APPLICATION SECURITY
SQL Injection Attacks:
Working and Countermeasures
Muhammad Nadeem
[email protected]
SQL INJECTION ATTACK
User ID: Administrator
Password: abc
Select * from users where userID = 'Administrator' and password = 'abc'
User ID: Administrator
Password: xxx' OR 'a'='a
Select * from users where userID = 'Administrator' and password = 'xxx' OR 'a'='a'
06/15/2025 Application Security 2
CONTENTS…
• Introduction
• Types of SQL injection attacks
• How to counter SQLIA
• Tool Demo: FindBugs®
• Best practices
• Q&A
INTRODUCTION
• SQL injection attacks are among the most dangerous attacks
• They are a threat to privacy
• They cause financial loss
• No perfect solution exists
OWASP TOP 10 VULNERABILITIES
2004 Top 10: A1 Unvalidated Input; A2 Broken Access Control; A3 Broken Auth. and Session Management; A4 Cross Site Scripting; A5 Buffer Overflow; A6 Injection Flaws; A7 Improper Error Handling; A8 Insecure Storage; A9 Application Denial of Service; A10 Insecure Configuration Management
2007 Top 10: A1 Cross Site Scripting; A2 Injection Flaws; A3 Malicious File Exec.; A4 Insecure Direct Object Reference; A5 Cross Site Request Forgery (CSRF); A6 Information Leakage and Improper Error Handling; A7 Broken Auth. and Session Management; A8 Insecure Cryptographic Storage; A9 Insecure Communications; A10 Failure to Restrict URL Access
2010 Top 10: A1 Injection; A2 Cross-Site Scripting; A3 Broken Auth. and Session Management; A4 Insecure Direct Object References; A5 Cross-Site Request Forgery (CSRF); A6 Security Misconfiguration; A7 Insecure Cryptographic Storage; A8 Failure to Restrict URL Access; A9 Insufficient Transport Layer Protection; A10 Unvalidated Redirects and Forwards
2013 Top 10: A1 Injection; A2 Broken Auth. and Session Management; A3 Cross-Site Scripting; A4 Insecure Direct Object References; A5 Security Misconfiguration; A6 Sensitive Data Exposure; A7 Missing Function Level Access Control; A8 Cross-Site Request Forgery (CSRF); A9 Using Components with Known Vulnerabilities; A10 Unvalidated Redirects and Forwards
2016 Top 10: A1 Injection; A2 Broken Auth. and Session Management; A3 Cross-Site Scripting; A4 Broken Access Control; A5 Security Misconfiguration; A6 Sensitive Data Exposure; A7 Insufficient Attack Protection; A8 Cross-Site Request Forgery (CSRF); A9 Using Components with Known Vulnerabilities; A10 Unprotected APIs
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP TOP 10 VULNERABILITIES
2010, 2013 and 2016 Top 10: as listed on the previous slide
2020 Top 10: A1 Injection; A2 Broken Authentication; A3 Sensitive Data Exposure; A4 XML External Entities (XXE); A5 Broken Access Control; A6 Security Misconfiguration; A7 Cross Site Scripting (XSS); A8 Insecure Deserialization; A9 Using Components with Known Vulnerabilities; A10 Insufficient Logging and Monitoring
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
INTRODUCTION
• One of the earliest SQL injection attacks: Feb 2002
o On the Guess.com customer database
o Permitted the attacker to pull down 200,000+ names, credit card numbers and expiration dates by a properly crafted URL
• 7% of all reported incidents were caused by SQL injection (nvd.nist.gov, 2011)
• According to Wikipedia: 71 SQL injection attacks attempted every hour (2013)
INTRODUCTION: RECENT INCIDENTS
• August 17, 2009: the United States Department of Justice charged three suspects with the theft of 130 million credit card numbers using an SQL injection attack (considered "the biggest")
• April 13, 2008: Oklahoma, 10,597 Social Security numbers were downloaded via an SQL injection attack
• January 13, 2006: computer criminals broke into a Rhode Island government web site and stole credit card data of individuals who had done business with state agencies
~136,000 vulnerable components
~9,000 SQL Injection Vuln.
SQL INJECTION VULNERABILITIES REPORTED
[Bar chart: SQL injection vulnerabilities reported per year, 2000 to 2017; yearly counts range from 2 up to 1515]
Source: Common Vulnerabilities and Exposures (CVE) repository
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SQL+injection
TYPES OF SQL INJECTION ATTACKS
Tautologies
Select * from users where userID = '' and password = '' OR 1=1 --'
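As an added example (not from the slides), the login check from slide 2 and the tautology above in Python with the standard sqlite3 module, assuming a constructed one-row users table: the concatenated query accepts both payloads shown on these slides, the parameterized one does not.

```python
import sqlite3

def make_db():
    # Constructed sample table with the single account used on the slides.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Administrator', 'abc')")
    return conn

def login_vulnerable(conn, user_id, password):
    # Query built by string concatenation: user input becomes SQL syntax.
    sql = ("SELECT * FROM users WHERE userID = '" + user_id +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, user_id, password):
    # Bound parameters: the driver passes the values separately from the
    # statement, so quotes, OR and -- inside them are just characters.
    sql = "SELECT * FROM users WHERE userID = ? AND password = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None

def demo():
    # The two payloads are the ones shown on slide 2 and the tautology slide.
    conn = make_db()
    cases = {
        "good": ("Administrator", "abc"),
        "tautology": ("Administrator", "xxx' OR 'a'='a"),
        "comment_tautology": ("Administrator", "' OR 1=1 --"),
    }
    # For each case: (result of the concatenated query, result of the bound one)
    return {name: (login_vulnerable(conn, *creds), login_parameterized(conn, *creds))
            for name, creds in cases.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:18s} concatenated={vuln!s:5s} parameterized={safe}")
```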
Union Queries
Select * from users where userID = '' and password = '' UNION select CARDNO from CREDITCARDS --'
Piggybacked Queries
Select * from users where userID = '' and password = ''; Drop table users --'
Stored Procedures (dynamic SQL built from the @prodname parameter)
Create procedure SP_ProductSearch @prodname varchar(400) = NULL
AS
Declare @sql nvarchar(4000)
SELECT @sql = ' select ProductID, …
Malformed Queries
Take advantage of overly descriptive error messages returned when an erroneous query is sent for execution
Alternate Encoding
Hex: 3b2044726f70207461626c6520757365727320962d92
Equivalent: ; Drop table users --'
Inference
The attacker runs a series of tests that evaluate to true or false, gaining insight into the database from the answers
HOW TO COUNTER SQL INJECTION ATTACKS?
DESIGN VS. RUNTIME APPROACHES
Design time approaches: used before a system is put into execution mode
Runtime approaches: used while the system is in execution mode (real time vs. post attack)
Hybrid approaches: have both design time and runtime components
DISCUSSION ON DIFFERENT APPROACHES
• Keyword randomization approach
• Signature based approach
• Input sanitization-based approach
KEYWORD RANDOMIZATION
• A secret word for every SQL keyword:
Select -> secret01
* -> secret02
From -> secret03
Where -> secret04
= -> secret05
and -> secret06
' -> secret07
…
KEYWORD RANDOMIZATION
User ID: Administrator
Password: abc
Original query: Select * from users where userID = ' ' and password = ' '
Randomized query (secret words in place of keywords and quotes, user input spliced into the slots):
sec01 sec02 sec03 users sec04 userID sec05 sec07 Administrator sec07 sec06 password sec05 sec07 abc sec07
De-randomized query sent to the database: Select * from users where userID = 'Administrator' and password = 'abc'
KEYWORD RANDOMIZATION
User ID: Administrator
Password: none' OR 1=1 --
sec01 sec02 sec03 users sec04 userID sec05 sec07 Administrator sec07 sec06 password sec05 sec07 none' OR 1=1 -- sec07
The quote, OR, = and -- supplied in the password are not secret words, so the de-randomizer flags them as illegal keywords/characters and the query is rejected.
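The randomize/de-randomize round trip of the last three slides as an added Python example (not the slides' own code): the secret words are the slide's own sec01 to sec07, KEYWORDS and SPECIALS are an assumed list of what the proxy treats as illegal when it arrives unrandomized, and {uid}/{pwd} are assumed slot names for user input.

```python
# Secret words for SQL keywords and special characters, named as on the
# keyword randomization slide (a real deployment would generate them at
# random and keep them out of the application's reach).
SECRET = {"select": "sec01", "*": "sec02", "from": "sec03",
          "where": "sec04", "=": "sec05", "and": "sec06", "'": "sec07"}
# Plain keywords and characters that must never reach the proxy unrandomized.
KEYWORDS = {"select", "from", "where", "and", "or", "union", "drop",
            "insert", "update", "delete", "table", "exec"}
SPECIALS = ("'", "=", "*", ";", "--")

def randomize(sql):
    # Design time: the developer's query with every keyword and special
    # character replaced by its secret word. {uid} and {pwd} are the slots
    # user input is spliced into at runtime. Tokens are whitespace-separated,
    # so quotes in the template are written with spaces around them.
    return " ".join(SECRET.get(tok.lower(), tok) for tok in sql.split())

def derandomize(instrumented):
    # Runtime (the proxy in front of the database): secret words map back to
    # SQL; any token that still looks like a keyword or special character
    # could only have come from user input and is reported as illegal.
    back = {v: k for k, v in SECRET.items()}
    sql, illegal = [], []
    for tok in instrumented.split():
        if tok in back:
            sql.append(back[tok])
        elif tok.lower() in KEYWORDS or any(s in tok for s in SPECIALS):
            illegal.append(tok)
        else:
            sql.append(tok)
    return " ".join(sql), illegal

TEMPLATE = randomize("select * from users where userID = ' {uid} ' and password = ' {pwd} '")

def build_and_check(user_id, password):
    # Returns the de-randomized query and the list of illegal tokens; the
    # application would send the query only when that list is empty.
    # The limitations on the next slide apply: a secret word appearing in user
    # input maps back to a keyword, and a legitimate value containing "=" or a
    # quote is rejected.
    instrumented = TEMPLATE.format(uid=user_id, pwd=password)
    return derandomize(instrumented)

if __name__ == "__main__":
    print(TEMPLATE)
    print(build_and_check("Administrator", "abc"))
    print(build_and_check("Administrator", "none' OR 1=1 --"))
```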
LIMITATIONS OF KEYWORD RANDOMIZATION
• The list of secret words may be compromised
• Keywords such as OR, AND, SELECT and FROM may legitimately appear in user input
STORING QUERY SIGNATURE
Create signatures for all legitimate queries at design time.
Validate all queries at runtime.
Design time: queries extracted from the program source -> signature calculator -> stored query signatures
Run time: query (at runtime) -> signature calculator -> compare with the stored signatures -> accept or reject
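An added Python example of the signature approach (not from the slides): the signature is assumed to be the query with string and numeric literals replaced by "?", so queries that differ only in data values match while an injected tautology or piggybacked statement does not; the design-time set is constructed from the two queries used on these slides.

```python
import re

def signature(sql):
    # Structural signature of a query: string and numeric literals become "?",
    # whitespace is normalised and keywords lower-cased, so two queries that
    # differ only in the data values share one signature while an injected
    # "OR 'a'='a'" or a piggybacked ";" changes it.
    sig = re.sub(r"'(?:[^']|'')*'", "?", sql)        # string literals
    sig = re.sub(r"\b\d+(?:\.\d+)?\b", "?", sig)      # numeric literals
    sig = re.sub(r"\s+", " ", sig).strip()
    sig = re.sub(r"\s*([=;,()])\s*", r"\1", sig)      # spacing around operators
    return sig.lower()

# Design time: signatures of every query the program can legitimately issue.
# Constructed sample; the slide's signature calculator would extract these
# from the program source.
LEGITIMATE_SIGNATURES = {
    signature("SELECT * FROM users WHERE userID = 'x' AND password = 'y'"),
    signature("SELECT * FROM products WHERE prID = 0"),
}

def check_query(sql):
    # Runtime: compute the signature of the query about to be executed and
    # compare it with the stored set.
    return "accept" if signature(sql) in LEGITIMATE_SIGNATURES else "reject"

if __name__ == "__main__":
    for q in ["SELECT * FROM users WHERE userID = 'Administrator' AND password = 'abc'",
              "SELECT * FROM users WHERE userID = 'Administrator' AND password = 'xxx' OR 'a'='a'",
              "SELECT * FROM products WHERE prID=23",
              "SELECT * FROM products WHERE prID=23; Drop table products"]:
        print(check_query(q), "|", signature(q))
```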
LIMITATIONS OF SIGNATURE BASED APPROACH
• Overhead to compare every query at runtime
• May restrict flexibility
INPUT SANITIZATION
• Sanitize the following input:
Select * from products where prID=23; Drdeleteop tadropble products
• A sanitizer that strips the keywords "delete" and "drop" once turns it into:
Select * from products where prID=23; Drop table products
Input sanitization might not always work!
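The nested-keyword bypass above as an added Python example (not from the slides), with an allow-list check for the prID field as the alternative; the blacklist and its order are assumptions chosen to reproduce the slide's result.

```python
import re

# The slide's input: "delete" is nested inside "Drop" and "drop" inside "table".
SLIDE_INPUT = "Select * from products where prID=23; Drdeleteop tadropble products"

# Forbidden words, stripped in this order (drop first, then delete). A
# blacklist sanitizer's result depends on such details, which is the point.
BLACKLIST = ("drop", "delete")

def sanitize_once(value):
    # Naive blacklist sanitizer: removes each forbidden word a single time.
    # Stripping the nested words re-assembles "Drop table" around them.
    for word in BLACKLIST:
        value = re.sub(re.escape(word), "", value, flags=re.IGNORECASE)
    return value

def sanitize_fixpoint(value):
    # Repeat until nothing changes, so words assembled by an earlier pass
    # are caught. Still a blacklist: anything not on the list gets through.
    while True:
        cleaned = sanitize_once(value)
        if cleaned == value:
            return cleaned
        value = cleaned

def parse_product_id(value):
    # Allow-list validation for the prID field: accept only what the field
    # can legitimately contain (a small positive integer) and reject the rest;
    # the integer is then bound as a query parameter. Returns None on rejection.
    if re.fullmatch(r"\d{1,10}", value.strip()) is None:
        return None
    return int(value.strip())

if __name__ == "__main__":
    print(sanitize_once(SLIDE_INPUT))
    print(sanitize_fixpoint(SLIDE_INPUT))
    print(parse_product_id("23"), parse_product_id("23; Drdeleteop tadropble products"))
```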
How to detect SQL injection vulnerabilities in your source code?
DEMO…
DEMO: FINDBUGS
• Version 3.0.1
• Open source static code analysis tool
• Scans Java code
• Finds different types of vulnerabilities, including SQL injection vulnerabilities
• http://findbugs.sourceforge.net/downloads.html
FALSE POSITIVES / FALSE NEGATIVES
[Diagram: vulnerabilities V1 … Vn present in the code repository compared with those reported by static analysis. Vx is reported by static analysis but not present in the code: an example of a false positive. V2 is present in the code but not reported: an example of a false negative.]
FALSE POSITIVES / FALSE NEGATIVES
• Almost all the tools generate false positive and false negative results
• False Positive
– A false alarm for a vulnerability when it is actually not there
• False negative
– No alarm for a vulnerability when it actually exists in the code
LIST OF VULNERABILITY SCANNING TOOLS…
HUNTING VULNERABILITIES
• Reconnaissance
• Build Vulnerability Hypothesis
– (e.g., I got this form, I think I can inject code)
• Test Hypothesis
• Develop Exploit
• Profit (bounty)/ Protect the World