SQL injection

SQL Injection

By Winston L.

The database is a brilliant invention in this age of technology. According to the Database page on Wikipedia, the database has existed for 45 years since it was first proposed by Edgar Codd in 1970; however, not until computer hardware became powerful enough to handle large-scale data processing were the database concept and database management systems (DBMS) widely implemented. After the birth of the Internet, the demand for a decent application to manage large databases increased even further, partly because people found that databases can be used for everything, from business to scientific research. Nowadays there are many major DBMSs, such as IBM DB2, MS SQL, MySQL, and Oracle. All of them are based on the standardized SQL language, and that makes them vulnerable to one simple but very dangerous attack on the database: SQL injection. In this blog, the SQL injection attack technique, its impact, its victims, and prevention solutions will be discussed.


Database Breach

Database Breaches: Target

As technology grows at an ever faster rate, people scramble to keep up with the changes. New systems are released; new patches, new servers, and more and more new technologies such as the cloud are being developed. Computer infrastructures such as Google’s databases or Sony’s PlayStation Network are a challenge to maintain, which is very hard on a large scale and expensive to keep up to date. With the quickly changing environment of technology, it is only becoming more difficult to stay up to date as time progresses into a future of new, unknown technological advances.


Dozens of College Servers Breached by SQL Injection

Not only are the design and performance of databases an important aspect of the way databases work, but so is the security of a database. There are many types of attacks that can be carried out against a database, and the most common is the SQL injection. In a news article from CNET, hackers were able to collect thousands of personal data records of students from college databases worldwide through the use of SQL injections. More than fifty universities were affected, and some of the top-name colleges include Harvard, Princeton, and Stanford. To make matters worse, some 140,000 records were posted online for all to download. The information includes usernames and passwords, addresses, phone numbers, and some payroll information regarding both students and faculty. The mastermind behind this data dump is apparently a group called GhostShell, whose intent was not to reveal personal data but to “focus on higher education.” However, the group not only found personal data, but also discovered that malware was already injected in the first place, showing the security risks many of these database servers have.


Augmented Attack Tree Modeling of SQL Injection Attacks

For this week’s blog assignment, I read an article titled “Augmented Attack Tree Modeling of SQL Injection Attacks”. The authors state that SQLIAs (SQL Injection Attacks) are the most frequently used and damaging attack methods according to the OWASP 2010 report. Even though conventional attack trees are widely used, they lack sufficient information for analysis of SQLIAs, and therefore the authors propose augmented attack tree modeling to “link regular expressions capturing generic signatures to different types of SQLIAs”. The authors outline seven types of SQLIAs, which are tautologies, illegal/logically incorrect queries, UNION query, piggy-backed queries, stored procedures, inference, and alternate encodings. Also, the authors state that any one of the attack types can achieve the following ten kinds of attack goals: identify injectable parameters, identify database fingerprints, determine database schema, extract data, add or modify data, perform DoS, evade detection, bypass authentication, execute remote commands, and escalate privilege. In order to categorize the attack types, the authors utilize regular expressions to define specific signatures. For instance, there are three key parts for the tautology query attacks to work. Therefore, a regular expression to catch OR, a true condition, and a comment mark in the injected code is defined as a signature for tautology query attacks. The authors lay out specific regular expressions for five out of the seven attack types discussed in the article. This approach, according to the authors, captures attack types as well as the states of an attack that conventional attack trees are only capable of displaying. The augmented attack tree modeling can be applied to evaluate and to study all the possible threats.


Tips to Reject the SQL Inject

Gery Menegaz’s article (2012), “SQL Injection Attack: What Is It, and How to Prevent It,” is an informative response to Yahoo!’s recent SQL injection attack. The article warns that websites are frequently attacked because many websites have SQL injection vulnerabilities and their databases hold sensitive information and “critical application information (Menegaz).” The author also advises that SQL injection is well documented, yet many websites still leave their databases exposed even though attacks can be very simple to prevent. Menegaz also includes in the article code that anyone can use to find forums and websites that show how to attack vulnerable websites and databases. The article’s author recommends the “SQL Injection Prevention Cheat Sheet” on The Open Web Application Security Project (OWASP) website to combat SQL injection. OWASP’s cheat sheet consists of primary techniques, which are: use of parameterized queries, use of stored procedures, and escaping all user-supplied input. Additional (secondary) defenses include minimizing privileges for every database account (least privilege) and whitelist input validation. In this article Menegaz summarizes OWASP’s SQL Injection Cheat Sheet. Details on the specific techniques can be found at the URL https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet.


How to Reduce Damage from SQL Injection

The article I read this week is “How to Prevent a SQL Injection Attack” by Tsveti Markova. Since many of us mentioned SQL injection in our posts this week and last, I decided to look for ways to prevent or reduce the damage from a SQL injection attack. I chose this article because most of the other articles were code-based and hard to understand. Since we have just started to learn SQL queries, I wanted to look for more basic prevention principles that apply to any programming language without requiring high-level coding skills.


Removing Vulnerabilities in SQL Code

The article I chose for this week is titled “Using Automated Fix Generation to Secure SQL Statements”. The main purpose of the article is to propose a certain method of securing code from SQL injection attacks. The article starts by stating that since 2002, more than half of all cyber attacks were done by exploiting input validation vulnerabilities. SQL injection attacks accounted for 20% of all of those attacks. For those who don’t know, an SQL injection attack is when a hacker inputs his or her own SQL statement in order to gain access to certain information. The author’s proposed method of helping to prevent this kind of attack in Java code is to use prepared statements rather than just plain-text SQL statements. His reasoning for this is that prepared statements limit the input that could affect the statement. The author tested this by using prepared statements in five mock Java programs which contained vulnerabilities. Their conclusion was that the vulnerabilities were removed in each program.

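An added example (not code from either article or post) showing why the prepared statements recommended in this post, and the parameterized queries in the OWASP cheat-sheet summary above, remove the tautology bypass: the same login check is written once by pasting input into the SQL text and once with bound parameters, against a constructed in-memory SQLite table. The table, the user, and the password are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed tautology input: inside a quoted string it turns
#   ... AND pw = ''  into  ... AND pw = '' OR '1'='1'
TAUTOLOGY = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: one user with a known password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT NOT NULL, pw TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return con


def login_concat(con: sqlite3.Connection, user: str, pw: str) -> bool:
    """Vulnerable form: user input is spliced into the SQL text, so quotes in
    the input change the structure of the WHERE clause."""
    query = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return con.execute(query).fetchone() is not None


def login_param(con: sqlite3.Connection, user: str, pw: str) -> bool:
    """Prepared-statement form: the SQL text is fixed; the driver binds the
    values separately, so the input can only ever be compared as data."""
    query = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return con.execute(query, (user, pw)).fetchone() is not None


def demo() -> dict:
    """Run both forms with the real password, a wrong one, and the tautology."""
    con = make_db()
    return {
        "concat_good": login_concat(con, "alice", "correct horse"),
        "concat_bad": login_concat(con, "alice", "wrong"),
        "concat_tautology": login_concat(con, "alice", TAUTOLOGY),  # bypass
        "param_good": login_param(con, "alice", "correct horse"),
        "param_bad": login_param(con, "alice", "wrong"),
        "param_tautology": login_param(con, "alice", TAUTOLOGY),    # rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'logged in' if ok else 'rejected'}")
```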

SQL Injection Remains a Constant Threat

The article that I picked this week is named “Black Hat is Over, But SQL Injection Attacks Persist” by Victor Cruz. The article starts off by talking about an attack that happened earlier this year to Yahoo that resulted in a breach and leak of 400,000 usernames and passwords from Yahoo. It says that SQL attacks have also affected companies such as Sony and LinkedIn recently, so this is obviously still a large threat to companies. The author gives an example of SQL injection, saying that “hackers visit a website and fill out a text field with a SQL statement such as 1+1=2, which the log-in field interprets as true, allowing it to pass as legitimate credentials (Cruz, 2012).” This causes the server to release confidential information accidentally because it has been tricked into thinking that a valid user has logged into the system. The article goes on to state that “Privacy Rights Clearinghouse reported that 312 million data records have been lost since 2005 and 83% of hacking-related data breaches were executed via SQL injection attacks (Cruz, 2012).” The article goes on to talk about how they are developing more reliable software to look for SQL injections and distinguish them from safe input. The tool in question is called “libinjection” and is able to sort through heaps of data by converting input into tokens and checking those resulting tokens for anything that may be being sent to try and attack the server. The article finishes by saying that “SQL Injection attacks are automated and website owners may be blissfully unaware that their data could actively be at risk (Cruz, 2012).”


DDoS and SQL Injections

The article I chose for this week is titled “Hackers Trade Tips On DDoS, SQL Injection” by Mathew J. Schwartz. The main focus of the article is the activity of certain underground hacker forums. The data security firm Imperva monitored 18 forums and released a report saying that the two hottest topics were DDoS attacks and SQL injection attacks. A distributed denial of service attack involves flooding a network with fake packets in order to make it inaccessible. The other attack, SQL injection, involves a hacker sending their own commands into a database. If it doesn’t have the right security, the hacker can easily use commands to access the information stored in the database. Imperva also announced that SQL injection attacks are the most used type of attack against websites. This announcement was backed by the fact that many security experts believe that SQL injection attacks are what caused the breach in South Carolina state databases in which thousands of credit card and social security numbers were taken.


Use Same Account Name and Password on Every Service?

The article I read this week is “One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now.” by MG Siegler. The title of this article caught my attention immediately. The author raised the issue that people use the same ID and password on most of the services they sign up for. In December 2009, RockYou’s (the social network app maker) database was attacked. Hackers got a full list of around 32 million accounts’ unprotected plain-text passwords in their hands. Hackers used the SQL injection method to attack the RockYou database; it is one of the popular methods for attacking databases. The hackers even posted a sample of what they found.
