Computer and Network Security
With advances in technology, there is increased need to secure computers in a network as well as websites from possible hackers. Various approaches are used to secure databases from malicious attacks depending on the type of file management in use. Structured Query Language based databases are more prone to malicious payload since they can be easily passed by attackers. Such file management approaches give a hacker unauthorized access to crucial information including intellectual property, customer data, and business secrets. In this regard, it is important to understand how SQL injection functions, the different categories of injection, and various interventions that can be used to safeguard computers and networks from malicious attacks. Accordingly, the essay discusses SQL injections with close reference to their working principles and measures that can be used to safeguard websites from such attacks.
History of the SQL Injection
More than 15 years ago, when the SQL Injection was first introduced to public limelight, software experts termed it as one of the biggest threats in the current information age. It was first used by a young computer hacker who manipulated the personal details of more than 150,000 bank customers. The vulnerability that he applied in the procedure was discovered three years before he was even born (Bayuk, 2013). He used the SQL Injection (SQLi) method of attack by typically entering software that was regarded as malicious into a website so that it could release juicy information automatically. Since then, the SQL Injection has been used by hackers to steal the personal details of members of staff of the World Health Organization, manipulate data in Wall Street Journal, and hit other critical sites, such as those of the United States federal agencies (Halfond, Viegas, & Orso, 2015). According to the sentiments of one of the hackers, “the SQL Injection is one of the easiest ways of hacking a website since the attack takes just a few hours” (Halfond, Viegas, & Orso, 2015). In the same fashion, its simplicity also makes it vulnerable because designing a protection mechanism is not as complicated as other forms of attacks. Its high effectiveness in siphoning corporate and government data makes it very easy to defend against (Halfond, Viegas, & Orso, 2015). Based on this argument, Bayuk (2013) wonders why it is still regarded as one of the biggest breaches in the current century.
The SQL Injection was first documented by an Information Technology professor called Forristal Jeff in Zine Phrack hacker Centre (Halfond, Viegas, & Orso, 2015). During that time, he was conducting a project at the Rain Forest, but he is currently the head of mobile security at the notable Blue box security (Halfond, Viegas, & Orso, 2015).
The Nature of SQL Injection
SQL is a technique that a hacker uses to exploit a web application by gaining unauthorized retrieval of information from, or access to, a target database (Halfond, Viegas, & Orso, 2015). He or she does not need any database authentication because of the ability to exploit the SQL injection from a remote location, thereby stealing sensitive information by just passing a string of malicious input to the target application.
Fig 1. Architecture of SQL injection. Source (Bayuk, 2013).
The SQL Injection or (Structured Query Language) is defined as a programming language that is used to oversee the management of databases. Essentially, it is used when a piece of information is recalled by a certain database, either to present it to the user or for processing purposes (Best Practices to Protect System from SQL Injection Attacks, 2017). On the other hand, Forristal discovered that issuing certain commands through typing would compel a server to show all the information that is hidden from it since it was possible for people to revert commands of SQL in nature. It is why Forristal wrote in a local magazine issue that there are various versions of the Microsoft SQL database. When his partner sought to notify Microsoft Company of the issue, they did not believe him and considered his proposals very lightly. Their response was that they should not try to stop it since it did not bear any negative effects. Over 15 years after its publication, the SQL Injection is regarded as the most harmful vulnerability according to the OWASP (Open Web Application Security Project) Top 10 report, which is released every 4 years (Halfond, Viegas, & Orso, 2015). It is a non-profit organization whose mandate is to monitor some of the threats faced by websites. Going by the high level of incidences out there, the SQL Injection is a major risk to cyberspace security. When an individual visits a homepage to make a certain request, it parses some portion of the data (in the request) to the server that sent it (Halfond, Viegas, & Orso, 2015). For instance, when a person reads a news article, the address bar that carries the news article contains “id=” so that it gives the news article number 1, followed by another one that contains the ID 2 (Halfond, Viegas, & Orso, 2015).
