THE SQL INJECTION ATTACK VECTOR AND

PREVENTATIVE MEASURES
Brix Gomez
Florida State University
bag10@my.fsu.edu
Absr!"
SQL Injection is well-known attack vector for both websites and SQL
databases. A properly executed malicious SQL injection attack SQLIA! could
easily "ive an entity access to databases of hi"h-risk information. Althou"h
SQL Injection has existed since the mid #$%s& it remains a valid vulnerability in
data-driven web applications to this day. 'akin" advanta"e of client-side input
(elds& SQL injection sends SQL commands directly to the tar"et database
resultin" in unauthori)ed access. 'his attack can be used both to "ather data
and to destroy or chan"e it. *ecause of the nature of the data accessed& the
conse+uence level of SQL injections is calculated as considerate to
catastrophic. 'his paper will discuss the speci(c threat of SQL injection and
the preventative measures that can be taken to prevent this type of attack
both within the scope of our team boxes and in the outside world. Some of the
defenses discussed are the enforcement of security principles like Least
,rivile"e& the use of stored procedures& and "eneral data input saniti)ation.
-nforcement of least privile"e is also mentioned as a policy solution.
Additionally& detection via I.S and lo" (le analy)ation will be discussed in the
context of our team project network. A detailed account of attempted
penetration usin" /ali penetration tools such as s+lmap will also be included
alon" with explanations on detection and prevention.
Keywords: IDS(Intrusion Detection System), SQLIA, Least Privilege, SQL Injection,
consequence level, data input sanitization, ali
I#ro$%"io#
SQL injection was first learned about in 199 by !icrosoft em"loyee #ndrew $lato %#ntian&. '(ile wor)ing on an
e*commerce site for t(e tec( giant+ $lato discovered t(at (e (ad t(e ability to inject w(atever SQL statement (e
wanted using cleverly constructed U,Ls. '(en $lato re"orted to (is su"eriors about t(e vulnerability+ it was
initially dismissed as unim"ortant. -(is was .uic)ly "roven foolis( w(en SQL injections started becoming
common"lace in t(e early /0000s. Usually w(en a vulnerability (as been around for over a decade+ it can be "(ased
out wit( u"dated software or enforcement of a certain security "olicy. SQL injection+ (owever+ is a vulnerability t(at
(as "roven to be toug( to defend against. 1ven in larger com"anies li)e F-2.com+ -ravelocity+ and 3uess 4nc.+ SQL
injection (as wor)ed to com"romise t(e (uge amounts of database information )e"t by t(ese entities %5alfond+
6iegas+ 7rso&.
#not(er reason w(y SQL injection (as gained and maintained so muc( traction as an attac) vector is its ease of use.
-(e basics of SQL injection can be learned by basically anyone wit( an internet connection and a day to s"are. 4t is
t(erefore vital to )now t(e "ro"er defenses and "reventative measures re.uired to avoid injection. 7ur web servers
in class are just as vulnerable to SQL4# as any ot(er database*driven web a""lication. $reventative measures for
suc( an attac) are just as easily im"lemented as t(e attac) itself. 'it( sufficient foresig(t+ SQL4# s(ould not be an
issue wit(in t(e conte8t of our team web servers.
Florida State University iSchool 1
SQLIA
THE SQL INJECTION ATTACK VECTOR AND PREVENTATIVE MEASURES
4n t(e 19 years since t(e 7"en 'eb #""lication Security $roject %7'#S$& began trac)ing web a""lication
vulnerabilities+ only injection (as stayed in t(e to" ten t(reats consistently. #ccording to security firm :arclays+
since /001+ 9; "ercent of all data*breac(es were a result of SQL injections. # sim"le mec(anism+ SQL injection
occurs w(en data enters a "rogram from an untrusted source and is used to dynamically construct a SQL
.uery<statement %7'#S$&. -(is direct connection to database information could "rove to be catastro"(ic for any
com"any or entity. -(is in(erently dangerous as"ect of SQL injection in conjunction wit( its ease of use ma)es it
clear w(y it is im"ortant for bot( database designers and security officers ali)e to understand "reventative
tec(ni.ues.
