termpaper
DESCRIPTION
SQL injection preventionTRANSCRIPT
1
Detection Technique of SQL Injection Attack
ABSTRACT
The use of web application has become increasingly popular in our routine activities, such as
reading the news, paying bills, reservation, shopping on-line etc. When we are making
reservations, paying bills, and shopping on-line, we expect these web applications to be secure
and reliable. However, as the availability of these services has increased, there has been a
corresponding increase in the number and sophistication of attacks that target them. One of the
most serious types of attack against web applications is SQL injection. SQL injection is a class
of code-injection attacks in which user input is included in a SQL query in such a way that part
of the input is treated as code. Using SQL injection, attackers can leak confidential information,
such as credit card numbers, from web applications’ databases and even corrupt the database.
To prevent this SQL-injection attacks (SQLIAs) various methods and tools has been developed.
It has been studied that AMNESIA (Analysis and Monitoring for NEutralizing SQL-Injection
Attacks) is a very popular tool to counter the SQL injection. The technique combines
conservative static analysis and runtime monitoring to detect and stop illegal queries before
they are executed on the database. In its static part, the technique builds a conservative model
of the legitimate queries that could be generated by the application. In its dynamic part, the
technique inspects the dynamically generated queries for compliance with the statically-built
model.
1. INTRODUCTION
Database-driven web applications have become widely deployed on the Internet, and
organizations use them to provide a broad range of services to their customers. These
applications, and their underlying databases, often contain confidential, or even sensitive,
information, such as customer and financial records. This information can be highly valuable
and makes web application an ideal target for attacks. In fact, in recent years there has been an
increase in at tacks against these online databases. One type of attacks in particular, SQL-
Injection Attacks (SQLIAs), is especially harmful. SQLIAs can give attackers direct access to
the underlying databases of a web application and, with that, the power to leak, modify, or even
delete information that is stored on them. Recently, there have been many SQLIAs with serious
2
consequences, and the list of victims of such attacks includes high-profile companies and
associations, such as Travelocity, FTD.com, Creditcards.com, Tower Records, and RIAA.
Even more alarming is a study performed by the Gartner Group on over 300 web sites, which
reported that 97% of the sites audited were found vulnerable to this kind of web attacks. In fact,
SQLIAs have been described as one of the most serious threats to web applications.
The root cause of SQLIAs is insufficient input validation. SQLIAs occur when data provided
by a user is not properly validated and is included directly in a SQL query. By leveraging
inadequate input validation, an attacker can submit input with embedded SQL commands
directly to the database. This kind of vulnerability represents a serious threat to any web
application that reads inputs from the user (e.g., through web forms or through web APIs) and
makes SQL queries to an underlying database using these inputs. Most web applications used
by corporations and government agencies work this way and could therefore be vulnerable to
SQL-injection attacks.
Although the vulnerabilities that lead to SQLIAs are well understood, SQL injection continues
to be a problem due to a lack of effective techniques for detecting and preventing it.
Programming practices such as defensive programming and sophisticated input validation
techniques can prevent some vulnerabilities. However, attackers continue to find new exploits
that can avoid the checks programmers put in place. Moreover, defensive programming is
labor-intensive, which makes it an impractical technique for protecting large legacy systems.
General tools such as firewalls and current Intrusion Detection Systems (IDSs) are also
typically ineffective against SQLIAs—SQLIAs are performed through ports used for regular
web traffic (usually open in firewalls) and work at the application level (unlike most IDSs).
SQLIAs are performed through ports used for regular web traffic, which are usually open in
firewalls, and work at the application layer, whereas most IDSs tend to focus on the network
and IP layers. Finally, most analysis based techniques for vulnerability detection do not address
the specific characteristics of SQLIAs and are thus ineffective in this context. The few analysis
techniques specifically designed to target SQLIAs provide only partial solutions to the
problem.
In particular, dynamic techniques, such as penetration testing, introduce issues of completeness
and often result in false negatives being produced, whereas techniques based on static analysis
are either too imprecise or only focus on a specific aspect of the problem.
3
AMNESIA is a novel technique for the detection and prevention of SQLIAs. This technique
consists of a model-based approach specifically designed to target SQLIAs and combines
conservative static analysis and runtime monitoring. The key intuition behind our technique is
twofold: (1) the information needed to predict the possible structure of the queries generated
by a web application is contained within the application’s code; (2) an SQLIA, by injecting
additional SQL statements into a query, would violate that structure. Our technique consists of
two phases. In the static phase, the technique leverages an existing, conservative string analysis
[5, 9] to analyze the web-application code and automatically build a conservative model of the
legitimate queries that could be generated by the application. In the dynamic phase the
technique monitors all dynamically-generated queries at runtime and checks them for
compliance with the statically-generated model. When the technique detects a query that
violates the model, it classifies the query as an attack, prevents it from accessing the database,
and reports information on the characteristics of the attack.
In section 2 dynamic query generation is illustrated. An overview of information security is
illustrated in section 3. In section 4 SQL injection and its techniques are discussed. Related
works are discussed in section 5. The specified tool AMNESIA is illustrated is section 6.
Conclusion, future work, and references are provided in section 7.
2. Dynamic Query Generation
A dynamic SQL statement is constructed at execution time, for which different conditions
generate different SQL statements. It can be useful to construct these statements dynamically
when you need to decide at run time what fields to bring back from SELECT statements; the
different criteria for your queries; and perhaps different tables to query based on different
conditions. These SQL strings are not parsed for errors because they are generated at execution
time, and they may introduce security vulnerabilities into your database.
