Survey of SQL Injection Attacks


SURVEY OF SQL INJECTION ATTACKS
Contents
Introduction
Background Examples
Related work and SQLIA observations
Implementation of the MVC architecture to an organization
Using stored procedures instead of implementation of direct queries
Protection of SQL injection
Implementation decision
SQL SIGNATURE FILTERING
Conclusion
REFERENCES

Introduction:
With the development of global web services, organizations are becoming more and more sophisticated
in how they use their websites. Today a website has become a very basic need for our community. But
with the widespread use of the internet, some malicious users have started to act in ways that
damage organizations' websites; these users are known as cybercriminals or website attackers.
SQL injection attacks.

In this attack, the malicious user inserts unauthorized statements into the input fields of a
program. SQL injection interferes with the queries the system sends to the database. It allows the
malicious user to manipulate data stored in the database management system, and the attacker may
access data that should not be retrievable (Saxena et al. 2019). Injection can also take the form of
NoSQL injection, in which malicious statements and code are inserted into the components
responsible for handling big data, such as MapReduce. Once the SQL injection or NoSQL injection has
been launched, the attacker faces no impediment or restriction in accessing the targeted database.
This may result in manipulation of data to suit the attacker's purpose, denial of service to users,
holding the data for ransom, or theft or destruction of data, leaving the organization unfit for
business. A study of the impact of SQL injection describes the attacker gaining unauthorized access
to the organization's data by stealing passwords and confidential information.

An ideal way for an organization to protect itself from SQL attacks is to sanitize its inputs. In
addition, developers must disable the visibility of database errors. Database errors can be used
with SQL injection to obtain information about the database (Beta, 2018).

An attacker can compromise the entire system without being noticed. He creates a backdoor to
access the system whenever it suits him, carrying out malicious activity against the data for a long
time without being noticed (Boyd et al. 2020, June). For example, an attacker may decide to use a
blind SQL injection. When the application queries the database, the query results are not returned
in the application's responses.

The SQL injection attack (SQLIA) is one of the most significant threats to the security of online
applications, and SQL injections are one of the most dangerous types of vulnerabilities. SQLIA is
easy to learn and exploit, so attackers can easily use this attack method. Also, many traditional and
important security systems that have different layers of security, such as firewalls, encryption,
virus detection systems, antivirus programs, and anti-malware programs, cannot detect such an
attack. SQLIA techniques are becoming more common, more ambitious, easier to learn and implement,
and increasingly advanced, so an effective and practical solution to this problem is needed in the
cybersecurity community. SQL is a textual relational database language. There are many dialects of
SQL, but the differences between them are small. SQL functions are divided into two categories:

SQL injection is a method by which the parameters of a web-based application are modified to change
the SQL statements passed to the database in the background. An attacker can insert a series of SQL
statements into a query by manipulating the data input, for example by adding a single quote (') to
the parameters. A second query can be executed using the first [1]. Programmers often combine
SQL commands with user-supplied parameters, so an attacker can embed SQL commands within these
parameters. This is known as dynamic SQL. It should be noted that dynamic SQL must be used in the
application, otherwise SQL injection is not possible. SQL injection is described as a "code hole" as
dangerous as any hole in IIS [2] [3]. An attack on the database using SQL injection can have three
main objectives:

1) Steal data from the database that should not normally be available.

2) Obtain system configuration data that allows an attack profile to be built. An example of this is
obtaining all of a database's password hashes so that the passwords can be brute-forced.

3) Access the host computers of an organization through the device that hosts the database. This
can be done using packet routines and 3GL extensions that allow access to the O/S [4].

Background Examples:
SQLIA occurs when an attacker causes a web application to create SQL queries that are functionally
different from what the UI programmer intended. For example, consider an application that deals
with the details of authors. A typical SQL statement looks like this: specify the ID, first, and last
name of the authors; This statement will retrieve the columns "aman", "contacts" and "phone
numbers" from the table "writters" and will return all the rows from the table. There are many
tools that help find the basic injection points for SQL injection, and many websites are penetrated
this way.

Related work and SQLIA observations:


There are four main classes of SQLIA against databases:

1) SQL manipulation: Manipulation is the process of modifying SQL statements using different
operations such as UNION. Another way to implement SQL injection using the SQL manipulation method
is to change the WHERE clause of the SQL statement to get different results.

2) Code injection: Code injection is the process of inserting new SQL statements or database
commands into a vulnerable SQL statement. A code injection attack consists of adding a SQL Server
EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple
SQL statements are supported per database request.

3) Function call injection: Function call injection is the process of inserting calls to various
database functions into a vulnerable SQL statement. These function calls can make calls to the
operating system or manipulate data in the database.

4) Buffer overflows: Buffer overflows occur when using function call injection. For most commercial
and open-source databases, fixes are available. This type of attack is possible when the server is
not patched.

Implementation of the MVC architecture to an organization:


Applications built on an MVC architecture offer a natural form of protection for data by detecting
code in the input fields of an application form (Beta, 2018). If the mechanism is database-enabled,
then the malicious user will have no way of exploiting the system.

Using stored procedures instead of implementation of direct queries:

Stored procedures ensure that parameters are used. The procedures follow a set of Dart routing
techniques that make them difficult for users to access and modify. This is the only method of
ensuring that the security of data in the database is heightened.

It is fundamentally important to understand SQL injection because there exist various forms of
attack with various intentions, such as piggy-backed queries, stored procedures, and union queries,
among others. Web applications should sanitize their inputs to make it hard for attackers to insert
code directly into the parameters that are finally linked to the SQL executions. It is important to
note that web applications risk attack when the application fails to properly sanitize its inputs,
which lets the attacker alter the construction of a back-end SQL statement. A web application that
fails to sanitize its inputs runs a high risk of losing data, which is essentially catastrophic to
an organization.

Organizations largely depend on their capital and human resource capacity to attain their
organizational objectives. This type of hack begins on your website. It can be executed directly on a
web application, such as the login module. Other areas where SQL injection can be executed include
the search box, the URL box and any form fields on your web application. Wherever SQL injection is
executed, the target is your database server. A hacker will begin by analysing these soft targets to
identify any weaknesses. This can be done using selected SQL injection statements. After identifying
the weaknesses, the hacker can create malicious SQL statements and send them to your underlying
database server. The output received can be sensitive data or authentication credentials. Nowadays,
even hacking has become automated. There is a multitude of tools that hackers use to penetrate
database servers using SQL injection, such as sqlmap. This type of hacking tool only requires that
you provide a website URL. Having done that, it will perform an SQL injection attack for you.

Protection of SQL injection:


A parameterized query is one where the parameters are replaced with placeholders. The values of the
parameters are then delivered at the point of execution. Parameterized queries are available in
numerous programming languages, such as JavaScript, C# (MVC), and Dart.
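
The difference between dynamic SQL and a parameterized query, together with hiding database errors from the user, shown as an added example that is not part of the original document. It uses Python's built-in sqlite3 module; the authors table, its columns and the input values are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (table and columns are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authors (id INTEGER PRIMARY KEY, surname TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO authors (surname, phone) VALUES (?, ?)",
        [("Adams", "555-0101"), ("Baker", "555-0102"), ("O'Neil", "555-0103")],
    )
    return db

def find_dynamic(db, surname):
    """Dynamic SQL: the input becomes part of the statement text (vulnerable)."""
    sql = "SELECT id, surname FROM authors WHERE surname = '" + surname + "'"
    return db.execute(sql).fetchall()

def find_parameterized(db, surname):
    """Placeholder in the statement; the value is delivered at execution time."""
    sql = "SELECT id, surname FROM authors WHERE surname = ?"
    return db.execute(sql, (surname,)).fetchall()

def lookup(db, finder, surname):
    """Run a finder; on a database error show a generic message, never the engine's text."""
    try:
        return finder(db, surname)
    except sqlite3.Error:
        return "lookup failed"  # the detail belongs in a server-side log only

if __name__ == "__main__":
    db = make_db()
    for value in ("Baker", "x' OR '1'='1", "O'Neil"):  # constructed inputs
        print(repr(value))
        print("  dynamic:      ", lookup(db, find_dynamic, value))
        print("  parameterized:", lookup(db, find_parameterized, value))
```

With the dynamic version, a quote in the input either rewrites the WHERE clause or breaks the statement, even for a legitimate surname; with the placeholder the same input is only ever compared as data.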

Implementation decision:
The current document aims to eliminate the possibility of SQL injection using a proxy server, which
will be placed between the two communication devices. This will allow you to filter out possible SQL
injection attempts. The information flow diagram shows the flow of information between a TDS
proxy server within this project domain and other entities and abstractions with which it
communicates. A diagram helps to discover the scope of the system and to define the limits of the
system. The system under investigation (TDS Proxy) is represented as a single process that interacts
with various data flow entities and resources through an interface.

SQL SIGNATURE FILTERING


The ideal solution is to create a filter that checks all possible instances of SQL injection. The
problem with this is that it is not possible to define a list of all possible injection sequences
[10]. This is what was suggested [24] in their article on "Avoid SQL injection of signatures".
However, going back to the principle of least privilege, a whitelist makes it possible to define
what is allowed and thus reject invalid signatures. The filter application should be as close to the
database as possible. Ideally, it should sit on the same backbone as the database; however, this
could have a performance impact due to the proxy server's filtering process. If the filtering and
database enforcement are on different devices, there is a security risk as network traffic travels
from one device to another. With filtering on the same device as the database, there are several
benefits:

• There is additional security as network traffic is limited.

• Processing time is reduced because network latency has no additional effect on round trip time.

Filtering provides a last resort to defend your database. There are some advantages to using SQL
signature filtering as a precaution against SQL injection:

• Real-time analysis does not affect the database [10].

• Any failure to configure the database privileges or application encryption will not affect the
security of the database.

However, there are several disadvantages:

• False positives can also be filtered [3].
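
One way to implement the whitelist filtering described in this section, as an added example that is not code from the original document or from any product it cites. It assumes the proxy has already extracted the statement text from the wire protocol; the table, the registered statements and the sample traffic are constructed.

```python
import re

_STRING = re.compile(r"'(?:[^']|'')*'")      # quoted literal, '' is an escaped quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # numeric literal
_SPACE = re.compile(r"\s+")

def signature(sql):
    """Reduce a statement to its shape: literals become ?, case and spacing are normalised."""
    shape = _NUMBER.sub("?", _STRING.sub("?", sql))
    shape = _SPACE.sub(" ", shape).strip().rstrip(";").strip()
    return shape.upper()

# Whitelist: the only statement shapes this (hypothetical) application ever sends.
KNOWN_STATEMENTS = (
    "SELECT id, surname FROM authors WHERE surname = 'x'",
    "UPDATE authors SET phone = 'x' WHERE id = 1",
)
ALLOWED = frozenset(signature(s) for s in KNOWN_STATEMENTS)

def filter_statement(sql, allowed=ALLOWED):
    """Return True to forward the statement to the database, False to block it."""
    return signature(sql) in allowed

# Constructed traffic as a proxy might see it after extracting the statement text.
SAMPLE_TRAFFIC = (
    "select id, surname from authors where surname = 'Baker';",
    "SELECT id, surname FROM authors WHERE surname = 'O''Neil'",
    "UPDATE authors SET phone = '555-0199' WHERE id = 2",
    "SELECT id, surname FROM authors WHERE surname = 'x' OR '1'='1'",
    "SELECT id, surname FROM authors WHERE surname = 'x' UNION SELECT id, phone FROM authors",
    "SELECT id, surname FROM authors WHERE id = 3",  # legitimate but unregistered
)

def review(traffic=SAMPLE_TRAFFIC):
    """Pair each statement with the filter's decision."""
    return [("FORWARD" if filter_statement(s) else "BLOCK", s) for s in traffic]

if __name__ == "__main__":
    for decision, statement in review():
        print(f"{decision:8} {statement}")
```

The last sample statement is blocked although it is harmless, which is the false-positive cost listed above: every legitimate statement shape has to be registered before the filter is switched to blocking.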

Conclusion:
There are many vulnerable applications whose code will not be reviewed or corrected, and it is
known that programmers will continue to produce weak applications. According to [10], there are no
commercial solutions for SQL injection. However, several software packages were later found that
purport to address SQLIA. Auditing all source code and protecting dynamic input is not trivial. Nor
is reducing the permissions of all users of the application in the database. Checking the log files
and relying on the principle of least privilege is not enough. Passive SQL injection detection is
not as useful as real-time blocking. Using a packet sniffer does not block SQL injection, since
malicious SQL query statements cannot be removed from packets. This document introduces SQL and SQL
injection, explains background research, discusses methods to protect against SQL injection, and
introduces software that is on the market today. Given that there is a limited set of words in the
SQL vocabulary, it seems possible to develop a filter to prevent SQL injection.

REFERENCES:

[1] Anley, C. (2002) Advanced SQL Injection in SQL Server Applications. White Paper, Next
Generation Security Software Ltd.
[2] Overstreet, R. (2004) Protecting Yourself from SQL Injection Attacks.
http://www.4guysfromrolla.com/webtech/061902-1.shtml.
[3] Imperva Inc. (2004) SQL Injection-Glossary.
http://www.imperva.com/application_defense_center/glossary/sql_injection.html
[4] Finnigan, P. (2002) SQL Injection and Oracle. Part One.
http://www.securityfocus.com/infocus/1644
[5] Huang, Y., Huang, S., Lin, T. and Tsai, C. (2003) Web Application Security Assessment by
Fault Injection and Behavior Monitoring. http://doi.acm.org/10.1145/775152.775174
[6] Microsoft (2003) Secure Multi-Tier Deployment.
http://www.microsoft.com/technet/prodtechnol/SQL/2000/maintain/sp3sec03.mspx
[7] Hotchkies, C. (2004) Blind SQL Injection Automation Techniques.
http://www.blackhat.com/html/bh-media-archives/bh-archives-2004.html#USA-2004
[8] Microsoft (2003) Checklist: Security Best Practices.
http://www.microsoft.com/technet/prodtechnol/SQL/2000/mainain/sp3sec04.mspx
[9] Beyond Security Ltd. (2002) SQL Injection Walkthrough.
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
[10] Finnigan, P. (2003) Detecting SQL Injection in Oracle. http://securityfocus.com/infocus/1714