Pre&!ri#' (e I#)e"io#
-(e first ste" in "re"aring to "erform an SQL injection on a target is t(e ma""ing of t(e database itself. #ssessment
of t(e ty"e and version of database is essential to develo"ing effective .ueries as an attac)er. #dditionally+ test
.ueries may be sent to get a feel for t(e sc(ema and layout of t(e database in a "rocess called database
finger"rinting. 7nce a s)illed attac)er (as a general idea of t(e layout of t(e database+ (e is free to ma)e accurate
.ueries for information (e needs to do w(atever (e "leases wit( t(e sensitive data. 7ne met(od of database
finger"rinting is t(e use of illogical and incorrect .ueries. :y sending t(ese flawed re.uests to t(e database+ t(e
resulting answer usually comes in t(e t(e form of an informative error message+ t(ereby giving t(e attac)er even
more information. 1rror messages suc( as t(e one below give out valuable information li)e server version<ty"e and
s"ecific values li)e table and column names.
Figure 1
I#)e"io# Me(o$s
-(e various met(ods of SQL injection attac) truly de"end on t(e intent of t(e malicious entity. 7ne suc( met(od
t(at is used .uite often to by"ass aut(ori=ation measures is t(e tautological attac) %5alfond+ 6iegas+ 7rso&. :y
inserting logical statements into a .uery statement w(ere ot(er valid in"ut o"tions s(ould go %suc( as a table or
column name&+ an attac)er can tric) t(e database into returning data. -a)e t(e sim"le SQL statement s(own in
Figure / used to searc( for an item as an e8am"le>
SELECT * FROM items
WERE o!ner " #$ri%#
A&' I(name " #name# OR #)#"#)#*
Figure / %7'#S$&
2 Florida State University iSchool
SQLIA
:y adding t(e tautological statement 01?10 and t(e 7, command+ t(e attac)er (as made it so t(at t(e '51,1 clause
is always inter"reted to be true. :y ma)ing t(e '51,1 clause irrelevant+ all t(at is left for t(e database to return is
t(e .uery result set of t(e SQL command 0S1L1@- A F,7! items0. 4n t(is s"ecific attac)+ t(e malicious entity (as
successfully by"assed user aut(ori=ation by (aving t(e database list t(e entire contents of t(e 0items0 table w(ic(
includes user information in relation to t(e items. 4n Figure 9+ t(e tautological attac) is being used wit(in t(e conte8t
of a sim"le login screen to s(ow (ow easily a "assword could be ignored if in"ut is not filtered correctly>
Figure 9
#not(er common met(od of attac) is t(e use of stored "rocedures to "erform various breac(es of security li)e
"rivilege escalation and denial of service %5alfond+ 6iegas+ 7rso&. 4njection of stored commands can be just as
dangerous as more customi=ed .ueries. 4n a regular username<"assword in"ut field+ an attac)er could insert t(e
sim"le S5U-27'B command and bring an entire com"any to its )nees. :y esca"ing t(e regular data in"ut
"arameter wit( an a"ostro"(e+ a data in"ut field becomes an 7B<7FF switc( for t(e entire database>
S1L1@- accounts F,7! users '51,1
login?0bri80 #B2 "ass?0 0C S5U-27'BC D #B2 "in?
Figure 9 %5alfond+ 6iegas+ 7rso&
Using t(e a"ostro"(e and t(e commenting c(aracter 0D0+ t(e stored command 0S5U-27'B0 is used to devastating
effect. -(e commenting c(aracters are used to ma)e t(e database believe t(e $4B in"ut is sim"ly a comment. -(is is
an e8am"le of (ow a SQL4# could function as a denial of service attac). :y s(utting down an entire database and
c(anging "rivileges afterward+ a clever attac)er could deny clients access to t(e organi=ation0s services for days.
Using anot(er stored command li)e 02,7$0+ an attac)er could easily dro" database information c(un)s at a time.
-(e "o"ular webcomic 8)cd "ortrays t(is e8am"le in a rat(er creative but accurate way>
E)cd not only (ints at a met(od of attac)+ but also mentions an all*im"ortant "reventative measure used against
SQL4#> data in"ut saniti=ation.
