Tautology based Advanced SQL Injection Technique A Peril to Web Application

Similar documents
International Journal Of Computer Architecture And Mobility (ISSN ) Volume 1-Issue 3, January Phishing attack Generalization

ANALYSIS OF VARIOUS LEVELS OF PENETRATION BY SQL INJECTION TECHNIQUE THROUGH DVWA

Understanding Advanced Blind SQLI attack

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application

SQL Injection Attack & Its Prevention

Detecting Insider Attacks on Databases using Blockchains

Web Security Vulnerabilities: Challenges and Solutions

CSE 565 Computer Security Fall 2018

Door Automation Security System Using OTP

Mechanisms for Database Intrusion Detection and Response. Michael Sintim - Koree SE 521 March 6, 2013.

ACS-3921/ Computer Security And Privacy. Chapter 5 Database and Data Centre Security

Binary Protector: Intrusion Detection in Multitier Web Applications

C1: Define Security Requirements

October, 2012 Vol 1 Issue 8 ISSN: (Online) Web Security

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Double Guard: Detecting intrusions in Multitier web applications with Security

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Top 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy

Secure Programming Lecture 8++: SQL Injection

Blind XPath Injection Attack: A Case Study

Chapter 5: Database Security

Multi-hashing for Protecting Web Applications from SQL Injection Attacks

An Intrusion Detection System for SQL Injection Attack on SaaS applications

Copyright

Detecting SQLIA using execution plans

Client-Side Detection of SQL Injection Attack

Real Application Security Administration

Research Article Improving Web Application Security Using Penetration Testing

Building A Secure & Anti-Theft Web Application By Detecting And Preventing Owasp Critical Attacks- A Review

HP 2012 Cyber Security Risk Report Overview

Secure Web Application: Preventing Application Injections

MATERIALS AND METHOD

Development of web applications using Google Technology

How to perform the DDoS Testing of Web Applications

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Injection attacks use specially crafted inputs to subvert the intended operation of applications.

A Security Admin's Survival Guide to the GDPR.

10 FOCUS AREAS FOR BREACH PREVENTION

Rich Powell Director, CIP Compliance JEA

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

SQL Injection Attacks and Defense

Application Security Approach

Cyber Security and Substation Equipment Overview

Oracle Database. Installation and Configuration of Real Application Security Administration (RASADM) Prerequisites

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

MWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

RiskSense Attack Surface Validation for Web Applications

. International Journal of Advance Research in Engineering, Science & Technology. Identifying Vulnerabilities in Apache Cassandra

High Secure Web Service to Resolve Different Web Vulnerabilities

Configuring User Defined Patterns

Database Attacks, How to protect the corporate assets. Presented by: James Bleecker

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Application vulnerabilities and defences

SQL Injection Attack: Detection in a Web Application Environment

CSCE 548 Building Secure Software SQL Injection Attack

Technology White Paper of SQL Injection Attacks and Prevention

# ROLE DESCRIPTION / BENEFIT ISSUES / RISKS

Will you be PCI DSS Compliant by September 2010?

Information and Software Technology

SQL Injection Attacks: Detection in a Web Application Environment

Unit Level Secure by Design Approach

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

- Table of Contents -

An Oracle White Paper September Security and the Oracle Database Cloud Service

Domain System Threat Landscape. Pablo Rodriguez Nic.pr Janelle McAlister - MarkMonitor

DreamFactory Security Guide

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

AUTOMATIC TUNING AND SEMANTIC BASED CLONE DETECTION OF ANDROID APPLICATIONS

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge

Vulnerabilities in online banking applications

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Automated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation

The OWASP Foundation

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

COMP9321 Web Application Engineering

6 MILLION AVERAGE PAY. CYBER Security. How many cyber security professionals will be added in 2019? for popular indursty positions are

Karthik Bharathy Program Manager, SQL Server Microsoft

Presentation by Brett Meyer

CASE STUDY: REGIONAL BANK

ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Trusted DBMS Architecture. Trusted DBMS Architecture featuring Trusted OS

