Technology White Paper of SQL Injection Attacks and Prevention

Size: px

Start display at page:

Download "Technology White Paper of SQL Injection Attacks and Prevention"

Sharon Turner
5 years ago
Views:

1 Technology White Paper of SQL Injection Attacks and Prevention Keywords: SQL injection, SQL statement, feature identification Abstract: SQL injection attacks are common attacks that exploit database vulnerabilities. This document exemplifies the working mechanism and methods of SQL injection attacks, and describes the solutions provided by H3C security products to preventing such vulnerabilities. Acronyms: Acronym Full spelling SQL IPS URL Structured Query Language Intrusion Prevention System Uniform Resource Locator Hangzhou H3C Technologies Co., Ltd. 1/11

2 Table of Contents Introduction to SQL Injection Attacks 3 Overview 3 Mechanism 3 Example 4 Harms of SQL Injection Attacks 7 SQL Injection Attack Prevention Through IPS Devices 7 SQL Injection Prevention Framework of IPS Devices 7 Advantages of the SQL Injection Prevention Framework of IPS Devices 9 Application Scenarios 10 Hangzhou H3C Technologies Co., Ltd. 2/11

3 Introduction to SQL Injection Attacks Overview Structured Query Language (SQL) is a text-based language for interacting with relational databases. SQL allows users to manage data effectively through data query, operation, definition, and control. For example, users can write data to databases, insert data into databases, and retrieve data from databases. Relational databases are widely used in websites. Users generally interact with databases through dynamic Web pages. Users access common dynamic Web pages by visiting parameterized URLs, in the format Dynamic pages can be.asp,.php,.jsp, or perl Web pages. A dynamic Web page has one or more parameters, whose type can be integer or character string. Website application programs (dynamic Web pages) with poor security allow attackers to construct and submit malicious URLs, insert specially-constructed SQL statements into submitted parameters, intercept information from the interaction with relational databases, or directly temper Web data. Such attacks are known as SQL injection attacks. Mechanism An SQL injection attack works by crafting SQL states which are combined with the contents submitted by Web pages. Techniques commonly used by SQL attacks include comment symbols, identical equations (such as 1 = 1), union queries by using the union statement, and inserting or modifying data by using the insert or update statement. In addition, SQL injection attacks use some built-in functions, for example, using the phpinfo function to display basic information and the char function to avoid single quotes. The following exemplifies several simple methods of statement construction. Generally, relational databases store data in tables. Assume that a table named user exists. The table has four columns: id, username, pwd, and level, which indicate user IDs, user names, passwords, and privilege levels. Table 1 lists several simple methods of constructing injected statements. Strings such as $username and $password are variable names. Table 1 Methods of constructing injected statements Statement Normal statement: SELECT * FROM user WHERE username = '$username' AND pwd = '$password' Injected statement: SELECT * FROM user WHERE username = 'tom'/*' AND pwd = '' Remarks The contents following AND pwd = '' are ignored because they are considered as comments by the preceding /*, which is used in SQL to precede comments. This allows an attacker to log in without submitting a password. Hangzhou H3C Technologies Co., Ltd. 3/11

4 Statement Normal statement: SELECT * FROM user WHERE username = '$username' AND pwd = '$password' Injected statement: SELECT * FROM user WHERE username = 'tom' AND pwd = '' or '1=1' Normal statement: UPDATE user SET pwd = '$password' WHERE username = '$username' Injected statement: UPDATE user SET pwd = 'abcd',level='3' WHERE username = 'tom' Normal statement: SELECT * FROM user WHERE username = '$username' Injected statement: SELECT * FROM user WHERE username = 'tom' AND LEFT(pwd,1)='l' Normal statement: SELECT * FROM user WHERE username = '$username' AND pwd = '$password' Injected statement: SELECT * FROM user WHERE username = 'tom' into outfile 'd:/http root/file001.txt'/*' AND pwd = '' Normal statement: INSERT INTO user VALUES('$id', '$username', '$password', '1') Injected statement: INSERT INTO user VALUES('10', 'tom', 'password','3')/*', '1') Remarks In the injected statement, identical equation 1 = 1 is used for logic judgment. Thus, this statement is executed successfully even if pwd is judged as false, allowing the attacker to log in without a password. In the injected statement, the attacker adds single quotes following pwd and the subsequent WHERR statement to change the password and change the level to 3 to become a user with the highest privilege level. In the injected statement, built-in functions are used to judge the character in a position of a string. If the judgment succeeds, the user ID is displayed. Such attempts are repeated until the actual password is obtained. The injected statement retrieves the file in the inserted path. The file contains the information on user tom. In the injected statement, user tom is inserted, whose ID is 10 and whose privilege level is set to 3, namely, the highest level. Such attacks are used to register users with high privilege levels by exploiting security vulnerabilities. Example The following describes an SQL injection attack and its hazards by using an actual network as an example. Figure 1 shows a page of an open-source alumni website. Normally, when a user selects a year from the drop-down list on this page, the page displays the information on the graduates of that year. In this example, the URL in the address bar of the Web page is: Hangzhou H3C Technologies Co., Ltd. 4/11

Figure 1 Web page of an open-source alumni website with security vulnerabilities Actually, the codes processing years fail to filter the data submitted by the user.