Florida State University iSchool 3
SQLIA
Pre*e#!i*e Me!s%res +or SQLIA
7ne of t(e main issues for security officers in modern organi=ations is t(eir inability to enforce anti*SQL4#
measures. 1ven if a @.S.7. sets u" t(e most strict firewall ruleset and enforces ot(er security "olicies+ if t(eir web
develo"ers do not follow safe and "ro"er coding "ractices+ t(e w(ole system could be vulnerable. -(is is a good
reason for security officers to s"read awareness about t(ese )inds of vulnerabilities so t(at "reviously unaware
develo"ers could begin im"lementing safe coding "rinci"les. -(us+ t(e earliest line of defense is sim"le awareness
and education. '(et(er it be videos+ newsletters+ or informative emails+ awareness is a c(ea" and effective way to
by"ass t(e grave conse.uences of a successful SQL4#.
1nforcement of t(e Least $rivilege "rinci"le is also of t(e utmost im"ortance in sto""ing SQL injections in t(eir
trac)s. 4n ot(er words+ only allow accounts to (ave t(e minimum "rivileges needed to function at t(eir tas). -(ere is
no reason for a student "rofile logging database to (ave 2,7$ "rivileges wit(out being logged into an
administrative account. Li)ewise+ t(e U$2#-1 function s(ould not be allowed on databases dedicated to auditing
actions. -(is would be an easy way for attac)ers to cover t(eir trac)s.
-(e ne8t defense against any sort of data*breac( attac) is secure coding "ractice. #ssume all end*user in"ut is
(ostile %!c2onald&. :lindly trusting users is an easy way to get (urt+ and t(at is e8actly w(at develo"ers are doing
w(en t(ey do not saniti=e user in"ut. 2ata in"ut saniti=ation must be "resent for any sort of web a""lication t(at
receives user*in"utted data. 1very in"ut field must be seen as a "otential "ortal for malicious activity. 7ne fairly
effective met(od of saniti=ation is t(e use of w(itelists. 4n t(e conte8t of SQL4# a blac)list would be too sim"le to
by"ass t(roug( t(e use of meta c(aracters. :ut wit( a customi=ed w(itelist+ a user<attac)er would be forced to in"ut
valid data.
# similar in"ut saniti=ation tec(ni.ue would be t(e use of in"ut ty"e c(ec)ing. 4n t(e case of numeric in"uts li)e a
date of birt( or a $4B+ t(e code could just reject an c(aracters ot(er t(an digits. 1ncoding t(e in"ut field as w(ole
object (as also "roven to be effective. :ecause SQL injection wor)s by inserting SQL to)ens into regular fields+
encoding t(e w(ole in"ut string could sto" t(e server from inter"reting t(ese to)ens as valid .ueries.
SQLIA Lo''i#' !#$ Dee"io#
4n our team networ)s+ our Security7nion bo8 is e.ui""ed wit( t(e B42S %networ) intrusion detection system&
Snorby. Snorby wor)s by monitoring networ) traffic and cross*c(ec)ing t(at traffic against a ruleset built by t(e
user. :y setting u" a ruleset t(at detects for various )nown SQL attac) met(ods+ one could log and trace incoming
SQL injection attem"ts. Logging every instance of certain actions li)e .ueries and "rivilege escalations is one way
to trace t(e attac)s but would only serve to s(ow successful .ueries and not attem"ts. :y in"utting a regular
e8"ression into Snorby t(at detects meta*c(aracters in in"ut fields+ one could detect attem"ts to insert SQL
statements so t(at t(e offender could be traced before "erforming a successful injection. #n e8am"le of one of t(ese
regular e8"ressions is s(own being added to t(e Snorby ruleset in Figure >
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:S!L "n#ect$%n
- Paran%$&' (l%):t%_ser*er+esta,l$s-e&'.r$c%ntent:/p-p'pcre:01)2((134567
(1866((139:67%7(13;:66((135467r7(13<4660$=' classtype:>e,-appl$cat$%n-
attac?' s$&:@A@@' re*:<'6
Figure %Symantec&
-(is rule browses in"ut %s"ecifically from ."(" files in t(is case& to c(ec) for common SQL4# meta*c(aracters and
t(eir (e8adecimal e.uivalents. SQL commands li)e 07,0 and ot(er tautological e8"ressions are also detected.