PT Unified Application Security Enforcement. ptsecurity.com

SQLUnitGen: Test Case Generation for SQL Injection Detection

SQL INJECTION IN WEB APPLICATIONS By Roshmi Choudhury,Officer (IT) Numaligarh Refinery Limited

@IJMTER-2016, All rights Reserved ,2 Department of Computer Science, G.H. Raisoni College of Engineering Nagpur, India

EasyCrypt passes an independent security audit

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

CIS 4360 Secure Computer Systems XSS

Course 40045A: Microsoft SQL Server for Oracle DBAs

Transcription:

IJIRST National Conference on Latest Trends in Networking and Cyber Security March 2017 Tautology based Advanced SQL Injection Technique A Peril to Web Application Kritarth Jhala 1 Shukla Umang D 2 2 Department of Information Technology 1 Digital Forensic Analyst Ahmedabad, India 2 SAL College of Engineering Ahmedabad, India Abstract In online era,sql Injection is the top most security breaches in web application applications' software they let the attackers to gain the unrestricted access to the heart of any web application called backend databases which underlying the applications and potentially sensitive information these databases contain. Although researchers and pentsters have proposed a variety of methods to address the SQL injection problem current approaches either fail to handle the full scope of the problem or have limitations that prohibit their use and adoption. Many researchers and practitioners are familiar with only a subset of the wide range of techniques available to attackers who are trying to take advantage of SQL injection vulnerabilities SQL Injection is a code injection technique which used to attack data-driven applications in which the malicious SQL statements are inserted into an entry field for execution code injection technique. The first public discussions of SQL injection started appearing around 1998.It is very common and dangerous vulnerability in web applications. Lot of techniques are there to exploit this vulnerability. This paper will focus on Advanced Authentication bypass using Tautology based injection (ex : ' OR '1' = '1) etc., with some other manipulations to gain different user accounts access. Key words: Advanced Sql injection techniques, data breaches, Web Application vulnerability, Bypassing authentication, identifying injectable parameters, extracting data I. INTRODUCTION Now a days the World Wide Web has witness a astounding growth of many online web applications which have been developed for achieving the various purposes. Now a days everyone having a touch with computer technology and somehow they connected online. To provide this huge number of users immense volumes of data are stored in web application databases in various parts of the globe. Infrequently the users have to communicate with the backend databases via the user interfaces to deal with the various tasks such as updating data, making queries, extracting data, and so forth. For all these operations design user interface plays an essential role and the quality of which has a great impact on the security of the stored data in the database. A vulnerable web application design may allow malicious injections on the backend database. This malicious injections can cause lots of damages and thefts of trusted users sensitive data by unauthorized users. In the worst case the attacker may gain full control over the web application and totally destroy the system. This is successfully achieved through various techniques of SQL injection attacks on the online Web application database. Fig. 1: Basic SQL Injection Workflow In this paper we are going to represent a tautology based sql injection attack. Basically tautology based attack is an advanced sql injection technique. In a tautology based attack the code is injected using the conditional operator "OR "and also the query always evaluates to "TRUE ". Tautology based sql injection attacks are usually bypass user authentication and extract data by inserting a tautology in the "WHERE " clause of a sql query. Result of the query transform the original condition into a tautology that causes all the rows in the database table are open to an unauthorized user. IJIRST 2017 Published by IJIRST 32

