Professional Documents
Culture Documents
Members:
Title:-
Apply SQL (Structured Query Language) Injection to demonstrate that user
should never click random links to avoid any attacks.
Problem Statement:-
To developed two separate web pages for implementing XSS and SQL
injections attacks.
Theory :-
What is SQL Injection
SQL injection, also known as SQLI, is a common attack vector
that uses malicious SQL code for back end database manipulation to access
information that was not intended to be displayed. This information may
include any number of items, including sensitive company data, user lists or
private customer details.
SQL injection is a code injection technique, used to attack data-driven
applications, in which nefarious SQL statements are inserted into an entry
field for execution (e.g. to dump the database contents to the attacker). SQL
injection must exploit a security vulnerability in an application's software, for
example, when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is not strongly typed
and unexpectedly executed. SQL injection is mostly known as an attack
vector for websites but can be used to attack any type of SQL database.
The impact SQL injection can have on a business is far reaching. A
successful attack may result in the unauthorized viewing of user lists, the
deletion of entire tables and, in certain cases, the attacker gaining
administrative rights to a database, all of which are highly detrimental to a
business.
SQL injection attacks allow attackers to spoof identity, tamper with
existing data, cause repudiation issues such as voiding transactions or
changing balances, allow the complete disclosure of all data on the system,
destroy the data or make it otherwise unavailable, and become administrators
of the database server.
Risk factors
Platform that can be affected from SQL injections
SQL language
Any platform that supports SQL.
Main Consequences
Confidentiality
Authorization
Integrity
Authenticity
How to Prevent an SQL Injection
The only sure way to prevent SQL Injection attacks is input
validation and parameterized queries including prepared statements. The
application code should never use the input directly. The developer must
sanitize all input, not only web form inputs such as login forms.
They must remove potential malicious code elements such as
single quotes. It is also a good idea to turn off the visibility of database errors
on your production sites. Database errors can be used with SQL Injection to
gain information about your database.
If you discover an SQL Injection vulnerability, for example using
an Acunetix scan, you may be unable to fix it immediately. For example, the
vulnerability may be in open source code. In such cases, you can use a web
application firewall to sanitize your input temporarily.
To learn how to prevent SQL Injection attacks in the PHP
language, see: Preventing SQL Injection Vulnerabilities in PHP Applications
and Fixing Them. To find out how to do it in many other different
programming languages, refer to the Bobby Tables guide to preventing SQL
Injection.
a) Error-based SQLi
Error-based SQLi is an in-band SQL Injection technique that relies on error
messages thrown by the database server to obtain information about the structure of the
database. In some cases, error-based SQL injection alone is enough for an attacker to
enumerate an entire database. While errors are very useful during the development phase
of a web application, they should be disabled on a live site, or logged to a file with
restricted access instead.
b) Union-based SQLi
Union-based SQLi is an in-band SQL injection technique that leverages the
UNION SQL operator to combine the results of two or more SELECT statements into a
single result which is then returned as part of the HTTP response.
3) Out-of-band SQLi
Out-of-band SQL Injection is not very common, mostly because it
depends on features being enabled on the database server being used by the
web application. Out-of-band SQL Injection occurs when an attacker is
unable to use the same channel to launch the attack and gather results.
Out-of-band techniques, offer an attacker an alternative to inferential
time-based techniques, especially if the server responses are not very stable
(making an inferential time-based attack unreliable).
Out-of-band SQLi techniques would rely on the database server’s
ability to make DNS or HTTP requests to deliver data to an attacker. Such is
the case with Microsoft SQL Server’s xp_dirtree command, which can be
used to make DNS requests to a server an attacker controls; as well as Oracle
Database’s UTL_HTTP package, which can be used to send HTTP requests
from SQL and PL/SQL to a server an attacker controls.
Conclusion :-
We have developed two separate web pages for implementing XSS and SQL
injections attacks.
In first webpage we have implemented a normal form for user information. In
this insecure web page we implemented PHP program that successfully
implements SQL and XSS attacks. With this page one can implement the
attacks by putting queries in forms. By this we can access whole database
information.
In opposite to that in secure webpage no one can implement SQL injections
and XSS attacks as attacks have been disabled. There is also external attack
that can be performed if user clicks on reload link given. This is to
demonstrate that user should never click random links to avoid any attacks.