#lt(oug( our team bo8es do not (ave any data in"ut fields+ t(e "rocess of creating t(e rule was im"ortant to
understand because end*user data in"ut is suc( a common event in web a""lications.
Te!m Pro)e" Ne,or- To&o.o'/ !#$ SQLIA Re.e*!#"e
7ur team networ)s are segmented into five se"arate bo8es+ eac( (aving a function wit(in t(e networ). First is t(e
#"ac(e / 'eb server. -(e web server serves as t(e target for ot(er teams to attac) and t(e "recious cargo for t(e
4 Florida State University iSchool
SQLIA
team t(at owns it. 7ur web server is initially "rotected by t(e default Ubuntu firewall. '(ile t(is may "rotect
against ot(er ty"es of attac)s+ it fails to do anyt(ing to "revent a SQL4#. 2ue to SQL4# functioning over "ort F0+
basic firewalls do not(ing to "rotect databases t(at re.uire internet access.
-(e ne8t com"onent of our networ) is t(e @omodo firewall. 4t is t(e "rimary firewall for t(e system and "rovides
basic defense utilities li)e secure 2BS and a sandbo8 mode. 4f a sus"icious activity is detected by t(e firewall it will
first offer to run t(e sus"icious "rogram in sandbo8 mode+ w(ic( "revents t(e "rogram from ma)ing any "ermanent
c(anges to t(e system. -(is is a very (el"ful tool but ultimately useless in t(e conte8t of our "roject unless anot(er
team sends some sort of malware*infected e8ecutable.
-(e baiting system used in our networ) is a 'indows bo8 e.ui""ed wit( 5oney:ot. 5oney:ot serves as a tra" for
(ac)ers. :y o"ening a large amount of listening "orts and mimic)ing vulnerable services+ t(e 5oney:ot system can
detect and log attem"ts on t(ese fa)e services. 6aluable and incriminating information can be gat(ered from a
5oney:ot system in a real world setting t(at could "otentially sto" an attac)er before any damages are done.
For our networ) 42S we (ave a linu8 system wit( Security7nion 42S installed. -(e Security7nion 7S contains
many defensive security tools. #mong t(ese is t(e offs(oot of Snort+ Snorby. :y "roviding Snorby wit( t(e "ro"er
ruleset+ logging and detection of SQL4# would be a sim"le matter. -(is s"ecific bo8 is w(ere t(e bul) of time is
s"ent in terms of securing and maintaining security of t(e networ). Logs are c(ec)ed every cou"le days to ensure
t(e integrity of t(e networ). 4f any SQL4# were to ta)e "lace+ t(is bo8 would give t(e first indication of suc( an
attem"t.
C.!ss Ne,or- SQLIA Tes
-(e first ste" in t(e attac) "rocess was researc(ing t(e vulnerabilities of 'ord"ress+ a com"any used by millions
worldwide to (ost t(eir websites and blogs. 4n doing t(is researc(+ it became clear t(at word"ress is fairly secure by
itself+ but due to t(e ability to download o"en source "lugins it can be made to be insecure. -(e issue usually comes
bac) to data in"ut validation. # smart develo"er never trusts t(e data in"utted by users. -(e good "eo"le at
'ord"ress (ave made it easier for newer web develo"ers to validate in"ut by adding functions li)e G"re"are%&H t(at
run c(ec)s for illegal c(aracters. # good e8am"le of unsafe code as o""osed to safe code>
$answers = $wpdb->get_answers( "SELECT * FROM $wpdb->arch!e "#ERE $% =
$d" &'
5ere t(e very clear issue is a lac) of validation "resents a large issue. '(en fetc(ing t(e variable for GIidH t(e
database (as no indication as to w(at t(e contents of suc( a variable s(ould contain. -(is flaw in t(e code leaves a
ga"ing (ole for malicious entities to e8"loit. -(e following version of similar code uses t(e G"re"are%&H statement
correctly to add in"ut c(ec)ing to t(e statement>
$answers = $wpdb->get_answers( $wpdb->prepare( "SELECT * FROM $wpdb-
>arch!e "#ERE $% = (d") $d & &'
Sim"le c(ec)s li)e t(is ma)e SQL4#s a fairly mild t(reat. #lt(oug( SQL4# still (as a (ig( number of occurrences+
it is clear t(at t(e "(asing out "rocess (as begun.