II. BACKGROUND INFORMATION Web based attacks can also be characterized based on the goal of the attacker. So, whatever attack type definitions that we provide here includes a list of one or more of the attack intents defined in this section. A. Identifying injectable parameters: The attacker wants to probe a web application to discover which parameters and user-input fields are vulnerable to sqli. B. Performing database finger-printing: The attacker wants to discover the type & the version of database that used by the web application. Few databases respond differently to different queries and attacks. By knowing the type and version of the database that used in a web application allows an attacker to craft database specific attacks. C. Determining database schema: To correctly extract data from a database the attacker often needs to know database schema information such as table names, column names and data types. D. Extracting data: These attacks employ techniques which will extract data values from the database. Depending on the type of the web application this information could be sensitive and highly desirable to the attacker. Attacks with this intent are the most common type of SQLIA. Adding or modifying data: The goal of these attacks is to add or change information in a database. E. Performing denial of service: These attacks are performed to shut down the database of a Web application, thus denying service to other users. Attacks involving locking or dropping database tables also fall under this category. F. Evading detection: This category refers to certain attack techniques that are employed to avoid auditing and detection by system protection mechanisms. G. Bypassing authentication: The goal of these types of attacks is to allow the attacker to bypass database and application authentication mechanisms. Bypassing such mechanisms could allow the attacker to assume the rights and privileges associated with another application user. H. Executing remote commands: These types of attacks attempt to execute arbitrary commands on the database. These commands can be stored procedures or functions available to database users. Performing privilege escalation: These attacks take advantage of implementation errors or logical flaws in the database in order to escalate the privileges of the attacker. As opposed to bypassing authentication attacks, these attacks focus on exploiting the database user privileges. III. METHODOLOGY First, A Tautology is a formula and it is true in every possible interpretation. The general goal of tautology-based injection is to inject code in one or more conditional statements so that they always evaluate to true. The most common usage are to bypass authentication pages and extract data. In this type of injection an attacker exploits an injectable field that is used in WHERE condition of a query. Transforming the conditional into a tautology causes all of the rows in the database table targeted by the query to be returned. In general, for a tautology-based attack to work an attacker must consider not only the injectable/vulnerable parameters but also the coding constructs that evaluate the query results. For Example: Bypassing login script. This query take input from the system user, let assume the user enters: Password : a' OR '1' = '1 Constructed query: SELECT name from users where username='a' OR '1' = '1' AND password='a' OR '1' = '1'; 33

Fig. 2: Tautology based injection Fig. 3: Tautology based injection The code injected in the conditional (OR 1=1) transforms the entire WHERE clause into a tautology. The database uses the conditional as the basis for evaluating each row and deciding which to return. Because the condition, the query evaluates to true for each row and returns all of them. This would cause this user to be authenticated as the user whose data is in the first row in the returned result set. Above mentioned query technique will return all possible records from database and user will authenticated with first record and attacker will gain access to first user data. If the first user is admin user then attacker can take advantage of all functionality of that database. If the first user is a normal user and having limited access then the attacker is limited to available functionality, attacker cannot enjoy the power of authentication bypass. Can we overcome from the described scenario regarding mentioned limited access problem? here is the solution is by using ORDER BY clause Example: Authentication bypass of any other user Now lets assume the user enters: Password : a' OR '1' = '1' ORDER BY 1 DESC/ASC-- Constructed query: SELECT name from users where username='a' OR '1' = '1' AND password='a' OR '1' = '1' ORDER BY 1-- ; The code injected in the condition (OR 1=1 ORDER BY 1) transforms the entire WHERE clause into a tautology as well as ORDER BY will sort the result by using first column. So there is a possibility of first column change. If so the attacker will be authenticated as another user. Attacker can gain access the number of users in total of column numbers and ASC or DESC combinations. This will work till some extent suppose the users table contains 3 columns, attacker can perform (3(Columns) X 2(ASC/DESC)) = 6 possible users. Fig. 4: Tautology based injection - ORDER BY 34