5 Figure 1 Web page of an open-source alumni website with security vulnerabilities Actually, the codes processing years fail to filter the data submitted by the user. This is a vulnerability that an SQL attack can exploit. By submitting specially-constructed SQL statements to the Web page, the attacker makes the Web page display related contents from internal databases. Assume that the attacker submits a URL containing an SQL statement in the address bar of the Web page. When executing the statement, the codes do not judge the submitted contents properly. This causes the SQL injection attack to succeed. Assume that the following statement is submitted: ame,1,alumnipassword,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20alumni_users%20where%20id='1 Table 2 explains the URL contents in detail. Table 2 Description of the URL contents Contents Remarks This is the normal URL. view&year=2005 year=2005 is executed as an SQL statement query condition in the codes. The format is similar to select * from table where year=2005. Hangzhou H3C Technologies Co., Ltd. 5/11

6 Contents Remarks This is added by the attacker. union select%201,1,1,alumniusername,1,alumnipass word,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20alum ni_users%20where%20id='1 This allows the entire added contents are executed normally without generating any errors in server databases. This is added by the attacker. These contents are used to retrieve the password from table alumni_users and display it. %20 Space Normally, the returned page displays the alumni names and related information. In this example, however, because the password is used as the selection column of the select statement, the returned page displays the password of the user. Figure 2 shows the page returned after the attacking statement is submitted. Figure 2 Displayed Web page attacked by an SQL injection As shown in Figure 2, besides user names and addresses, the user's page displays the password, which was encrypted. Actually, if the attacker changes 1 in the injected statement to the corresponding column names, the Web page displays the contents of other columns in the table, exposing more private information. Hangzhou H3C Technologies Co., Ltd. 6/11

7 Harms of SQL Injection Attacks Technology White Paper of SQL Injection Attacks and Prevention As mentioned above, a parameterized dynamic Web page on which a database is accessed is susceptible to SQL injection attacks. Therefore, SQL injection attacks are much more likely to happen than other Web attacks and cause more widespread harms. Such harms include obtaining the system control right, operating databases without authorization, tempering Web page contents, and adding system accounts or database user accounts. Nowadays, there are more and more database-based network applications. Meanwhile, the software used to search for SQL injection ports is so easily available on the Internet that even a novice attacker can use such software to search for victims and attack them. As the numbers of attack targets and attackers increase, there have been more and more SQL injection attacks in recent years. SQL Injection Attack Prevention Through IPS Devices SQL Injection Prevention Framework of IPS Devices Hangzhou H3C Technologies Co., Ltd. (hereinafter referred to as H3C) analyzes SQL injection attacks and finds that SQL injection attacks a Web page in the following ways: By using common SQL injection statements. Exploiting the characteristics of Web background databases. Using SQL injection scanners. In view of this, H3C has developed a complete set of SQL injection attack prevention framework that allows for timely detection of known and potential SQL injection attacks. Figure 3 shows the general SQL injection attack prevention framework using H3C intrusion prevention system (IPS) devices. Hangzhou H3C Technologies Co., Ltd. 7/11

8 Figure 3 SQL injection attack prevention framework Technology White Paper of SQL Injection Attacks and Prevention Processing on the device Network traffic Pre-processing Perform feature matching Traffic not processed Not matching the SQL injection attack model IPS feature library Matching the SQL injection attack model Block the traffic Report the attack Technical reserve Attack and prevention tests in a lab Generalized and layered SQL injection attack model Analyze the SQL language Analyze database features Analyze common scanners used for the attacks Analyze actual SQL injection attack methods An H3C IPS device identifies attacks through feature identification and blocks the attacks. The IPS device has a complete feature library and upgrades the feature library periodically. When network traffic enters the IPS device, the device checks whether the traffic matches the attack features of the current feature library. If yes, the device blocks the network traffic and report the attack; otherwise, the device allows the network traffic to pass. Based on the characteristics of SQL injection attacks, the H3C IPS feature library can identify SQL injection attack features in the following ways: Identifying abnormal fields in SQL statements based on SQL statement characteristics SQL injection attackers generally add abnormal fields, such as and 1=1, to URLs. By identifying these abnormal fields, the H3C IPS feature library checks whether the website has any SQL injection vulnerabilities and obtains database information. Identifying abnormal fields in background databases based on background database characteristics Websites today mainly use MS-SQL, Access, MySQL, and Oracle databases. Each database has system base tables that store the information for the database. Some databases provide additional functions that may be exploited by SQL injections. For example, in an MS-SQL database, system commands can be executed; the database information of a MySQL database can be exported to a file, the database information of an Oracle database can be reflected to any listening port. After in-depth analysis of above-mentioned databases and based on respective database characteristics, the H3C IPS feature library extracts the abnormal fields from URLs to ensure that attacks cannot launch SQL injection attacks by exploiting the features provided by databases. Hangzhou H3C Technologies Co., Ltd. 8/11