#ttem"ting to inject bot( our test bo8 %'eb 2& and ot(er teamHs bo8es turned out to be more difficult t(an was first
imagined.
SQLMAP
SQL!#$ is a "owerful o"en*source SQL4# "enetration testing tool. :y automating t(e normally tedious "rocess of
manually finger"rinting and navigating t(e database+ SQL!#$ ma)es SQL4# muc( more efficient and effective.
Florida State University iSchool 5
SQLIA
Co#".%sio#
-(e amount of damage SQL injection attac)s (ave caused is vast and s(oc)ing. :ut wit( t(e advent of sensitive data
transactions li)e online ban)ing becoming common"lace+ t(ere is more motivation t(an ever to secure systems
against SQL4#. 4n order to "ro"erly streamline various networ)s and data transactions+ a level of trust (as to be
"laced in t(e (olders of t(is sensitive data. :y "romoting safe coding "ractices+ re.uiring in"ut saniti=ation+ and
enforcing common logical security "rinci"les li)e least "rivilege+ t(e t(reat of SQL injection can be (alted and
eliminated. 'it(in our team networ)+ t(e t(reat of an SQL4# is rat(er low due to t(e limited functionality of our
word"ress website. 4f t(e web server were to contain sensitive information (owever+ SQL injection could be
"revented wit( a""ro"riate data saniti=ation and detected using our Security7nion system.
Re+ere#"es
:a)er+ #le8. J1K Lears of SQL 4njection and Still t(e !ost 2angerous 6ulnerability.J RSS. Bets"ar)er+ // #ug.
/019. 'eb. 0K !ar. /01K. M(tt"s><<www.nets"ar)er.com<blog<s.l*injection*vulnerability*(istory<N
!c2onald+ Stuart. JSQL 4njection> !odes of #ttac)+ 2efence+ and '(y 4t !atters.JSans(or+. Sans+ F #"r. /00.
'eb. M(tt"><<www.sans.org<reading*room<w(ite"a"ers<securecode<s.l*injection*modes*attac)*defence*matters*/9N.
5alfond+ 'illiam+ Oeremy 6iegas+ and #lessandro 7rso. J# @lassiPcation of SQL 4njection #ttac)s and
@ountermeasures.J ,atech(ed-. 3eorgia -ec(+ n.d. 'eb.
M(tt"><<www.cc.gatec(.edu<fac<#le8.7rso<"a"ers<(alfond.viegas.orso.4SSS10Q."dfN.
JSQL 4njection.J . OWAS/. B.".+ n.d. 'eb. 0K !ar. /01K. M(tt"s><<www.owas".org<inde8."("<SQLR4njectionN.
JE)cd> 18"loits of a !om.J 01cd2 E%3loits o4 a Mom. B.".+ n.d. 'eb. 0K !ar. /01K. M(tt"s><<8)cd.com<9/;<N.
@urtis+ So"(ie. J:arclays> 9; $ercent of 2ata :reac(es Still 2ue to SQL 4njection.JTechWorld Rss. -ec(world+ 19
Oan. /01/. 'eb. /F Feb. /01K. M(tt"><<news.tec(world.com<security<9991/F9<barclays*9;*"ercent*of*data*
breac(es*still*due*to*s.l*injection<N.
!oo)(ey+ S. S.+ and Biles( :urg(ate. J2etection of SQL 4njection and @ross*site Scri"ting #ttac)s.J End3oint5
Clo-d5 Mo$ile 6 7irt-al Sec-rity Sol-tions. Symantec+ 1Q !ar. /00. 'eb. /; Feb. /01K.
M(tt"><<www.symantec.com<connect<articles<detection*s.l*injection*and*cross*site*scri"ting*attac)sN.
<http://www.red-database-security.com/pictures/sqlinject_tut1.png>
6 Florida State University iSchool