Is there any possibility of exploring more users? Yes we can use LIMIT in MySql, ROWNUM in Oracle, OFFSET ROWS FETCH NEXT ROWS in MS SQL Server. Example: Authentication bypass specify row number Fig. 5: Tautology based injection mysql DB - LIMIT MySQL Database Let assume user enters: Password : a' OR '1' = '1' LIME 0,1-- Constructed query: SELECT name from users where username='a' OR '1' = '1' AND password='a' OR '1' = '1' LIMIT 0,1--; The code injected in the condition (OR 1=1 LIMIT 0,1) transforms the query to select first row from table. LIMIT SIZE,OFFSET is the criteria. Attacker can change OFFSET to get that specific record from table. OFFSET 2 means 3rd record in table. Likewise we can iterate through all the records from table. This technique will work with MySQL Database. Oracle Database Let the user enters: Password : a' OR '1' = '1' AND ROWNUM = 1-- Constructed query: SELECT name from users where username='a' OR '1' = '1' AND password='a' OR '1' = '1' AND ROWNUM = 1--; The above constructed query will select first row from table. As attacker can be able to manipulate ROWNUM and can iterate through all records from table. MS SQL Server Database Let the user enters: Password : a' OR '1' = '1' ORDER BY ID OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY-- Constructed query: SELECT name from users where username='a' OR '1' = '1' AND password='a' OR '1' = '1' ORDER BY ID OFFSET 1 ROWS FETCH NEXT 1 ROWS ONLY--; The above constructed query will select first row from table. As attacker can be able to manipulate OFFSET position and can iterate through all records from table. This is how attacker can navigate through all records available in authentication table. IV. CONCLUSION In this paper, we have presented a unique and advanced techniques to performing the SQLIAs and taking the access of the vulnerable websites. To perform this advanced techniques, we first identified the various types of SQLIAs known to date. Then we evaluated the considered techniques in terms of their ability to the detection. We also studied still there are different mechanisms through which SQLIAs can be introduced into a vulnerable application and identified which techniques were able to handle which mechanisms. Our research found several general trends in the results. Many of the techniques have problems handling attacks that take advantage of poorly-coded stored procedures and cannot handle attacks that disguise themselves using alternate encodings. We also found a general distinction in prevention abilities based on the difference between prevention-focused and general detection and prevention techniques. Future evaluation work should focus on evaluating the techniques precision and effectiveness in practice. Empirical evaluations such as those presented in related work would allow for comparing the performance of the different techniques when they are subjected to real-world attacks and legitimate inputs. REFERENCES [1] C. Anley. Advanced SQL Injection In SQL Server Applications. White paper, Next Generation Security Software Ltd., 2002. 35

[2] C. Anley. (more) Advanced SQL Injection. White paper, Next Generation Security Software Ltd., 2002 I.S. Jacobs and C.P. Bean, Fine particles, thin films and exchange anisotropy, in Magnetism, vol. III, G.T. Rado and H. Suhl, Eds. New York: Academic, 1963, pp. 271-350. [3] Fu, X., Lu, X., Peltsverger, B., Chen, S., Qian, K., and Tao, L., A Static Analysis Framework for Detecting SQL Injection Vulnerabilities. Proc. 31st Annual International Computer Software and Applications Conference 2007 (COMPSAC 2007), 24-27 July (2007), pp. 87-96. [4] Thomas, S., Williams, L., and Xie, T., On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology, Volume 51 Issue 3, March 2009, pp. 589 598. [5] Junjin, M., An Approach for SQL Injection Vulnerability Detection. Sixth International Conference on Information Technology: New Generations 2009 (ITNG '09), 27-29 April, 2009, pp. 1411-1414. [6] Web Security Dojo, available at: http://www.mavensecurity.com/web_security_dojo/, last accessed 11 June, 2013. [7] C. A. Mackay. SQL Injection Attacks and Some Tips on How to Prevent Them. Technical report, The Code Project, January 2005. http://www.codeproject.com/cs/database/ SqlInjectionAttacks.asp. [8] T. M. D. Network. Request.servervariables collection. Technical report, Microsoft Corporation, 2005. http://msdn.microsoft.com/library/default. asp?url=/library/en-us/iissdk/html/ 9768ecfe-8280-4407-b9c0-844f75508752.asp [9] G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), pages 70 78, 2004. [10] F. Valeur, D. Mutz, and G. Vigna. A Learning-Based Approach to the Detection of SQL Attacks. In Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005 [11] W. G. Halfond and A. Orso. Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In Proceedings of the Third International ICSE Workshop on Dynamic Analysis (WODA 2005), pages 22 28, St. Louis, MO, USA, May 2005. 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback