15 - SQL Injection Flashcards
What is SQL Injection?
A technique used to take advantage of un-sanitized input to pass SQL commands through a web app for execution by a backend database. It is used to either gain unauthorized access or retrieve info directly from a DB.
What kind of attacks can SQL injection be used to implement?
- Authentication Bypass: An attacker logs into the app without providing valid creds and gains admin privileges.
- Information Disclosure: An attacker obtains sensitive info that is stored in the database.
- Compromised Data Integrity: Attacker uses this attack to deface/insert data on a web page or alter contents of a database.
- Compromised Availability of Data: Attackers use this to delete the database info or logs or audit info in a database.
- Remote Code Execution: Assists an attacker in compromising the host OS.
What type of databases are susceptible to SQL-Injection attacks?
Relational databases.
What is an HTTP Post request?
The POST request carries the requested data as a part of the message body. The string that is submitted to the web server is visible in the body of the HTTP or HTTPS POST request.
What is a SQL query?
A SQL command that is constructed to interact with a backend SQL database.
How does a SQL injection query exploit the normal execution of SQL?
The attacker exploits the application's failure to filter the request, so the injected input becomes part of the SQL statement that is executed.
What are the main types of SQL Injection?
- In-Band SQL Injection: Where an attacker uses the same communication channel to perform the attack and retrieve the results.
- Blind/Inferential SQL Injection: When there aren't SQL error messages to work with, an attacker sends queries and uses the boolean results to infer the structure of the DB and its data. One step further, when no data is returned through the app at all, the attacker sends queries "blindly".
- Out-of-Band SQL Injection: When an attacker uses a different communication channel to perform the attack and obtain the result.
What are the types of In-Band SQL Injection?
- Error-Based SQL Injection: Attackers intentionally throw bad data into the app in order to receive database errors.
- System Stored Procedure: DB’s stored procedures are exploited.
- Illegal/Logically Incorrect Query: Attackers throw bad queries into database in order to receive database errors.
- Union SQL Injection: Attackers use a UNION clause in order to join a forged query to original query.
- Tautology: Attackers inject statements that are always true so they always return results upon evaluation of a WHERE condition. ('1'='1')
- End of Line Comment: After injecting code into a particular field, the legitimate remainder of the query is nullified by an end-of-line comment. ("--")
- Inline Comment: Attackers integrate multiple vulnerable inputs into a single query using inline comments.
- Piggybacked Query: Attackers inject additional malicious query to the original query.
What is a Time-based SQL injection?
A way for attackers to check whether a True/False statement is True by observing how long the response takes. This gets around a generic error message response so attackers can still extract data.
What is Boolean Exploitation?
Where an attacker sends multiple True/False statements (including one they already know to be true or false) and compares the results to determine whether their expression was True or False.
What is a Heavy Query?
A query that retrieves a huge amount of data and, in turn, takes a long time to execute because it uses multiple joins. This is a type of Time-based attack.
What are the steps of the SQL Injection Methodology?
- Information Gathering and SQL Injection Vulnerability Detection
- Launch SQL Injection Attacks
- Advanced SQL Injection
What type of steps are taken in the SQL Injection Info Gathering stage?
Check if the web app connects to a DB server; list all input fields, hidden fields, and POST requests. Attempt to inject code to generate errors and evaluate the data in the error messages. Use a string in a number field and vice versa; use a UNION operator to combine the result-set of two or more SELECT statements.
What type of information is extracted through error messages?
They reveal the OS, DB system, DB type and version, privilege version, OS interaction level, etc.
What are some ways to generate some errors?
- Parameter tampering
- Injections
- Grouping Error
- Try to insert string into numeric fields
- Blind Injection
- Determine DB Engine Type
- Determining a SELECT Query Structure
What are some methods to detect SQL injection?
- Function Testing: Where a software or system is tested against a set of inputs according to the end user's needs. Requires no knowledge of the inner design of the code or logic.
- Fuzz Testing: Inputting large amounts of random data and observing the changes in the output.
- Static/Dynamic Testing: Analysis of the web app's code.
What is Black Box Testing?
Where the attacker does not need to have any knowledge about the network or the system to be tested.
What are the steps involved in Black Box pen testing?
- Detecting SQL Injection Issues: Send single or double quotes to detect if input is not sanitized.
- Detecting Input Sanitization: Use right square bracket “]” to catch where user input is used as part of an SQL identifier.
- Detecting Truncation Issues: Send long strings of data to detect buffer overruns.
- Detecting SQL Modification: Send long strings of right square brackets, double quotes, or single quotes.
What are the types of Source Code analysis?
- Static Code Analysis: Analyzing source code without executing it.
- Dynamic Code Analysis: Code analysis at runtime.
What are the steps for performing union SQL Injection?
Extract the database name, extract the database tables, extract the table column names, then extract the first field's data.
What is a Second-Order SQL Injection?
Where the attacker submits a SQL query to the backend database via an HTTP request and it is stored as data. A later request then reads that stored data and uses it within a query, where it is executed.
How can a firewall be bypassed with SQL injection?
- Normalization Method: The attacker changes the structure of the SQL query to perform the attack.
- HPP and HPF Techniques: HTTP Parameter Pollution (HPP) and HTTP Parameter Fragmentation (HPF) are used to inject delimiting characters in query strings.
- Blind SQL Injection: Technique used to replace WAF signatures with their synonyms by using SQL functions.
- Signature Bypass: Attackers transform the signature of SQL queries to bypass the firewalls.