9 Analyzing SQL injection scanners and blocking attack probes from SQL injection scanners In actual attacks, attackers usually perform automatic scans of websites by using SQL injection scanners to probe for SQL injection vulnerabilities that can be exploited. After analyzing well-known SQL injection scanners, H3C has worked out the behaviors and methods of these scanners and blocks the website scanning probes from these scanners. Analyzing SQL injection vulnerabilities in actual networks Because website developers fail to strictly check input parameters, many SQL injection vulnerabilities exist in actual networks. Some major vulnerability release websites release large amounts of SQL injection vulnerabilities. By analyzing and summarizing these vulnerabilities, H3C IPS devices ensure that attackers cannot launch attacks through released SQL injection vulnerabilities. Advantages of the SQL Injection Prevention Framework of IPS Devices The SQL injection prevention framework of H3C IPS devices has the following advantages: A complete SQL injection detection model is constructed to accurately identify SQL injection attacks Considering SQL characteristics and the basic principles and patterns of known attacks, H3C has developed a universal and layered SQL injection attack detection model on different vulnerability models with different database types and SQL injection scanners and integrated the model to the feature library. Providing an abstraction of the general pattern of SQL injection attacks, these models accurately identify mainstream SQL injection attacks and construct a complete SQL injection detection model, making the model universal. H3C has simulated actual network environments, performed larges amounts of attack/prevention tests, and sorted out and verified the SQL injection vulnerability attacks released in recent years. H3C IPS devices can be used to identify and block all the released attacks. Flexible detection methods allow for accurate identification of transformed SQL injection attacks In actual attacks, to avoid being detected by an attack-prevention device, an SQL injection attack is often transformed through URL coding technologies and parameter modifications. H3C extends SQL injection attack features based on the SQL injection vulnerability principles, attack methods, and attack targets. Transformed attacks under the same vulnerability principles can also be blocked effectively even if the attacker modifies such contents as parameters, format, and statements. This expands the protection scope of the device, makes the prevention more flexible, and greatly reduces missing reports. Tracking of the latest vulnerabilities and technologies effectively prevents the latest attacks As SQL injection attacks become more and more frequent, harms are done in wider and wider scopes. This puts forth higher protection depth and breadth requirements on IPS devices. IPS devices need to Hangzhou H3C Technologies Co., Ltd. 9/11

10 not only guard against existing SQL injection attacks but also effectively block the latest, unreleased attacks. H3C has established a set of complete attack/prevention test environments to detect timely potential SQL injection vulnerabilities. Meanwhile, H3C keeps track of the latest SQL injection attack technologies and tools, timely updates the feature library of SQL injection attacks, and instantly releases the latest SQL injection prevention measures to ensure that users' networks are free of any SQL injection attacks. High-efficient operation of normal services is guaranteed Stable and efficient feature libraries provide powerful support for the prevention of SQL injection attacks. In actual deployment, H3C IPS devices analyze and identify network traffic. If any feature existing in the traffic matches an SQL injection attack prevention policy, the related traffic is blocked and a log is generated depending on the feature type and severity to provide the administrator with accurate attack information. If no feature in the traffic matches the attack model, the traffic is allowed to pass without affecting normal network services. This ensures high-efficient device operation while providing accurate protection. Application Scenarios Figure 4 shows a typical scenario of SQL injection attack prevention using H3C IPS devices. Figure 4 Network diagram for SQL injection attack prevention Generally, a website under attack consists of two parts: foreground application program and background database. A foreground application program is used to interact with users and databases. A background database is used to store data. Most SQL injection attacks directly interact with background databases to obtain information by exploiting the vulnerabilities in foreground application programs. Therefore, the IPS device needs to be deployed at the egress of the intranet of the website, namely, outside foreground application programs, to ensure database information security. Hangzhou H3C Technologies Co., Ltd. 10/11

11 Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of H3C Technologies Co., Ltd. This document is subject to change without notice. Hangzhou H3C Technologies Co., Ltd. 11/11

SYN Flood Attack Protection Technology White Paper

SYN Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Flood Attack Protection Technology White Paper Keywords: flood, Cookie, Safe Reset Abstract: This document describes the technologies and measures provided