There are two ways to execute dynamic SQL in SQL Server: use the sp_executesql system
stored procedure or the EXECUTE() operator. Sometimes the two methods can produce the
same result, but there are differences in how they behave. The system stored procedure
sp_executesql allows for parameters to be passed into and out of the dynamic SQL statement,
whereas EXECUTE() does not. Because the SQL statement is passed into the sp_executesql
4
stored procedure as a parameter, it is less susceptible to SQL-injection attacks than
EXECUTE(). Since sp_executesql is a stored procedure, passing SQL strings to it results in a
higher chance that the SQL string will remain cached, which should lead to better performance
when the same SQL statement is executed again. In my opinion, sp_executesql results in code
that is a lot cleaner and easier to read and maintain. These reasons are why sp_executesql is the
preferred way to execute dynamic SQL statements.
3. Overview of Information Security
Computer security is a branch of technology known as information security, applied to
computers. Information security is based on the general concept of the protection of data
against unauthorized access. The objective of computer security varies and can include
protection of information from theft or corruption, or the preservation of availability, as defined
in the security policy. Computer security is the process of preventing and detecting
unauthorized use of your computer. Prevention measures help you prevent unauthorized users,
also known as intruders", from accessing any part of your computer system. Detection helps
you to determine whether or not someone attempted to break into your system, whether or not
the breach was successful, and the extent of the damage that may have been done. This makes
computer security particularly challenging because it is difficult enough just to ensure that
computer programs do everything they are designed to do correctly. Nowadays most
information in the world is processed through computer systems, so it is common to use the
term information security to also denote computer security. This is quite a common mistake:
in fact, academically, the definition of information security includes all the processes of
handling and storing information. Information can be printed on paper, stored electronically,
transmitted by post or by using electronic means, shown on films, or spoken in conversation.
5
3.1 The C.I.A. Paradigm
Information security has held that confidentiality, integrity and availability, known as the
C.I.A. paradigm are the core principles of information security.
Confidentiality is the ability of a system to make its resources accessible only to the parties
authorized to access them. Confidentiality is the property of preventing disclosure of
information to unauthorized individuals or systems. For example, a credit card transaction on
the Internet requires the credit card number to be transmitted from the buyer to the merchant
and from the merchant to a transaction processing network. The system attempts to enforce
confidentiality by encrypting the card number during transmission, by limiting the places where
it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting
access to the places where it is stored. If an unauthorized party obtains the card number in any
way, a breach of confidentiality has occurred. Confidentiality is necessary, but not sufficient
for maintaining the privacy of the people whose personal information a system
Integrity is the ability of a system to allow only authorized parties to modify its resources and
data, and only in authorized methods which are consistent with the functions performed by the
system. Integrity means that data cannot be modified without authorization. Integrity is
violated, for example, when someone accidentally or with malicious intent deletes important
data _les, when a computer virus infects a computer, when an employee is able to modify his
own salary on a payroll database, when an unauthorized user vandalizes a web site, when
someone is able to cast a very large number of votes in an online poll, and so on.
Availability is the important property that a rightful request to access information must never
be denied, and must be satisfied in a timely manner. In other words, for any information system
to serve its purpose, the information must be available when it is needed. Ensuring availability
also involves preventing denial-of-service attacks. Sometimes other goals have been added to
the C.I.A. paradigm, such as authenticity, accountability, non-repudiation, safety and
reliability. However, the general consensus is that these are either a consequence of the three
core concepts defined above, or a means to attain them.
6
3.2 The A.A.A. Architecture
In software engineering terms, we could say that the C.I.A. paradigm belongs to the world of
requirements, stating the high-level goals related with security of information. The A.A.A.
architecture and components are specifications of a software and hardware system architecture
which strives to implement those requirements. Then, of course, security systems are the real
world implementations of these specifications. In computer security A.A.A. stands for
Authentication, Authorization and Accounting [4]. These are the three basic issues that are
encountered frequently in many network services where their functionality is frequently
needed. Examples of these services are dial-in access to the Internet, electronic commerce,
Internet printing, and Mobile IP. Typically, authentication, authorization, and accounting are
more or less dependent on each other. However, separate protocols are used to achieve the
A.A.A. functionality.
Authentication: refers to the process of establishing the digital identity of one entity to another
entity. Commonly one entity is a client and the other entity is a server. Authentication is
accomplished via the presentation of an identity and its corresponding credentials. Examples
of types of credentials are passwords, one-time tokens and digital certificates. So authentication
is a security measure designed to establish the validity of a transmission, message, or originator,
or a means of verifying an individual's eligibility to receive specific categories of information.
Authorization: access rights granted to a user, program, or process. It refers to the granting of
specific types of privileges (or not privilege) to an entity or a user, based on their authentication,
what privileges they are requesting, and the current system state. Authorization may be based
on restrictions, for example time-of-day restrictions or physical location restrictions. Most of
the time the granting of a privilege constitutes the ability to use a certain type of service.
Examples of types of service include, but are not limited to: IP address filtering, address
assignment, route assignment and encryption.
Accounting: refers to the tracking of the consumption of network resources by users. This
information may be used for management, planning, billing, or other purposes. Real time
accounting refers to accounting information that is delivered concurrently with the
consumption of the resources. Batch accounting refers to accounting information that is saved
until it is delivered at a later time. Typical information that is gathered in accounting is the
identity of the user, the nature of the service delivered, when the service began, and when it
ended.
7
3.3 Vulnerabilities, Risks and Threats
There is the need of some other formal definitions and practical observations related to the
world of computer security. This will outline better concepts and main actors that play an
important role in computer security and differentiate one from the other.
Risk: combination of the likelihood of an event and its impact.
Threat: a series of events through which a natural or intelligent adversary (or set of
adversaries) could use the system in an unauthorized way to cause harm, such as compromising
confidentiality, integrity, or availability of the systems information.
Vulnerability: if computer security is applied to a weakness in a system which allows an
attacker to violate the integrity of that system. This weakness of an asset or group of assets can
be exploited by one or more threats. Vulnerabilities may result from different reasons such as
weak passwords, software bugs, a computer virus, other malware, script code injection or a
SQL injection.
4. SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution (e.g. to dump the
database contents to the attacker). It is a technique that exploits a security vulnerability
occurring in the database layer of an application. The vulnerability is present when user input
is either incorrectly filtered for string literal escape characters embedded in SQL statements or
user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of
a more general class of vulnerabilities that can occur whenever one programming or scripting
language is embedded inside another.
4.1 How SQL Injection Attacks (SQLIAs) Work
SQL injection refers to a class of code-injection attacks in which data provided by the user is
included in the SQL query in such a way that part of the user’s input is treated as SQL code. It
is a trick to inject SQL query or command as an input possibly via the web pages. They occur
when data provided by user is not properly validated and is included directly in a SQL query.
By leveraging these vulnerabilities, an attacker can submit SQL commands directly access to
the database.
8
There are two major SQL Injection techniques:
i) access through login page or user input and
ii) Access through URL.
The first technique is the easiest in which it bypasses the login forms where users are
authenticated by using passwords. This kind of technique can be performed by the attackers
through: „or‟ condition, „having‟ clause, multiple queries and extended stored procedure.
Example:
Server Code:
UserId:
Server Result :
Another example of SQL Injection Based on Batched SQL Statements :
Server Code:
User id:
Result:
The second technique can be performed by the attackers through: manipulating the query string
in URL and using the SELECT and UNION statements.
104 or 1=1
txtUserId=getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
SELECT * FROM Users WHERE UserId = 105 or 1=1
txtUserId=getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
105; DROP TABLE Suppliers
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers
9
When a user enters the following URL:
http://www.mydomain.com/products/products.asp?productid=123
The corresponding SQL query is executed:
SELECT ProductName, ProductDescription FROM Products WHERE ProductNumber
= 123
An attacker may abuse the fact that the ProductID parameter is passed to the database without
sufficient validation. The attacker can manipulate the parameter's value to build malicious SQL
statements. For example, setting the value [123 OR 1=1] to the ProductID variable results in
the following URL:
http://www.mydomain.com/products/products.asp?productid=123 or 1=1
The corresponding SQL Statement is:
SELECT ProductName, Product Description From Products WHERE ProductNumber
= 123 OR 1=1
4.2 Consequences of SQL Injections Attacks
With SQL injections, cyber-criminals can take complete remote control of the database, with
the consequence that they can become able to manipulate the database to do anything they
wish, including:
Insert a command to get access to all account details in a system, including user names
and retrieve VNC passwords from registry
Shut down a database
Upload files
Through reverse lookup, gather IP addresses and attack those computers with an
injection attack
Corrupting, deleting or changing files and interact with the OS, reading and writing
files
Online shoplifting e.g. changing the price of a product or service, so that the cost is
negligible or free
Insert a bogus name and credit card in to a system to scam it at a later date
10
Delete the database and all its contents
91% of database attacks lead to financial loss [11], but the financial impact can be dwarfed
be the long-term damage to an organizations reputation. In fact, research by Ipsos MORI
at march 2007 revealed that 58% of consumers would stop using an organizations services
following a security breach involving their personal data.
4.3 Classification of SQLIA Techniques
An SQL injection attack has a set of properties, such as assets under threat, vulnerabilities being
exploited and attack techniques utilized by threat agents. The detail feature set of every
property in the SQL injection attack model is identified in this section.
Attack Intention
When a threat agent utilizes a crafted malicious SQL input to launch an attack, the attack
intention is the goal that the threat agent tries to achieve once the attack has been successfully
executed.
Identifying Inject-able Parameters: Inject-able parameters are the parameters or the user
input fields of the Web applications directly used by server-side program logic to construct
SQL statements, which are vulnerable to SQLIA. In order to launch a successful attack, a threat
agent must first discover which parameters are vulnerable to SQL injection attack.
Performing database finger-printing: Database finger-print is the information that identifies
a specific type and version of database system. Every database system employs a different
proprietary SQL language dialect. For example, the SQL language employed by Microsoft
SQL server is T-SQL while Oracle SQL server uses PL/SQL. In order for an attack to be
succeeded, the attacker must first find out the type of and version of database deployed by a
web application, and then craft malicious SQL input accordingly.
Determining database schema: Database schema is the structure of the database system. The
schema defines the tables, the fields in each table, and the relationships between fields and
tables. Database schema is used by threat agents to compose a correct subsequent attack in
order to extract or modify data from database.
Bypassing Authentication: Authentication is a mechanism employed by web application to
assert whether a user is who he/she claimed to be. Matching a user name and a password stored
11
in the database is the most common authentication mechanism for web applications. Bypassing
authentication enables an attacker to impersonate another application user to gain un-
authorized access.
Extracting Data: In most of the cases, data used by web applications are highly sensitive and
desirable to threat agents. Attacks with intention of extracting data are the most common type
of SQL injection attacks.
Adding or Modifying Data: Database modification provides a variety of gains for a threat
agent, for instance, a hacker can pay much less for an online purchase by altering the price of
a product in the database. Or, the threads in an online discussion forum can be modified by an
attacker to launch subsequent Cross-Site-Scripting attacks.
Performing denial of service: These attacks are performed to shut down the database of a
Web application, thus denying service to other users. Attacks involving locking or dropping
database tables also fall under this category.
Evading detection: This category refers to certain attack techniques that are employed to avoid
auditing and detection by system protection mechanisms.
Executing Remote Commands: Remote commands are executable code resident on the
compromised database server. Remote command execution allows an attacker to run arbitrary
programs on the server. Attacks with this type of intention could cause entire internal networks
being compromised.
Performing privilege escalation: Privileges are described in a set of rights or permissions
associated with users. Privilege escalation allows an attacker to gain unauthorized access to a
particular asset by associating a higher privilege set of rights with a current user or impersonate
a user who has higher privilege.
Downloading File: Downloading files from a compromised database server enable an attacker
to view file content stored on the server. If the target web application resides on the same host,
sensitive data such as configuration information and source code will be disclosed too.
Uploading File: Uploading files to a compromised database server enable an attacker to store
any malicious code onto the server. The malicious code could be a Trojan, a back door or a
worm that can be used by an attacker to launch subsequence attack.
12
Assets
Assets are information or data an unauthorized threat agent attempt to gain.
Database Server Fingerprint: The database server fingerprint contains information about the
database system in use. It identifies the specific type and version of the database, as well as the
corresponding SQL language dialect. A compromise of this asset may allow attackers to
construct malicious code specifically for the SQL language dialect in question.
Database Schema: The database schema describes the internal architecture of server. Database
structure information such as table names, size, and relationships are defined in the database
schema. Keeping this asset private is essential in keeping the confidentiality and integrity of
the database data. A compromise in the database schema may allow attackers to know the exact
structure of the database, including table, row, and column headings.
Database Data: The database data is the most crucial asset in any database system. It contains
the information in the tables described in the database schema, such as prices in an online store,
personal information of clients, administrator passwords, etc. A compromise in the database
data will usually result in failure of the system’s intended functionality, thus, its confidentiality
and integrity must be protected.
Host: A host is a discrete node in any network, usually uniquely defined with an IP address. It
may have various privileges in a network and may be a database server or a regular computer
terminal.
Network: A network interconnects numerous hosts together and allows communication
between them. A compromise in a network will most likely compromise every host in the
network. Some networks may also be interconnected with other networks, furthering the
potential damage, should an attack be successful.
Vulnerabilities
Insufficient Input Validation: Input validation is an attempt to verify or filter any given input
for malicious behavior. Insufficient input validation will allow code to be executed without
proper verification of its intention. Attackers taking advantage of insufficient input validation
can utilize malicious code to conduct attacks.
Privileged Account: A privileged account has a degree of freedom to do what normal accounts
cannot. Its actions may also be exempt from auditing and validation. This presents vulnerability
13
since a jeopardized privileged account, such as an administrator account, can compromise
much more than what a jeopardized regular account can.
Extra Functionality: Extra functionalities meant to provide a broader range of vulnerability,
since combinations of this functionality may result in unintended actions. For example,
xp_cmdshell is meant to provide users with a way of executing operating system commands,
but commonly used to added unauthorized users into the operating system.
4.4 Methodology for a Successful SQLIA
Attack techniques are the specific means by which a threat agent carries out attacks using
malicious code. Threat agents may use many different methods to achieve their goals, often
combining several of these sequentially or employing them in different varieties.
Attacks Techniques
Tautology: The general goal of a tautology-based attack is to inject code in one or more
conditional statements so that they always evaluate to true. The consequences of this attack
depend on how the results of the query are used within the application. The most common
usages are to bypass authentication pages and extract data. In this type of injection, an attacker
exploits an inject-able field that is used in a query’s WHERE conditional. Transforming the
conditional into a tautology causes all of the rows in the database table targeted by the query
to be returned. In general, for a tautology-based attack to work, an attacker must consider not
only the inject-able/vulnerable parameters, but also the coding constructs that evaluate the
query results. Typically, the attack is successful when the code either displays all of the
returned records or performs some action if at least one record is returned.
Example: In this example attack, an attacker submits [ ‟ or 1=1 - - ] for the user name input
field (the input submitted for the other fields is irrelevant). The resulting query is:
SELECT status FROM users WHERE user_name=’’ or 1=1 – AND city= ‘ ‘
The code injected in the condition [OR 1=1] transforms the entire WHERE clause into a
tautology. The database uses the conditional as the basis for evaluating each row and deciding
which ones to return to the application. Because the conditional is a tautology, the query
evaluates to true for each row in the table and returns all of them.
14
End of Line Comment: After injecting code into a particular field, legitimate code that follows
are nullified through usage of end of line comments. An example would be to add [- -] after
inputs so that remaining queries are not treated as executable code, but comments. This is useful
since threat agents may not always know the syntax or fields in the server.
Example: In this example attack, an attacker submits [admin'--] for the user_name input field
(the input submitted for the other fields is irrelevant). The resulting query is:
SELECT * FROM user WHERE username = 'admin'--' AND password = ‘’
The code injected in the condition [admin‟-] transform the WHERE clause in that way it is
going to log the attacker as admin user if there is a user name called “admin”, because rest of
the SQL query will be ignored.
Illegal/Logically Incorrect Query: This attack lets an attacker gather important information
about the type and structure of the back-end database of a Web application. The attack is
considered a preliminary, information gathering step for other attacks. The vulnerability
leveraged by this attack is that the default error page returned by application servers is often
overly descriptive. In fact, the simple fact that an error messages is generated can often reveal
vulnerable/inject-able parameters to an attacker. Additional error information, originally
intended to help programmers debug their applications, further helps attackers gain information
about the schema of the back-end database. When performing this attack, an attacker tries to
inject statements that cause a syntax, type conversion, or logical error into the database. Syntax
errors can be used to identify inject-able parameters. Type errors can be used to deduce the
data types of certain columns or to extract data. Logical errors often reveal the names of the
tables and columns that caused the error.
