BY clause.
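An added example, not from the page or from OWASP, of the two defences in the paragraph above that parameterization alone does not cover: white-list validation of a column name and sort direction, which cannot be bound as parameters, and escaping of the LIKE wildcards so that user text matches literally. The schema, the sample rows and the function names are assumptions; Python's sqlite3 module is used.

```python
import sqlite3

# Constructed demo data (not from the original page); two names contain
# the LIKE wildcard characters '_' and '%' on purpose.
def make_user_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Created INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", 3), ("bob", 1), ("a_b", 2), ("100%", 4)])
    return conn

# White lists for the parts of a statement that cannot be bound as
# parameters (identifiers and keywords). Hypothetical schema.
ALLOWED_SORT_COLUMNS = {"UserName", "Created"}
ALLOWED_SORT_DIRS = {"ASC", "DESC"}

def is_valid_sort(column, direction):
    # Exact membership test: anything not on the list is rejected, so a
    # value such as "UserName; DROP TABLE Users" never reaches the query.
    return column in ALLOWED_SORT_COLUMNS and direction.upper() in ALLOWED_SORT_DIRS

def escape_like(text, esc="\\"):
    # Escape the LIKE metacharacters so the user's text matches literally.
    # The escape character itself must be doubled first.
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_users(conn, fragment, sort_column, sort_direction):
    if not is_valid_sort(sort_column, sort_direction):
        raise ValueError("rejected sort parameters")
    # Identifier and keyword come from the white list; the search text is
    # bound as a parameter with its wildcards escaped (ESCAPE '\').
    sql = ("SELECT UserName FROM Users WHERE UserName LIKE ? ESCAPE '\\' "
           "ORDER BY {} {}".format(sort_column, sort_direction.upper()))
    pattern = "%" + escape_like(fragment) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]

def search_users_unescaped(conn, fragment):
    # Bound as a parameter but without wildcard escaping: safe against
    # injection, yet a '_' or '%' in the input still matches every row.
    sql = "SELECT UserName FROM Users WHERE UserName LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + fragment + "%",))]

if __name__ == "__main__":
    conn = make_user_db()
    print("literal '_' :", search_users(conn, "_", "UserName", "asc"))
    print("literal '%' :", search_users(conn, "%", "Created", "DESC"))
    print("unescaped '_':", search_users_unescaped(conn, "_"))
    print("valid sort?  :", is_valid_sort("UserName; DROP TABLE Users", "ASC"))
```

The two mechanisms are complementary: the bound parameter stops the search text from ever being parsed as SQL, the ESCAPE clause stops it from being parsed as a pattern, and the white list is what keeps the unbindable ORDER BY parts under the application's control.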
References
CISCO. (2015). Understanding SQL Injection. Retrieved February 8, 2016, from http://www.cisco.com/c/en/us/about/security-center/sql-injection.html
OWASP. (2015, November 5). SQL Injection Prevention Cheat Sheet. Retrieved February 8, 2016, from https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet