CAPEC-66 - SQL Injection

This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended.

SQL Injection results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attackers' choice. SQL Injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 1
  • Injection
  • Purposes 2
  • Penetration
  • Exploitation
  • Sec Principles 3
  • Reluctance to Trust
  • Failing Securely
  • Defense in Depth
  • Scopes 4
  • Modify application data
  • Integrity
  • Read application data
  • Confidentiality
  • Execute unauthorized code or commands
  • Availability
  • Integrity
  • Confidentiality
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality

Low level: It is fairly simple for someone with basic SQL knowledge to perform SQL injection, in general. In certain instances, however, specific knowledge of the database employed may be required.

SQL queries used by the application to store, retrieve or modify data.

User-controllable input that is not properly validated by the application as part of SQL queries.

None

The attacker tries to inject characters that can cause a SQL error, such as single-quote (') or keywords such as "UNION" and "OR". If the injection of such characters into the input causes a SQL error and the resulting error is displayed unfiltered, the attacker can begin to determine the nature of input validation and structure of SQL queries. A typical error resulting from such injection would look like:

With available design documentation and code, the attacker can determine whether all user-controllable inputs are being validated or not, and also the structure of SQL queries that such inputs feed into.

Never Use Input as Part of a Directive to any Internal Component

Handle All Errors Safely

Step 1 - Survey application

The attacker first takes an inventory of the functionality exposed by the application..

Tecnique ID: 1 - Environment(s) env-Web

Spider web sites for all available links

Tecnique ID: 2 - Environment(s) env-ClientServer env-Peer2Peer env-CommProtocol

Sniff network communications with application using a utility such as WireShark.

Outcome ID: 1

Type: Success

At least one data input to application identified.

Outcome ID: 2

Type: Failure

No inputs to application identified. Note that just because no inputs are identified does not mean that the application will not accept any.



Step 1 - Determine user-controllable input susceptible to injection

Determine the user-controllable input susceptible to injection. For each user-controllable input that the attacker suspects is vulnerable to SQL injection, attempt to inject characters that have special meaning in SQL (such as a single quote character, a double quote character, two hyphens, a parenthesis, etc.). The goal is to create a SQL query with an invalid syntax..

Tecnique ID: 1 - Environment(s) env-Web

Use web browser to inject input through text fields or through HTTP GET parameters.

Tecnique ID: 2 - Environment(s) env-Web

Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab,etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, etc.

Tecnique ID: 3 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Use network-level packet injection tools such as netcat to inject input

Tecnique ID: 4 - Environment(s) env-ClientServer env-Peer2Peer env-CommProtocol

Use modified client (modified by reverse engineering) to inject input.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Negative

Attacker receives normal response from server.

Indicator ID: 2 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Positive

Attacker receives an error message from server indicating that there was a problem with the SQL query.

Indicator ID: 3 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Negative

Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException)


Security Control ID: 1

Type: Detective

Search for and alert on unexpected SQL keywords in application logs (e.g. SELECT, DROP, etc.).

Security Control ID: 2

Type: Preventative

Input validation of user-controlled data before including it in a SQL query

Security Control ID: 3

Type: Preventative

Use parameterized queries (e.g. PreparedStatement in Java, and Command.Parameters.Add() to set query parameters in .NET)


Outcome ID: 1

Type: Success

At least one user-controllable input susceptible to injection found.

Outcome ID: 2

Type: Failure

No user-controllable input susceptible to injection found.


Step 2 - Experiment and try to exploit SQL Injection vulnerability

After determining that a given input is vulnerable to SQL Injection, hypothesize what the underlying query looks like. Iteratively try to add logic to the query to extract information from the database, or to modify or delete information in the database..

Tecnique ID: 1 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Use public resources such as "SQL Injection Cheat Sheet" at http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/, and try different approaches for adding logic to SQL queries.

Tecnique ID: 2 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Add logic to query, and use detailed error messages from the server to debug the query. For example, if adding a single quote to a query causes an error message, try : "' OR 1=1; --", or something else that would syntactically complete a hypothesized query. Iteratively refine the query.

Tecnique ID: 3 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Use "Blind SQL Injection" techniques to extract information about the database schema.

Tecnique ID: 4 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

If a denial of service attack is the goal, try stacking queries. This does not work on all platforms (most notably, it does not work on Oracle or MySQL). Examples of inputs to try include: "'; DROP TABLE SYSOBJECTS; --" and "'); DROP TABLE SYSOBJECTS; --". These particular queries will likely not work because the SYSOBJECTS table is generally protected.

Indicator ID: 1 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Positive

Success outcome in previous step.

Indicator ID: 2 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Type: Negative

Failure outcome in previous step.


Outcome ID: 1

Type: Success

Attacker achieves goal of unauthorized system access, denial of service, etc.

Outcome ID: 2

Type: Failure

Attacker unable to exploit SQL Injection vulnerability.



Special characters in user-controllable input must be escaped before use by the application.

Only use parameterized stored procedures to query the database.

Input data must be revalidated in the parameterized stored procedures.

Custom error pages must be used to handle exceptions such that they do not reveal any information about the architecture of the application or the database.

Strong input validation - All user-controllable input must be validated and filtered for illegal characters as well as SQL content. Keywords such as UNION, SELECT or INSERT must be filtered in addition to characters such as a single-quote(') or SQL-comments (--) based on the context in which they appear.

Use of parameterized queries or stored procedures - Parameterization causes the input to be restricted to certain domains, such as strings or integers, and any input outside such domains is considered invalid and the query fails. Note that SQL Injection is possible even in the presence of stored procedures if the eventual query is constructed dynamically.

Use of custom error pages - Attackers can glean information about the nature of queries from descriptive error messages. Input validation must be coupled with customized error pages that inform about an error without disclosing information about the database or application.