
Thursday 1 March 2012


What is SQL Injection?




A few days ago my relative Mr. Sanket Bhatt and I were talking about web security; as he is a web designer, he is the person who has to take care of security. We started to talk about the SQL injection flaw, as he also develops web applications. So at that time I thought of writing an article about SQL injection. So read on to check out how an attacker can find weaknesses and how to get protected.

Definition



SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Such features as login pages, support and product request forms, feedback forms, search pages, shopping carts and the general delivery of dynamic content, shape modern websites and provide businesses with the means necessary to communicate with prospects and customers. These website features are all examples of web applications which may be either purchased off-the-shelf or developed as bespoke programs.
These website features are all susceptible to SQL Injection attacks.

A Simple Example



Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.

When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access.

Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.

The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection attack is a web browser, knowledge of SQL queries and creative guesswork at important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.

An Example of Attack



Here is a sample basic HTML form with two inputs, login and password.




The simplest way for login.asp to work is by building a database query that looks like this:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'

If the variables $username and $password are taken directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password: anything' OR 'x'='x. The query sent to the database then becomes:

SELECT id
FROM logins
WHERE username = 'Joe'
AND password = 'anything' OR 'x'='x'

As the inputs of the web application are not properly sanitised, the single quote in the password closes the intended string literal, and the OR that follows turns the WHERE clause into two alternative conditions.

The 'x'='x' part guarantees to be true regardless of what the first part contains.

This will allow the attacker to bypass the login form without actually knowing a valid username / password combination!
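To make the bypass above concrete and show the fix beside it, here is an added Python example (not code from the original post, which talks about login.asp). It uses an in-memory SQLite table named logins with one constructed row. The vulnerable function builds the query by string concatenation exactly as the page's example does; the hardened function binds the input as a query parameter, so the quote inside the password stays data and never becomes SQL text.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's 'logins' table, with a single test user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO logins (username, password) VALUES ('Joe', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation, as the page's login.asp example does.

    Any single quote in the input terminates the literal and the rest is parsed as SQL.
    """
    sql = (
        "SELECT id FROM logins WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders are bound by the driver, so input is compared as a whole value."""
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both login functions with the correct password and with the page's payload."""
    conn = make_db()
    payload = "anything' OR 'x'='x"  # the password string from the article
    return {
        "vuln_correct": login_vulnerable(conn, "Joe", "s3cret"),
        "vuln_payload": login_vulnerable(conn, "Joe", payload),
        "param_correct": login_parameterized(conn, "Joe", "s3cret"),
        "param_payload": login_parameterized(conn, "Joe", payload),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

demo() returns a dict: both functions accept Joe/s3cret, but only the concatenated query accepts the page's payload, because SQLite sees 'x'='x' as a second condition in the WHERE clause. The parameterized version compares the whole string against the stored password and returns None, which is the behaviour a login form should have.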

Are you at risk?



According to the Web Application Security Consortium (WASC) 9% of the total hacking incidents reported in the media until 27th July 2006 were due to SQL Injection. More recent data from our own research shows that about 50% of the websites we have scanned this year are susceptible to SQL Injection vulnerabilities.

It may be difficult to answer the question whether your web site and web applications are vulnerable to SQL Injection especially if you are not a programmer or you are not the person who has coded your web applications.

Our experience leads us to believe that there is a significant chance that your data is already at risk from SQL Injection.

Whether an attacker is able to see the data stored on the database or not, really depends on how your website is coded to display the results of the queries sent. What is certain is that the attacker will be able to execute arbitrary SQL Commands on the vulnerable system, either to compromise it or else to obtain information.

If improperly coded, then you run the risk of having your customer and company data compromised.

What an attacker gains access to also depends on the level of security set by the database. The database could be set to restrict to certain commands only. A read access normally is enabled for use by web application back ends.

Even if an attacker is not able to modify the system, he would still be able to read valuable information.

How to Prevent SQL Injection?



"You keep seeing the same issues come up over and over again for many years now," says Alex Rothacker, manager of Team SHATTER, Application Security Inc.'s research arm. "Even with this Apple attack, they used a little bit more advanced attacks, but still it's stuff that's been talked about at Black Hat for two years now."


1. Never trust input.
"Make sure that the data that people input into your website is exactly the data you're looking for, so if you're asking for a social security number, you want to make sure it is actually a social security number and there are no letters in there," Rothacker says.


2. Implement filtering and monitoring tools.
"Database activity monitoring is a really great tool against SQL injections," Rothacker explains. "For known injection attacks, there's always filters out there that will help alert the DBAs that something bad is going on and there's also some pretty generic filters that look for things that are very typical in SQL injections -- things like an uneven number of quotes that break up the SQL code and stuff like that."


3. Craft error messages carefully.
"[Organizations should] configure the Web and database servers to not output error or warning messages," warns Neil Daswani, co-founder and CTO of Dasient. "Attackers can use such messages to learn about your database schema using techniques such as 'blind SQL injection.'"


4. Patch and harden databases.
"Keep your databases patched, and also your Web applications and Web services while you're at it," says Rothacker. "I think that should be a no-brainer."

Additionally, don't forget about how your databases are configured. "Harden the database and the operating system of the machine it is running on by disabling unnecessary services and functionality," says Dasient's Daswani.


5. Limit database privileges.
"You definitely want to run all of these accounts that serve as a Web account that have access to the back-end database at really low privileges so that they can really only access the data that they're supposed to access," Rothacker says. "You want to make sure they don't have any rights to make changes on the database."
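As an added example, not from the article or the people quoted in it, here is a Python sketch of points 1 and 2 together: a per-field allow-list validator (the social-security-number check Rothacker mentions, plus a username pattern) and the "uneven number of quotes" heuristic, run over a few constructed form submissions. The field names, patterns and sample values are assumptions for illustration.

```python
import re

# Allow-list patterns per form field (constructed for this example; adapt to your schema).
# Fields absent from this table, such as password or free-text comments, get a length
# check only: their safety rests on parameterized queries, not on character filtering.
FIELD_PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "ssn": re.compile(r"\d{3}-\d{2}-\d{4}"),
}


def validate_field(name, value):
    """Point 1: accept a value only if it has the shape the field is supposed to have."""
    pattern = FIELD_PATTERNS.get(name)
    if pattern is None:
        return 1 <= len(value) <= 128
    return pattern.fullmatch(value) is not None


def has_odd_quote_count(value):
    """Point 2: the odd-number-of-single-quotes heuristic, applied to one input value."""
    return value.count("'") % 2 == 1


def screen_submission(fields):
    """Returns a list of (field, reason) findings for one form submission."""
    findings = []
    for name, value in fields.items():
        if not validate_field(name, value):
            findings.append((name, "failed allow-list validation"))
        if has_odd_quote_count(value):
            findings.append((name, "odd number of single quotes"))
    return findings


# Constructed sample submissions.
SAMPLES = {
    "clean": {"username": "Joe", "password": "s3cret", "ssn": "123-45-6789"},
    "letters_in_ssn": {"username": "Joe", "password": "s3cret", "ssn": "123-45-678A"},
    "page_payload_in_username": {
        "username": "anything' OR 'x'='x",  # the password string from the article
        "password": "s3cret",
        "ssn": "123-45-6789",
    },
    "apostrophe_comment": {
        "username": "Joe",
        "password": "s3cret",
        "ssn": "123-45-6789",
        "comment": "I can't log in",
    },
}


def run_all():
    """Screens every sample and returns the findings keyed by sample label."""
    return {label: screen_submission(fields) for label, fields in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in run_all().items():
        print(label, "->", findings or "no findings")
```

Two things the output shows. The page's own payload contains four single quotes, so the quote-count heuristic alone does not flag it and only the allow-list catches it in the username field. Conversely, a harmless comment such as "I can't log in" does trip the heuristic. That is why this kind of filter belongs in monitoring that alerts the DBA, as Rothacker describes, while parameterized queries and allow-list validation are the controls that actually stop the injection.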

Reviewed By: Ajay Devgan