In contrast, using an SQL Injection attack ensures that the hacker does change the ID contained in the address bar so that it sends commands to the server and compels it to take actions that it did not plan to, for instance, returning back some private data (Best Practices to Protect System from SQL Injection Attacks, 2017).
How Hackers Use SQL Injection
There is a high likelihood that a single attack could just be able to return a single piece of personal data, and this is why an interested attacker is forced to make more than one command. They are required to undertake the necessary number of times that correspond with their target if they are to get as many pieces of information from the target database as possible. Logically, the act is time-consuming and this is why hackers came up with a tool that automates the entire repetition process instead. Some of them are Havij, majorly used by script experts since it has a graphical interface and applied in Windows only (Halfond, Viegas, & Orso, 2015). The other one is the Sqlmap, and it peruses the web pages in the same manner as the search engine. As such, it investigates the presence of input forms contained in the website and then submits them in forms that might cause a syntax error called MySQL (Halfond, Viegas, & Orso, 2015). When the attacker is interested in a target to manipulate, it makes the process of automation simpler.
There is a high probability that the hackers would make great use of Google to look for URLs that have a history of association with the scripts that show some vulnerability in the presence of a SQL Injection. They would practically develop a script that is compatible with all the URLs and later test them with automated means to check whether they are vulnerable. The entire process (using a Havij to conduct a SQL Injection) is very easy such that an amateur could manage it without much trouble (Halfond, Viegas, & Orso, 2015).
The underlying notion is that solutions to be used by website owners in the quest to prevent the SQL Injection attacks are present. The solutions have been around, and it is up to corporate entities to undertake measures that will stop the unnecessary leakage of the data and personal information of customers, including other corporate details. Prepared statements have many benefits, one of them being the fact that they set the semantics of a certain query such that any data that is sent by the developer. It includes a syntax error that changes the nature of a query whose intention is to retrieve a single row into one that extracts data from all the tables (Halfond, Viegas, & Orso, 2015). Another option is to apply a SQL library that sanitizes the input on their behalf (Halfond, Viegas, & Orso, 2015). In short, it scrubs any data that the user entered to reduce any potential parts that were regarded as malicious. As such, if SQL is so easy to the extent that an amateur could perform it, stakeholders wonder why there cannot be a lifelong solution to deal with it altogether.
Popularity of SQL Injection Attacks
People always wonder why there are still many SQL Injection attacks in spite of the many solutions that are present to combat the problem. It is widely expected that any competent computer programmer should have sufficient knowledge about SQL Injection, but the current contemporary world is short of such professionals. It makes companies hire any individual despite the fact that they lack the right experience or training to complete the mitigation of basic vulnerabilities. In addition, their supervisors always pressurize them to come up with functional software as opposed to secure software. Reveron (2014) from Yahoo echoed this argument by stating that small applications that have a narrow feature set require a rapid writing process that could make the developers bypass some of the mitigation elements that are attached to each attack in spite of showing a relatively straightforward implementation process.
One particular software developer was less forgiving since he did not agree with it because of the related pressure from the top management (Halfond, Viegas, & Orso, 2015). Instead, he expressed his opinion concerning the high number of tutorials that are availed online to web developers. Accordingly, instead of providing rational advice, such as providing details on how to come up with systems that are vulnerable to SQL Injection, they construct ones that have a high risk of the SQL Injection attacks. As such, the script experts continue to share their SQL Injection tutorials in various sites, such as YouTube, there is parallel information sharing on other websites, and one should not forget that though information about SQL Injection could be everywhere, not all of it is valid (Reveron, 2014). As such, the ultimate security of these sites, including the data contained in them, narrows down to the software engineers and web developers themselves. It insinuates that the SQL Injection and the associated breaches that are caused by it will remain for a little while longer (Bayuk, 2013).