Example: This example attack’s goal is to cause a type conversion error that can reveal relevant
data. To do this, the attacker injects the following text
[ UNION SELECT TOP 1 COLUMN_NAME FROM
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'-- ]
into the following URL:
http://www.mydomain.com/products/products.asp?productid=123
15
The resulting query is:
http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT
TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE
TABLE_NAME='admin_login'—
The injected query extracts the 1st column name of „admin_login table from the
information_schema database (assume the application is using Microsoft SQL Server). The
query then converts the table name into an integer but this is not a legal type conversion, the
database throws an error. For Microsoft SQL Server, the error would be:
” Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int./index.asp, line 5”
There are two useful pieces of information in this message that aid an attacker. First, the
attacker can see that the database is an SQL Server database, as the error message explicitly
states this fact. Second, the error message reveals the value of the string that caused the type
conversion to occur. In this case, this value is also the name of the first column name of
„admin_login‟ table in the database: “login_id.” A similar strategy can be used to
systematically extract the name and type of each column in the database. Using this information
about the schema of the database, an attacker can then create further attacks that target specific
pieces of information.
Union Query: In union-query attacks, an attacker exploits a vulnerable parameter to change
the data set returned for a given query. With this technique, an attacker can trick the application
into returning data from a table different from the one that was intended by the developer.
Attackers do this by injecting a statement of the form: UNION SELECT <rest of injected
query>. Because the attackers completely control the second/injected query, they can use that
query to retrieve information from a specified table. The result of this attack is that the database
returns a dataset that is the union of the results of the original first query and the results of the
injected second query.
16
Example: Referring to the running example, an attacker could inject the text
[‟ UNION SELECT username, password from user_info where user_name=‟abc‟- -]
into the login field, which produces the following query:
SELECT * FROM users WHERE login=’’ UNION SELECT password from user_info where
user_name=’abc’-- AND pass=’’
Assuming that there is no login equal to ”, the original first query returns the null set, whereas
the second query returns data from the “user_info” table. In this case, the database would return
column “password” for username “abc.” The database takes the results of these two queries,
unions them, and returns them to the application. In many applications, the effect of this
operation is that the value for “password” is displayed along with the user information.
Piggy-backed Query: In this attack type, an attacker tries to inject additional queries into the
original query. We distinguish this type from others because, in this case, attackers are not
trying to modify the original intended query; instead, they are trying to include new and distinct
queries that “piggy-back” on the original query. As a result, the database receives multiple SQL
queries. The first is the intended query which is executed as normal; the subsequent ones are
the injected queries, which are executed in addition to the first. This type of attack can be
extremely harmful. If successful, attackers can insert virtually any type of SQL command,
including stored procedures,1 into the additional queries and have them executed along with
the original query. Vulnerability to this type of attack is often dependent on having a database
configuration that allows multiple statements to be contained in a single string.
Example: If the attacker inputs [‟; drop table users - -] into the password field, the application
generates the query:
SELECT accounts FROM users WHERE login=’doe’ AND pass=’’; drop table users -- ’
After completing the first query, the database would recognize the query delimiter (“;”) and
execute the injected second query. The result of executing the second query would be to drop
table users, which would likely destroy valuable information. Other types of queries could
insert new users into the database or execute stored procedures. Note that many databases do
not require a special character to separate distinct queries, so simply scanning for a query
separator is not an effective way to prevent this type of attack.
17
System Stored Procedure: SQLIAs of this type try to execute stored procedures present in
the database. Today, most database vendors ship databases with a standard set of stored
procedures that extend the functionality of the database and allow for interaction with the
operating system. Therefore, once an attacker determines which backend database is in use,
SQLIAs can be crafted to execute stored procedures provided by that specific database,
including procedures that interact with the operating system. It is a common misconception
that using stored procedures to write Web applications renders them invulnerable to SQLIAs.
Developers are often surprised to find that their stored procedures can be just as vulnerable to
attacks as their normal applications. Additionally, because stored procedures are often written
in special scripting languages, they can contain other types of vulnerabilities, such as buffer
overflows, that allow attackers to run arbitrary code on the server or escalate their privileges.
Example: consider this stored procedure
CREATE PROCEDURE DBO.is Authenticated
@userName varchar2, @pass varchar2, @pin int
AS
EXEC("SELECT accounts FROM users
WHERE login=’" +@userName+ "’ and pass=’" +@password+ "’ and pin=" +@pin);
GO
This example demonstrates how a parameterized stored procedure can be exploited via an
SQLIA. In the example, we assume that the query string constructed in this example has been
replaced by a call to the stored procedure defined above. The stored procedure returns a
true/false value to indicate whether the user’s credentials authenticated correctly. To launch an
SQLIA, the attacker simply injects [ ‟ ; SHUTDOWN; --] into either the user Name or
password fields. This injection causes the stored procedure to generate the following query:
SELECT accounts FROM users WHERE login=’doe’ AND pass=’ ’;
SHUTDOWN; --
At this point, this attack works like a piggy-back attack. The first query is executed normally,
and then the second, malicious query is executed, which results in a database shut down.
18
Inference: In this attack, the query is modified to recast it in the form of an action that is
executed based on the answer to a true/false question about data values in the database. In this
type of injection, attackers are generally trying to attack a site that has been secured enough so
that, when an injection has succeeded, there is no usable feedback via database error messages.
Since database error messages are unavailable to provide the attacker with feedback, attackers
must use a different method of obtaining a response from the database. In this situation, the
attacker injects commands into the site and then observes how the function/response of the
website changes. By carefully noting when the site behaves the same and when its behavior
changes, the attacker can deduce not only whether certain parameters are vulnerable, but also
additional information about the values in the database. There are two well-known attack
techniques that are based on inference. They allow an attacker to extract data from a database
and detect vulnerable parameters.
Blind Injection: In this technique, the information must be inferred from the behavior
of the page by asking the server true/false questions. If the injected statement evaluates
to true, the site continues to function normally. If the statement evaluates to false,
although there is no descriptive error message, the page differs significantly from the
normally-functioning
Timing Attacks: A timing attack allows an attacker to gain information from a
database by observing timing delays in the response of the database. This attack is very
similar to blind injection, but uses a different method of inference. To perform a timing
attack, attackers structure their injected query in the form of an if-then statement, whose
branch predicate corresponds to an unknown about the contents of the database. Along
one of the branches, the attacker uses a SQL construct that takes a known amount of
time to execute, (e.g. the WAITFOR keyword, which causes the database to delay its
response by a specified time). By measuring the increase or decrease in response time
of the database, the attacker can infer which branch was taken in his injection and
therefore the answer to the injected question.
