Detecting and Preventing SQL Injections {2}

by Kathy S
In this article journal the authors discuss how web applications are often vulnerable for attackers to easily access the application’s underlying database. They define an SQL injection as a type of attack which the attacker adds Structured Query Language code to a web form input box to gain access or make changes to data. In the article, the authors/researchers propose different tools to detect and prevent this vulnerability. The main consequences of these vulnerabilities are attacks on authorization, authentication, confidentiality, and integrity.  One of the proposed techniques to prevent SQLIAs (SQL Injection Attacks) is called WAVES, which is a black-box technique for testing web applications for SQL injection vulnerabilities. The tool identifies all points a web application can be used to inject SQLIAs. It builds attacks that target these points and monitors the application’s response to the attacks by utilizing machine learning. Other tools that help prevent SQLIAs are:  JDBC-Checker, CANDID, and SAFELI, AMNESIA, SQL Guard and SQL check, and WebSSARI. The author’s go into much detail explaining what each tool does to prevent SQLIAs and how they work. They test these tools and explain their results at the end of the article. If interested, I’d recommend reading the whole article to find more information. read more...

Augmented Attack Tree Modeling of SQL Injection Attacks {Comments Off on Augmented Attack Tree Modeling of SQL Injection Attacks}

by Jungh K
For this week’s blog assignment, I read an article, titled “Augmented Attack Tree Modeling of SQL Injection Attacks”.  The authors state that SQLIAs (SQL Injection Attacks) are the most frequently used and damaging attack methods according to the OWASP 2010 report.  Even though conventional attack trees are widely used, they lack in sufficient information for analysis of SQLIAs and therefore the authors propose augmented attack tree modeling to “link regular expressions capturing generic signatures to different types of SQLIAs”.  The authors outline seven types of SQLIAs, which are tautologies, illegal/logically incorrect queries, UNION query, piggy-backed queries, stored procedures, and inference and alternate encodings.  Also, the authors state that any one of the attack types can achieve the following ten kinds of attack goals:  identify injectable parameters, identify database finger-prints, determine database schema, extract data, add or modify data, perform DoS, evade detection, bypass authentication, execute remote commands, and escalate privilege.  In order to categorize the attack types, the authors utilize regular expressions to define specific signatures.  For instance, there are three key parts for the tautology query attacks to work.  Therefore, a regular expression to catch OR, true condition, and comment mark in the injected code is defined as a signature for tautology query attacks.  The authors lay out specific regular expressions for five out of the seven attack types discussed in the article.  This approach, according to the authors, captures attack types as well as the states of an attack that the convention attack trees are only capable of displaying.  The augmented attack tree modeling can be applied to evaluate and to study all the possible threats. read more...