SQL Injection: the Longest Running Sequel in Programming History

SQL Injection: the Longest Running Sequel in Programming History

Journal of Digital Forensics, Security and Law Volume 12 Number 2 Article 10 6-30-2017 SQL Injection: The Longest Running Sequel in Programming History Matthew Horner Norwich University, [email protected] Thomas Hyslip Norwich University, [email protected] Follow this and additional works at: https://commons.erau.edu/jdfsl Part of the Computer Law Commons, and the Information Security Commons Recommended Citation Horner, Matthew and Hyslip, Thomas (2017) "SQL Injection: The Longest Running Sequel in Programming History," Journal of Digital Forensics, Security and Law: Vol. 12 : No. 2 , Article 10. DOI: https://doi.org/10.15394/jdfsl.2017.1475 Available at: https://commons.erau.edu/jdfsl/vol12/iss2/10 This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. SQL Injection: The Longest Running Sequel in … JDFSL V12N2 SQL INJECTION: THE LONGEST RUNNING SEQUEL IN PROGRAMMING HISTORY Matthew Horner Norwich University Northfield, VT [email protected] Thomas Hyslip Norwich University Northfield, VT [email protected] ABSTRACT One of the risks to a company operating a public-facing website with a Structure Query Language (SQL) database is an attacker exploiting the SQL injection vulnerability. An attacker can cause an SQL database to perform actions that the developer did not intend like revealing, modifying, or deleting sensitive data. This can cause a loss of confidentiality, integrity, and availability of information in a company’s database, and it can lead to severe costs of up to $196,000 per successful injection attack (NTT Group, 2014). This paper discusses the history of the SQL injection vulnerability, focusing on: • How an attacker can exploit the SQL injection vulnerability • When the SQL injection attack first appeared • How the attack has changed over the years • Current techniques to defend adequately against the attack The SQL injection vulnerability has been known for over seventeen (17) years, and the countermeasures are relatively simple compared to countermeasures for other threats like malware and viruses. The focus on security-minded programming can help prevent a successful SQL injection attack and avoid loss of competitive edge, regulatory fines and loss of reputation among an organization’s customers. Keywords: SQL, SQL Injection, Cybercrime, Intrusion, Database INTRODUCTION The Internet brings humans closer together organizations take on many risks because of than ever before, and in order to take the increased attack surface, but there are advantage of the increased connectivity to ways to mitigate those risks to an acceptable customers, many organizations maintain a link level with administrative, physical, and to the Internet. However, with that link, technical controls. Ultimately, it is the business © 2017 ADFSL Page 97 JDFSL V12N2 SQL Injection: The Longest Running Sequel in … leader’s or authorizing officials’ responsibility behind the SQL injection attack is to take to decide whether the benefits outweigh the advantage of a poorly-coded website to potential negative effects of implementing a transmit commands directly to a database, technology, but information security gain access to that database, and then perform professionals can add more confidence behind the desired operation like copying, modifying, that decision by having a thorough or deleting data (McDonald, 2002). To conduct understanding of the threats and the attack, a malicious user types SQL coding vulnerabilities to information systems (NIST, language into data entry fields on websites. 2010). A sample injection attack from the One of the risks from a web server OWASP is shown below to briefly describe one connected to the Internet is an attacker case of how an attacker can manipulate SQL exploiting an SQL injection vulnerability on an coding. Colors are used to highlight where organization’s website. In fact, the Open Web discussed concepts appear in the coding Application Security Project (OWASP) language. In this example, a website consistently lists injection as the top website application uses typed data from an untrusted vulnerability while stating that it is external user to construct the following “EXTREMELY simple” to prevent (OWASP, vulnerable SQL request for information: 2013, 2016). A vulnerability that is simple to String query= "SELECT*FROM accounts fix yet continues to plague website designers WHERE custID='" + begs the question, “Why haven’t website request.getParameter("id") + "'"; programmers eliminated this vulnerability entirely?” A discussion of the history of the The attacker can modify the ‘id’ parameter SQL injection vulnerability may shed light on value in the browser field