Example: Using the code from our running example, we illustrate two ways in which
Inference based attacks can be used. The first of these is identifying inject-able parameters
using blind injection. Consider two possible injections into the login field. The first being
[ legalUser‟ and 1=0 - - ] and the second, [ legalUser‟ and 1=1 - - ].
19
These injections result in the following two queries:
SELECT accounts FROM users WHERE login=’legalUser’ and 1=0 -- ’ AND pass=’’
SELECT accounts FROM users WHERE login=’legalUser’ and 1=1 -- ’ AND pass=’’
Now, let us consider two scenarios. In the first scenario, we have a secure application, and the
input for login is validated correctly. In this case, both injections would return login error
messages, and the attacker would know that the login parameter is not vulnerable. In the second
scenario, we have an insecure application and the login parameter is vulnerable to injection.
The attacker submits the first injection and, because it always evaluates to false, the application
returns a login error message. At this point however, the attacker does not know if this is
because the application validated the input correctly and blocked the attack attempt or because
the attack itself caused the login error. The attacker then submits the second query, which
always evaluates to true. If in this case there is no login error message, then the attacker knows
that the attack went through and that the login parameter is vulnerable to injection.
The second way inference based attacks can be used is to perform data extraction. Here we
illustrate how to use timing based inference attack to extract a table name from the database.
In this attack, the following is injected into the login parameter:
[ „legalUser‟ and ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X
WAITFOR 5 --‟ ].
This produces the following query:
SELECT accounts FROM users WHERE login=’legalUser’ and
ASCII(SUBSTRING((select top 1 name from sysobjects),1,1)) > X WAITFOR 5 -- ’ AND
pass=’’
In this attack the SUBSTRING function is used to extract the first character of the first table‟s
name. Using a binary search strategy, the attacker can then ask a series of questions about this
character. In this case, the attacker is asking if the ASCII value of the character is greater-than
or less-than-or-equal-to the value of X. If the value is greater, the attacker knows this by
observing an additional 5 second delay in the response of the database. The attacker can then
use a binary search by varying the value of X to identify the value of the first character.
20
Alternate Encodings: In this attack, the injected text is modified so as to avoid detection by
defensive coding practices and also many automated prevention techniques. This attack type is
used in conjunction with other attacks. In other words, alternate encodings do not provide any
unique way to attack an application; they are simply an enabling technique that allows attackers
to evade detection and prevention techniques and exploit vulnerabilities that might not
otherwise be exploitable. These evasion techniques are often necessary because a common
defensive coding practice is to scan for certain known “bad characters,” such as single quotes
and comment
To evade this defense, attackers have employed alternate methods of encoding their attack
strings (e.g., using hexadecimal, ASCII, and Unicode character encoding). Common scanning
and detection techniques do not try to evaluate all specially encoded strings, thus allowing these
attacks to go undetected. Contributing to the problem is that different layers in an application
have different ways of handling alternate encodings. The application may scan for certain types
of escape characters that represent alternate encodings in its language domain. Another layer
(e.g., the database) may use different escape characters or even completely different ways of
encoding. For example, a database could use the expression char(120) to represent an
alternately-encoded character “x”, but char(120) has no special meaning in the application
language‟s context. An effective code-based defense against alternate encodings is difficult to
implement in practice because it requires developers to consider of all of the possible encodings
that could affect a given query string as it passes through the different application layers.
Therefore, attackers have been very successful in using alternate encodings to conceal their
attack strings.
Example: Because every type of attack could be represented using an alternate encoding, here
we simply provide an example of how esoteric an alternatively-encoded attack could appear.
In this attack, the following text is injected into the login field:
[ legalUser‟; exec(0x73687574646f776e) - - ”.
The resulting query generated by the application is:
SELECT accounts FROM users WHERE login=’legalUser’;
exec(char(0x73687574646f776e)) -- AND pass=’’
This example makes use of the char() function and of ASCII hexadecimal encoding.
21
The char() function takes as a parameter an integer or hexadecimal encoding of a character and
returns an instance of that character. The stream of numbers in the second part of the injection
is the ASCII hexadecimal encoding of the string “SHUTDOWN.” Therefore, when the query
is interpreted by the database, it would result in the execution, by the database, of the
SHUTDOWN command.
There is also various types of evasion techniques such as sophisticated matches, hex coding,
dropping white space, break words in the middle, parameterized query, system stored
procedure reduction etc.
5. Related Works
Although developers deploy defensive coding or OS hardening but they are not enough to stop
SQLIAs to web applications so researchers have proposed some of techniques to assist
developers.
Huang and colleagues [18] propose WAVES, a black-box technique for testing web
applications for SQL injection vulnerabilities. The tool identify all points a web application
that can be used to inject SQLIAs. It builds attacks that target these points and monitors the
application how response to the attacks by utilize machine learning.
JDBC-Checker [12, 13] was not developed with the intent of detecting and preventing general
SQLIAs, but can be used to prevent attacks that take advantage of type mismatches in a
dynamically-generated query string. As most of the SQLIAs consist of syntactically and type
correct queries so this technique would not catch more general forms of these attacks.
Wassermann and Su propose Taoutology Cheker [23] that uses static analysis to stop tautology
attack. The important limitation of this technique is that its scope is limited to tautology and
cannot detect or prevent other types of attacks.
Xiang Fu and Kai Qian [28] proposed the design of a static analysis framework, called SAFELI
for identifying SQLIA vulnerabilities at compile time. SAFELI statically monitor the MSIL
(Microsoft Symbolic intermediate language) byte code of an ASP.NET Web application, using
symbolic execution. SAFELI can analyze the source code and will be able to identify delicate
vulnerabilities that cannot be discovered by black-box vulnerability scanners.
22
CANDID [2, 7] modifies web applications written in Java through a program transformation.
This tool dynamically mines the programmer-intended query structure on any input and detects
attacks by comparing it against the structure of the actual query issued. CANDID’s natural and
simple approach turns out to be very powerful for detection of SQL injection attacks.
In SQL Guard [10] and SQL Check [5] queries are checked at runtime based on a model which
is expressed as a grammar that only accepts legal queries. SQL Guard examines the structure
of the query before and after the addition of user-input based on the model. In SQL Check, the
model is specified independently by the developer. Both approaches use a secret key to delimit
user input during parsing by the runtime checker, so security of the approach is dependent on
attackers not being able to discover the key. In two approaches developer should to modify
code to use a special intermediate library or manually insert special markers into the code where
user input is added to a dynamically generated query.
Another approach in this category is SQL-IDS [8] which focus on writing specifications for
the web application that describe the intended structure of SQL statements that are produced
by the application, and in automatically monitoring the execution of these SQL statements for
violations with respect to these specifications.
A proxy filtering system that intensifies input validation rules on the data flowing to a Web
application is called Security Gateway [26]. In this technique for transferring parameters from
webpage to application server, developers should use Security Policy Descriptor Language
(SPDL). So developer should know which data should be filtered and also what patterns should
apply to the data.
In SQLrand [22] instead of normal SQL keywords developers create queries using randomized
instructions. In this approach a proxy filter intercepts queries to the database and de-randomizes
the keywords. By using the randomized instruction set, attacker’s injected code could not have
been constructed. As it uses a secret key to modify instructions, security of the approach is
dependent on attacker ability to seize the key. It requires the integration of a proxy for the
database in the system same as developer training.
23
6. AMNESIA (Analysis and Monitoring for NEutralizing SQL-Injection
Attacks)
AMNESIA is a general technique that addresses all types of SQLIAs as defined previously.
The approach works by combining static analysis and runtime monitoring. The key intuition
behind the approach is that (1) the source code contains enough information to infer models of
the expected, legitimate SQL queries generated by the application, and (2) an SQLIA, by
injecting additional SQL statements into a query, would violate such a model.
In its static part, this technique uses program analysis to automatically build a model of the
legitimate queries that could be generated by the application. In its dynamic part, this technique
monitors the dynamically generated queries at runtime and checks them for compliance with
the statically-generated model. Queries that violate the model represent potential SQLIAs and
are thus prevented from executing on the database and reported. The technique consists of four
main steps.
i) Identify Hotspot
ii) Build SQL-query models
iii) Instrument Application
iv) Runtime Monitoring
6.1 Identify Hotspots
This step performs a simple scanning of the application code to identify hotspots. For the
example servlet in Figure 1, the set of hotspots would contain a single element: the statement
at line 10. (In Java-based applications, interactions with the database occur through calls to
specific methods in the JDBC library, such as
java.sql.Statement.execute(String).
24
Figure:1 Example servlet
6.2. Build SQL-Query Models
In this step build the SQL-query model for each hotspot identified in the previous step. Within
each hotspot, it is interested in computing the possible values of the query string passed to the
database. To do this, we use the Java String Analysis (JSA) library. This technique constructs
a flow graph that abstracts away the control flow of the program and represents string-
manipulation operations performed on string variables. For each string of interest the technique
analyzes the flow graph and simulates the string manipulation operations that are performed
on the string. The result of the analysis is a Non-Deterministic Finite Automaton (NDFA) that
expresses, at the character level, all the possible values the considered string can assume. The
string analysis is conservative, so the NDFA for a string is an overestimate of all the possible
values of the string.
It is worth noting that the JSA [5] technique generates Deterministic Finite Automata (DFAs),
obtained by transforming each NDFA into a corresponding DFA. However, the transformation
to DFAs increases the number of states and transitions in the graph and introduces cycles that
public class Show extends HttpServlet {
...
1. public ResultSet getUserInfo(String login,
String password) {
2. Connection conn = DriverManager.getConnection("MyDB");
3. Statement stmt = conn.createStatement();
4. String queryString = "";
5. queryString = "SELECT info FROM userTable WHERE ";
6. if ((! login.equals("")) && (! password.equals(""))) {
7. queryString += "login=’" + login +
"’ AND pass=’" + password + "’";
}
8. else {
9. queryString+="login=’guest’";
}
10. ResultSet tempSet = stmt.execute(queryString);
11. return tempSet;
}
...
}
25
complicate the construction of our SQL-query model. Therefore, AMNESIA use their
technique but skip its last step.
To build our SQL-query model for a given hotspot, it uses the following process. It performs a
depth first traversal of the NDFA for the hotspot and group characters as either SQL keywords,
operators, or literal values and create a transition in the SQL-query model that is annotated
with their literal value. For example, a sequence of transitions labeled ’S’, ’E’, ’L’, ’E’, ’C’,
and ’T’ would be recognized as the SQL SELECT keyword and suitably grouped into a single
transition labeled “SELECT”. Because there are several SQL dialects each with their own set
of keywords and operators, this part of the technique can be customized to recognize different
dialects. We represent variable strings (i.e., strings that correspond to a variable related to some
user input) using the symbol β (e.g., in this example the value of the variable password is
represented as β). AMNESIA performs it on NDFAs instead of DFAs.
Figure 3 shows the SQL-query model for the single hotspot in our example. The model reflects
the two different query strings that can be generated by the code depending on the branch
followed after the ‘if ‘ statement at line 6 (Figure 1).
