Vulnerability disclosure model like full disclosure expect ….
expect all stakeholders agree to allow a period of time for the vulnerability to be patched
SQL Injection – What is it?
Inputs to the application that interact with a
backend database directly can be vulnerable to
SQL injection
SQLi – What can you do?
The attack targets the system and can lead to the
following;
- Circumvent access controls
- Modify data (insert/update/delete)
- Read sensitive data
- Read file on the DBMS file system e.g., /etc/passwd
- Execute administration operations on the DB
- Execute OS Commands
Detection Techniques
- Find out where the application interacts with the backend DB e.g. Authentication forms, Search Functions, E-Commerce Functions
- Make a list of all input fields:
- including the hidden fields
- Consider HTTP headers and Cookies
Fingerprinting the DB (two methods)
First method is to observe the error returned by the DB where each DB will throw a different error message
Second method can be used in the case of:
- No error message
- Custom error message
3 SQL Injection Classes
- Inband: data is extracted using the same channel that is used to inject the SQL code. This is the most straightforward kind of attack, in which the
retrieved data is presented directly in the application web page. - Out-of-band: data is retrieved using a different channel (e.g., an email with the results of the query is generated and sent to the tester).
- Blind: there is no actual transfer of data, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behaviour of the DB Server.
When trying to exploit an SQL Injection there are two
outcomes for the attacker:
- The application returns an error message generated by an incorrect query (makes it easier for the attacker to reconstruct the logic)
- The application hides the error details, then the tester must be able to reverse engineer the logic of the original query.
3 SQLi Techniques
- Union Technique: can be used when the SQL injection flaw happens in a SELECT statement, making it possible to combine two queries into a single result or result set.
- Boolean Technique: use Boolean condition(s) to verify whether certain conditions are true or false. (useful in blind SQLi)
- Time delay technique: use database commands (e.g. sleep) to delay answers in conditional queries. It is useful when attacker doesn’t have some kind of answer (result, output, or error) from the
application. (appropriate for blind SQLi)
Union technique can be used to find out …
- Find the right number of columns in the SELECT statement
2. Find out column type
Other SQLi Techniques
- Error based technique: Force DB to run a command when it’s throwing an error. Exploitation is different from DB to DB
- Out of band technique
- Used in blind SQL injection situations
- Force the DB to perform an “out-of-band” connection and deliver the results of the injection to a server an attacker owns
- e.g. an email, a HTTP connection
SQL Injection Mitigation
There are several options and each one should be
considered for each vulnerability. Applications differ
greatly and one technique may not be suitable for all
- Parameterised Queries
- Stored Procedures
- Escaping User Supplied Input
Parameterised Queries
only allows for the correct data type to be inputted
Other SQLi defences
- Whitelist input validation
- Escaping User Supplied Input
- Avoid detailed error messages
- Enforce least privilege
