Hey, hey! I’m back with new info. Here is some info about SQL Injection attacks and the tools used to detect and prevent them. Wanna know more? Check this out!

A. Structured Query Language Injection Attack (SQLIA)

SQL Injection is an attack that tries to gain unauthorized access to a database by injecting code into, and exploiting, the SQL queries an application builds. For example, consider a banking website that lets users log in by entering their username and password. When the user enters a valid username and password, authentication passes and the user is allowed in; the query that performs this check is the kind of query an SQLIA targets.

The following are the types of SQLIA known to date. Each type is given a descriptive name, together with the intent of the attack and a description of how it works.

Tautologies

Attack Intent: Bypass authentication, identify injectable parameters, extract data.

Description: The general goal of a tautology-based attack is to inject code into one or more conditional statements so that they always evaluate to true. The outcome of this attack depends on how the query results are used in the application. The most common use is to bypass the authentication page and extract data.
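To make the tautology case concrete, here is an added example (not code from the post or from any tool it cites) that builds the banking-style login check from the introduction in two ways, with string concatenation and with query parameters, against a constructed in-memory SQLite table, and shows that a tautology in the password field passes the first check and fails the second. The table, the user row and the inputs are all constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed user table for the example; a real application would store
    # a password hash, but the plaintext column keeps the query logic visible.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Concatenating user input into the query text: the input becomes part of
    # the SQL grammar, so a tautology in the WHERE clause is evaluated as SQL.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders send the values separately from the query text; the
    # database treats them as data, never as conditions, so "' OR '1'='1"
    # is just a password string that matches nothing.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed tautology input
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_tautology": login_vulnerable(conn, "nobody", tautology),
        "param_valid": login_parameterized(conn, "alice", "correct-horse"),
        "param_tautology": login_parameterized(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print("%-22s login %s" % (name, "accepted" if passed else "rejected"))
```

The concatenated query becomes `... username = 'nobody' AND password = '' OR '1'='1'`, whose OR branch is always true, which is exactly the "always evaluates to true" condition described above.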

Illegal / Logically Incorrect Queries

Attack Intent: Identify injectable parameters, fingerprint the database, extract data.

Description: This attack lets an attacker gather important information about the type and structure of the back-end database of a Web application, typically from the error messages the database returns for malformed queries. It is considered a preliminary, information-gathering step for other attacks.

Union Query

Attack Intent: Bypass authentication, extract data.

Description: In a union query attack, the attacker exploits a vulnerable parameter to change the data set returned for a given query. With this technique, an attacker can trick the application into returning data from a table different from the one the developer intended.

Piggy-Backed Queries

Attack Intent: Extract data, add or modify data, perform denial of service, execute remote commands.

Description: In this type of attack, the attacker tries to append additional queries to the original query. The attacker does not try to modify the original query; instead, they try to include new and different queries that “piggy-back” on the original one. As a result, the database executes several SQL queries.

Stored Procedures

Attack Intent: Escalate privileges, perform denial of service, execute remote commands.

Description: This type of SQLIA tries to execute stored procedures present in the database. At present, most database vendors ship databases with a standard set of stored procedures that extend database functionality and allow interaction with the operating system. Therefore, once the attacker has determined which back-end database is in use, an SQLIA can be crafted to run the stored procedures provided by that database, including procedures that interact with the operating system.

Inference

Attack Intent: Identifies injectable parameters, extracts data, determines database schema.

Description: In this attack, the query is modified so that it is recast as an action whose outcome depends on the answer to a true/false question about the value of data in the database. In this type of injection, attackers generally target sites that have been secured well enough that, when an injection succeeds, no usable feedback is returned via database error messages. Because database error messages are not available to give the attacker feedback, the attacker must use other methods (such as differences in response content or timing) to get a response from the database.

Alternate Encoding

Attack Intent: Evade detection.

Description: In this attack, the injected text is modified to evade detection by defensive coding practices and by many automated prevention techniques. This type of attack is used in conjunction with the other attacks. In other words, alternate encoding does not provide a distinct way to attack the application; it is a technique that lets an attacker evade detection and prevention mechanisms and exploit vulnerabilities that might otherwise not be exploitable. These evasion techniques are often needed because common defensive coding practices scan for certain known “bad characters”, such as single quotes and comment operators.

B. SQL INJECTION DETECTION AND PREVENTION TOOLS

Although developers use defensive coding practices, that alone is not enough to stop SQLIA against a web application, so researchers have proposed several tools to help.

– WAVES is a black-box technique for testing web applications for SQL injection vulnerabilities. The tool identifies all points of a web application that can be used to inject an SQLIA, builds attacks that target those points, and monitors how the application responds to the attacks, using machine learning to improve the attack methodology.

– JDBC-Checker was not developed with the intent of detecting and preventing general SQLIA, but it can be used to prevent attacks that exploit type mismatches in dynamically generated query strings.

– CANDID modifies web applications written in Java through program transformation. The tool dynamically mines the query structure the programmer intended for any input and detects attacks by comparing it with the actual query structure that was issued. CANDID’s natural and simple approach is very effective for detecting SQL injection attacks.

– AMNESIA combines static analysis and runtime monitoring. In the static phase, it builds a model of the different types of queries that the application can legally generate at each point of access to the database. In the dynamic phase, queries are intercepted before they are sent to the database and checked against the statically built model. Queries that violate the model are prevented from reaching the database. The main limitation of this tool is that its success depends on the accuracy of the static analysis used to build the query model.

– WebSSARI uses static analysis to check taint flows against preconditions for sensitive functions; it works on the basis that input is sanitized once it has passed through a predefined set of filters. A limitation of the approach is that adequate preconditions for sensitive functions cannot be expressed accurately, so some filters may be omitted.

– SecuriFly is another tool implemented for Java. Unlike the other tools, it tracks string rather than character information. SecuriFly tries to sanitize query strings that have been generated using tainted input, but injection into numeric fields cannot be stopped with this approach. The difficulty of identifying all sources of user input is the main limitation of this approach.

– IDS uses an Intrusion Detection System based on machine learning techniques to detect SQLIA. The technique builds a model of typical queries and then, at runtime, flags queries that do not match the model as attacks. The tool detects attacks successfully but depends heavily on training; in addition, it generates many false positives and false negatives.

– SQLPrevent consists of an HTTP request interceptor. When SQLPrevent is deployed into the web server, the original data flow is modified so that HTTP requests are saved to the current thread-local storage, where they can be compared against the SQL statements the application issues.
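The CANDID and AMNESIA entries above both rest on the same idea: compare the structure of the query the programmer intended with the structure of the query actually issued. The following added example (not code from either tool or from the post) shows a simplified version of CANDID’s candidate-input technique on a constructed login query builder: the builder is run once with the real input and once with a benign input of the same length, both results are tokenized with a minimal SQL tokenizer, and a mismatch in token structure is reported as an injection. The tokenizer, the query builder and the sample inputs are all assumptions of this example.

```python
import re

# Minimal SQL tokenizer: yields token kinds so that the contents of string
# and number literals are abstracted away and only the query structure stays.
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')        # single-quoted string literal ('' escapes)
  | (?P<num>\d+)                    # integer literal
  | (?P<cmt>--[^\n]*|/\*.*?\*/)     # line or block comment
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<punct>[^\sA-Za-z_0-9'])
""", re.VERBOSE | re.DOTALL)


def structure(sql):
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "word":
            out.append(("word", m.group().upper()))   # keywords/identifiers matter
        elif kind in ("str", "num"):
            out.append((kind, None))                  # literal value does not
        else:
            out.append((kind, m.group()))
    return out


def build_login_query(username, password):
    # The application's own concatenating query builder (constructed); this is
    # the code CANDID would instrument.
    return ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def candidate(value):
    # Benign input of the same length and kind: digits for numeric input,
    # letters otherwise. Running the builder on it yields the intended structure.
    return ("1" if value.isdigit() else "a") * max(len(value), 1)


def is_injection(builder, *inputs):
    actual = structure(builder(*inputs))
    intended = structure(builder(*(candidate(v) for v in inputs)))
    return actual != intended


if __name__ == "__main__":
    for creds in [("alice", "correct-horse"), ("nobody", "' OR '1'='1")]:
        print(creds, "-> injection" if is_injection(build_login_query, *creds)
              else "-> ok")
```

Benign credentials produce the same token sequence as their candidate, while the tautology input adds an OR and extra literals to the WHERE clause, so the structures differ and the query is flagged before it reaches the database.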