6.3 Instrument Application:
In this step, we instrument the application by adding calls to the monitor that check the queries
at runtime. For each hotspot, the technique inserts a call to the monitor before the call to the
database. The monitor is invoked with two parameters: the string that contains the actual query
about to be submitted and a unique identifier for the hotspot. Using the unique identifier, the
runtime monitor is able to correlate the hotspot with the specific SQL-query model that was
statically generated for that point and check the query against the correct model.
Figure 4 shows how the example application would be instrumented by our technique. The
hotspot, originally at line 10 in Figure 1, is now guarded by a call to the monitor at line 10a.
26
Figure: 2 Example of hotspot after instrumentation
6.4 Runtime Monitoring
At runtime, the application executes normally until it reaches a hotspot. At this point, the string
that is about to be submitted as a query is sent to the runtime monitor. The monitor parses the
query string into a sequence of tokens according to the specific SQL syntax considered. Tokens
in the query that represent string or numeric constants can match any transition in the SQL-
query model labeled with β. Note that, in this parsing of the query string, the parser identifies
empty string constants by their syntactic position and we denote these in the parsed query string
using ", the common symbol for the empty string.
...
10a. if (monitor.accepts (<hotspot ID>,queryString))
{
10b. ResultSet tempSet = stmt.execute(queryString);
11. return tempSet;
}
...
Figure 3
27
Figure 3 shows how the two queries
SELECT info FROM users WHERE login=’guest’
SELECT info FROM users WHERE login=’doe’ AND pass=’xyz’
would be parsed during runtime monitoring. It is important to point out that our technique
parses the query string the same way that the database would, according to the specific SQL
grammar considered. In other words, it does not do a simple keyword matching over the query
string, which would cause false positives and problems with user input that happened to match
SQL keywords. For example, a user-submitted string that contains SQL keywords but is
syntactically a text field, would be correctly recognized as a text field. However, if the user
were to inject special characters, as in our example, to force part of the text to be evaluated as
a keyword, the parser would correctly interpret this input as a keyword. Using the same parser
as the database is important because it guarantees that we are interpreting the query the same
way that the database will. After the query has been parsed, the runtime monitor checks it by
assessing whether the query violates the SQL-query model associated with the hotspot from
which the monitor has been called.
An SQL-query model is an NDFA whose alphabet consists of SQL keywords, operators, literal
values, and delimiters, plus the special symbol _. Therefore, to check whether a query is
compliant with the model, the runtime monitor can simply check whether the model (i.e., the
automaton) accepts the query (i.e., whether a series of valid transitions reaches an accepting
state). Recall that a string constant (including ") or numeric constant in the parsed query string
can match either _ or an identical literal value in the SQL-query model.
If the model accepts the query, then the monitor lets the execution of the query continue.
Otherwise, the monitor identifies the query as an SQLIA. In this case, the monitor prevents the
query from executing on the database and reports the attack.
28
Figure : 5 high-level overview of AMNESIA
Efficiency
In terms of efficiency, this approach requires the execution of the monitor for each database
query. Since we check the query against the SQL-query model, which is an NDFA, the worst
case complexity is exponential in the size of the automaton, which in the worst case is quadratic
in the size of the program. However, the visit of the NDFA is typically linear because the
automata generated by the analysis are usually trees. Also, the automata are linear for typical
programs—the case of a quadratic size corresponds to an application that modifies the query
string and branches in each line of the program. In fact, most automata are actually quite small
with respect to the size of the corresponding application. In practice, considered that the
monitor just checks a typically short set of tokens against an NDFA, whereas database queries
normally involve interactions over a network, we expect the overhead for the monitoring to be
negligible. This intuition is confirmed by our empirical evaluation.
29
7 Conclusion and Future Work
AMNESIA is a fully automated technique for detecting, preventing, and reporting SQL
Injection Attacks (SQLIAs). The technique is based on the intuition that the web-application
code implicitly contains a “policy” that allows for distinguishing legitimate and malicious
queries. To extract and check this policy, the technique combines static and dynamic analysis.
In the static phase, the technique uses an existing string analysis to extract from the web-
application’s code a model of all the query strings that could be generated by the application.
In the dynamic phase, the technique monitors dynamically-created queries for conformance
with the statically-built model. Queries that are not compliant with the model are identified as
SQLIAs, blocked, and relevant information is reported to developers and administrators.
This technique is mostly interested in SQL keywords and operators, and the strings
representing them are typically constant strings that are rarely manipulated in the application.
Therefore, it is possible to use a simplified string analysis to extract the SQL-query models that
the monitoring technique needs directly from a suitable representation of the code.
The primary limitation of this tool is that its success is dependent on the accuracy of its static
analysis for building query models. So in future this limitation can be eliminated. Finally, it is
investigated that, combined static and dynamic approaches for building models to handle cases
in which the static analysis can be successfully applied on only a subset of the application.
References
http://en.wikipedia.org/wiki/SQL_injection
http://www.w3schools.com/sql/sql_injection.asp
www.cc.gatech.edu/home/orso/papers/halfond.orso.ICSEDEMO06.pdf by WGJ
Halfond AMNESIA is a tool that detect and prevent SQL injection
Evaluation of sql injection detection and prevention techniques A Tajpour - … Systems
and Networks (CICSyN), 2010 Second …, 2010 - ieeexplore.ieee.org
S. Christensen, A. Møller, and M. I. Schwartzbach. Precise Analysis of String
Expressions. In Proceedings of the 10th International Static Analysis Symposium, SAS
03, volume 2694 of LNCS, pages 1–18. Springer-Verlag, June 2003.
W. G. Halfond, J. Viegas and A. Orso, “A Classification of SQL Injection Attacks and
Countermeasures,” College of Computing Georgia Institute of Technology IEEE, 2006.