
Injection attacks - Southern Tech Web · PDF fileSQL injection attacks are the number one attack types. ... Mitigation is key to lessening the success of an SQL injection attack. Title:


INJECTION ATTACKS

By Gerald Pine


WHAT IS AN INJECTION ATTACK?

An injection attack is used to attack data-driven applications.

Instead of data, a malicious SQL statement is inserted into the entry field for execution.

The SQL injection must target a security vulnerability in the application's software.

SQL injection attacks are the number one type of attack.


HOW DOES AN INJECTION ATTACK WORK?

Instead of inserting data into an entry field, the attacker inserts code that can do a variety of different things.

The code can pull up a record of users or even delete the whole table of users.

It can be used to retrieve names, credit card numbers with expiration dates, or anything else in the customer database.

Retail web sites are attacked twice as often as regular web applications.


TYPES OF INJECTION ATTACKS!

Classic SQLi: The data entry field is not properly filtered for escape characters, or has incorrect type handling, allowing the attacker's code to run.

Blind or inference SQL injection: Just like classic SQLi, except the attacker cannot see the results of the injection. Very time consuming, but it can be automated.

Conditional response: A type of blind injection. The attacker injects code and gets information back one piece at a time.


TYPES OF INJECTION ATTACK!

Compound SQLi: SQL injection attacks combined with DDoS, DNS hijacking, or other forms of attack.

Second-order SQL injection: Submitted values are saved rather than executed immediately. Much harder to prevent; however, the attacker would need more knowledge of how the submitted values are later used. Automated scanners would not easily detect this type of SQL injection.


WAYS TO MITIGATE SQL INJECTION!

Parameterized statements: Only values can be entered, so no SQL code can be injected.

Enforcement at the coding level: Using object-relational mapping instead of hand-written SQL avoids the need to write SQL code. The library generates parameterized SQL statements.

Escaping: Creates a comprehensive blacklist of characters that aren't authorized.


WAYS TO MITIGATE SQL INJECTION!

Pattern check: Certain parameters can be checked to see whether their value is valid.

Database permissions: Limiting the permissions of the database logon used by the web application to only what is needed may reduce the effectiveness of any SQL injection.


INJECTION ATTACKS CONCLUSION

Injection attacks can be used to obtain any information stored in a database.

There are different types of attacks. Mitigation is key to lessening the success of an SQL injection attack.