to send ' or '1'='1; how the vulnerability reached its current state this could be done by typing a website address and may offer clues as to why it refuses to go like: away. This paper discusses the history of SQL http://example.com/app/accountView?id=' or injection vulnerability, focusing on: '1'='1 • How an attacker can exploit the SQL In this case, the entry changes the meaning injection vulnerability of the query to return all the records from the • When the SQL injection attack first accounts table which can lead to unauthorized appeared disclosure of confidential or private information • How the attack has changed over the (OWASP, 2013). years Additionally, instead of performing the • Current techniques to defend injection process manually, attackers have adequately against the attack designed computer programs to complete the HOW AN ATTACKER process automatically. Examples of these CAN EXPLOIT THE programs include BSQL Hacker, SQLmap, SQLninja, and others (Shankdhar, 2015). To SQL INJECTION use these programs, the attacker inputs a VULNERABILITY website address; the program then searches for variations in the website address and returns In order to understand the history of the SQL the data associated with those different injection attack, it may help to understand addresses (Cox, 2015). If an organization stores how the attack works. In general, the principle Page 98 © 2017 ADFSL SQL Injection: The Longest Running Sequel in … JDFSL V12N2 a file of social security numbers in the same of commands in normal user inputs like “name” database as news articles, for example, these or “phone number” (rain.forest.puppy, 1998). tools could return the social security number The author of the issue with the pseudonym file even though that file was never meant to “rain.forest.puppy” is Jeff Forristal, a well- be available to the public. respected security expert (Forristal, 2016). These programs enable someone with a Even though it was first documented in very low skill level to conduct these attacks, so 1998, SQL injection did not appear to garner the number of possible threats is very high. much attention in the information security Essentially, anyone with a computer, an community until 2002. The reason for the Internet connection, and intent could conduct sudden interest in a four-year-old vulnerability an SQL injection attack and retrieve private or may have been due to the timing of national sensitive information (OWASP, 2016). events and the appearance of devastating Attackers could also insert, modify, and delete viruses and worms. For example, the US had data in an organization’s database using this recently been attacked by terrorists using vulnerability (OWASP, 2016). In some cases, hijacked planes on September 11, 2001. Shortly attackers can perform actions normally thereafter, the nation’s academics, military restricted to administrators like shutting down personnel, and politicians focused on increasing the database management system (OWASP, physical security and cybersecurity (Poeter, 2016). 2011). The new attention to cybersecurity may have prompted a critical examination of In addition to the relative simplicity of the vulnerabilities that could weaken the US attack, widespread SQL injection government or infrastructure, and SQL vulnerabilities and the perceived value of data injection may have been highlighted as a in SQL databases help make SQL injection particularly risky weakness to websites attacks common. According the 2016 NTT connected to database systems. Group Global Threat Intelligence Report, injection attacks composed about a quarter of In addition to the terrorist attack on the all attacks on website applications in 2015 U.S. homeland, several viruses and worms had (NTT Group, 2016). Additionally, per the spread across the Internet causing various NTT Group’s 2014 report, each successful SQL amounts of damage prior to 2002. injection attack can cost organizations up to • In March 1999, the Melissa macro virus $196,000 (NTT Group, 2014). infected PCs with Microsoft Word and WHEN THE SQL Outlook, and it was estimated to cost INJECTION ATTACK millions of dollars in lost productivity (Lewis, 1999). FIRST APPEARED • The ILoveYou virus followed in May The SQL injection vulnerability has been 2000, showcasing the power of social known for seventeen (17) years, but it engineering by infecting about 45 continues to plague security professionals to million Windows PCs using an enticing this day. The vulnerability was first attachment (Ward, 2010). • documented by “rain.forest.puppy” in the The Anna Kournikova virus began December 1998 issue of Phrack magazine spreading across computers

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    13 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us