Wednesday, September 26, 2012

SQL Injection

What is SQL injection?
A SQL injection attack is an attack that arrives through user input which has not been checked for validity. The objective is to trick the database into running malicious code that reveals sensitive information.


Two types of SQL injection attacks -
First order attack - The attacker harms the DB immediately, by passing a malicious query to the DB through the web application.
Example 1 -
User id ->   hi' or 1=1;--
Password ->  hello' or 1=1;--
This logs the user in without a valid password.
Example 2 - Suppose the web application displays some data in three columns, filtered by some criteria. If the attacker types the string below into the criteria field, the application shows the name, type and id of every row of the sysobjects table along with the application data.
' UNION SELECT name, type, id FROM sysobjects;--
Now the attacker can type the string below; it shows the columns and their lengths for the table with the given id.
' UNION SELECT name, '', length FROM syscolumns WHERE id = 1845581613;--
Now the attacker has enough information to destroy your DB. Passing the string below as the criteria returns the admin user details.
' UNION SELECT UserName, Password, IsAdmin FROM Users;--

Second order attack - In this type of attack, the attacker stores malicious queries in our database; they execute whenever we fetch that data from the database and use it in another query.
The attacker saves the malicious query into the database through any data submission form, like this:
INSERT Favourites (UserID, FriendlyName, Criteria) VALUES(123, 'My Attack', ''';DELETE Employee;--')
When the website later picks up the criteria, like
SELECT Criteria FROM Favourites WHERE UserID= 123
the query becomes
SELECT '';DELETE Employee;--FROM Favourites WHERE UserID= 123

How to protect against SQL injection attacks

1. Data encryption - Fields like the password can be stored in encrypted form, so the given password is matched against the stored encrypted password in the DB after decryption.
2. Least DB privileges - With full privileges an attacker can obtain information about the database as well as the server's hard drives (using xp_cmdshell). That can be harmful to both the DB and the hard drives.
3. Least privileges for the SQL process account - When SQL Server is installed on a system, it creates a service that processes the application's requests to the DB. This service uses the Local System account, which is even more powerful than the administrator account.
An attacker who gains access to SQL Server (using xp_cmdshell) can then gain unrestricted access to the system as well.
At installation time, give the service only the privileges it requires.
4. Validating inputs - Validate user input before passing it on for processing. You can use regexes to match patterns, e.g. ensure that a date input is a date and a numeric input is numeric.
5. Using stored procedures - If you interact with the database entirely through stored procedures, no user needs permissions on any table. This prevents unauthorised queries from running against the tables.
6. Re-validate input data in procedures - Validate the input parameters of a stored procedure before processing them. This protects the DB from unauthorized execution of stored procedures.
7. Hide exception details - Never show internal exception details (like ex.Message) to the user.
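As an added example (not code from the original post), the login check from Example 1 in its vulnerable string-concatenated form beside a parameterized form, plus the numeric-pattern check from point 4, using Python's sqlite3 in place of SQL Server; the Users table, its row and the helper names are constructed assumptions for this demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the post's Users table (sample data only).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserName TEXT, Password TEXT, IsAdmin INTEGER)")
    db.execute("INSERT INTO Users VALUES ('alice', 's3cret', 1)")
    return db


def login_concatenated(db, user, password):
    """Vulnerable form: the input is spliced into the SQL text, so a quote in the
    input changes the structure of the query (first order attack, Example 1)."""
    sql = ("SELECT UserName FROM Users WHERE UserName = '" + user
           + "' AND Password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, user, password):
    """Hardened form: placeholders keep the input as data, never as SQL,
    so the same payload matches no row."""
    sql = "SELECT UserName FROM Users WHERE UserName = ? AND Password = ?"
    return [row[0] for row in db.execute(sql, (user, password))]


# Point 4: a field that must be a numeric id is accepted only if it is all digits.
_NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def is_valid_object_id(value):
    return _NUMERIC_ID.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    user_payload, pass_payload = "hi' or 1=1;--", "hello' or 1=1;--"
    print(login_concatenated(db, user_payload, pass_payload))   # ['alice']
    print(login_parameterized(db, user_payload, pass_payload))  # []
    print(is_valid_object_id("1845581613"), is_valid_object_id("1845581613;--"))
```

The same placeholder rule applies when the stored Criteria from the second order example is read back and used in a later query.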