Categories of SQL Injections
SQL injections make use of codes to hack data based applications by inserting malicious Structured Query Language into various entry sites for purposes of execution. The effectiveness of SQL injections depends on its degree of accuracy in exploiting security vulnerability of a file management application (Halfond, Viegas, & Orso, 2015). SQL injections convey various commands through an Internet-based application for implementation by the backend database. In this perspective, internet based applications must be sanitized in the correct format with an objective of reducing the SQL injection attacks. In most cases, the different types of this code based hacking approach are not executed in isolation but rather in a sequential manner depending on the goal of the hacker.
The primary intent of tautologies is recognizing injectable factors, bypassing authentication, and ultimately extracting information (Singer & Friedman, 2014). This type of attack injects code to various provisional statements with an objective of ensuring that in all cases they are evaluated as true. According to Halfond, Viegas, & Orso (2015), in this type of malicious attack, a hacker identifies an injectable parameter that is applied to the conditional statement to return all the information contained in the targeted database. In this light, for a tautology centered attack to achieve the intended objectives, the hacker must consider coding constructs as well as the vulnerable elements that assess the query outcomes.
This type of SQL injection attack aims at extracting information and executing file management applications fingerprinting processes. To successfully conduct this type of attack, the hacker must gather important data regarding the structure and the type of back end database of the targeted system. Halfond, Viegas, & Orso (2015) consider logical incorrect queries as a preliminary attack that aims at gathering data for subsequent malicious activities. This type of attack maximizes on the default error page that is designed to aid the programmers to debug a software. When the page is returned by the application servers, the attackers are in a position to gather information regarding the schema of the back-end file management system. The objective of the hacker when executing this type of task is to inject statements that lead to logical error, type conversion, or syntax into the data management application. According to Halfond, Viegas, & Orso (2015), syntax errors are applied when identifying parameters that can be injected while type errors generate information from targeted columns. In most cases, logical errors depict the names of the columns and tables that resulted in the slip.
This type of attack has the primary intention of bypassing authentication with an objective of extracting data. In this type of SQL injection, the attacker optimizes on a vulnerable element and uses it to adjust the information returned for a specific query. Halfond, Viegas, & Orso (2015) ascertain that the hacker tricks the vulnerable parameter to ensure that the application returns information from a table different from the one that was designed by the programmer (Singer & Friedman, 2014). In this regard, the attacker gains complete control of the injected query and ultimately uses it to extract data from a targeted table or column (Halfond, Viegas, & Orso, 2015). An instance of this attack is when a hacker first uses a logically incorrect query attack to gather information regarding a table’s structure then applies the query union to extract data from the columns or rows of the table.
Stored Procedures SQL Injection Attacks
The intent of this attack falls into three primary categories namely executing disk operating system activities, engaging in privilege escalation, and performing remote commands. The attacker aims at applying already stored procedures in the database with an intent of extending the functionality of the file management system and creating room for interaction with the operating system (Halfond, Viegas, & Orso, 2015). In this light, the hacker is better positioned to understand which type of backend file management system is in use and thus, execute malicious activities based on evidence. Identifying the specific type of backend in application aids the attacker to craft SQL injection attacks consistent with the specific database in use. Moreover, since recorded procedures are in most cases encoded in unique scripting languages, it is possible for them to contain other types of vulnerabilities including buffer overflows, which permit hackers to operationalize arbitrary code on the server (Halfond, Viegas, & Orso, 2015).
Practical Example of a SQL Injection
A particular customer contracted an Information Technology consultancy firm to investigate its intranet site, which was used by the customers and employees associated with the firm (Halfond, Viegas, & Orso, 2015). The procedure was a critical part of the routine security review and it was the first time the company was using SQL Injection to penetrate through their network. The whole initiative was a success and the idea was to recount the steps that were taken as a way of illustrating. This is because an SQL Injection features as a subset of the un-sanitized/unverified vulnerabilities that are linked to user input. If the application is naively creating strings on the fly before running them, it becomes imperative to come up with some real surprises (Best Practices to Protect System from SQL Injection Attacks, 2017).
Fig 1. Typical example of SQL injection. Source (Halfond, Viegas, & Orso, 2015).
The professionals who conducted the procedure concurred with the fact that it was a winding road that possessed multiple turns. The more experienced IT wizards will most likely develop better and different approaches. What is more, the fact that it was a success was enough evidence that the team was not entirely misguided. The following section is committed to a discussion of the SQL Injection procedure and the rationale for the process of exploitation and discovery.
The target intranet first appeared like a custom application such that the team did not have any prior knowledge (concerning the application) including how to access its source code. Consequently, it was classified as a “blind” attack (Best Practices to Protect System from SQL Injection Attacks, 2017). Further poking revealed that the server ran Microsoft’s IIS 6 and ASP.NET at the same time, suggesting that the database was Microsoft’s SQL Server. It is because of the belief that such techniques can only be run by any web application that is supported by an SQL server of any form (Bayuk, 2013). A look at the login page revealed the classical format of personal credentials, such as username and password, including a link for the email-me-my-password. In contrast, the latter did not surprise the team when it caused the downfall of the entire system. It is because when the email address was entered, the system expectedly searched for it in the database so that it could send an email to it (Singer & Friedman, 2014). Since it was not found, there was no inbox sent from the server. Consequently, in the first test that is conducted in any form related to SQL, it is critical to enter one quote as part of the dataset with the intention of figuring out whether there is the construction of an SQL string without having to sanitize (Reveron, 2014). In the stage of submitting the form that has the quote in the email address, there is the likelihood of the 500 error to insinuate the situation of server failure. It is a suggestion that the broken input is literally being passed (Halfond, Viegas, & Orso, 2015).
According to the speculations of the team, the SQL code closely resembles the following:
In the diagram, the email address that the user submitted is represented by &EMAIL and the larger query is the source of the quotation marks that established it as a literal string (Best Practices to Protect System from SQL Injection Attacks, 2017). The exact identities of the involved tables or the fields are not known, except for their nature (Bayuk, 2013). Upon entering the email address [email protected]` as the quotation mark for closing, the yield constructs a SQL as illustrated below (Halfond, Viegas, & Orso, 2015).
DESTINATIONfield= `[email protected]“
Upon execution, the extra quote mark is located with the SQL parser, which then aborts it with a syntax error (Halfond, Viegas, & Orso, 2015). The manner in which it manifests to the user is dependent on the internal error-recovery procedures of the application, but the case is always different when there is no known email address (Bayuk, 2013). The response of the error is a dead giveaway that suggests the user input is not experiencing a sufficient sanitization, as well as the fact that the application is ready to be exploited (Reveron, 2014). Since the data to be filled is in the WHERE clause, it becomes imperative to change the clause’s nature in the legal way of an SQL and observe what ensues next.
As a result of the fact that the application is merely constructing a string and not practically thinking about the query, the use of quotes has transformed the component, the WHERE clause, into a single component. As such, the X=X clause is deemed to hold no matter the nature of the first clause (Halfond, Viegas, & Orso, 2015). As opposed to the real query, which is obliged to return a single item with each frequency, this version is designed in such a way that it returns items in the database of the members. Consequently, trying it out is the only way of determining the capacities of the application. When it was performed, the outcome was the message “Your login information has been emailed to [email protected]” (Reveron, 2014).
The best guess that the team made was that it is the first record that is returned by the query because an entry was effectively taken randomly. It means that the person was able to get the password-link that he forgot through the email, and it probably emanated as a surprise, translating into a warning flag in another location. Though the team is able to manipulate their query to their own ends, they still are in the dark when it comes to its invisible parts. All in all, there have been three different responses to the various inputs, including the fact that the login credentials have been emailed to the inbox, the email address is not recognized, and lastly, there is a server error (Halfond, Viegas, & Orso, 2015).
Protecting Computers and Networks from SQL Injections
Various approaches can be used to mitigate the risks resulting from SQL injection attacks. The effectiveness of the adopted approach depends on the nature of the attack as well as the vulnerability of the database. The most common remedies of this type of attacks can either work independently or can be integrated depending on the type of attack ("Best Practices to Protect System from SQL Injection Attacks", 2017). Nevertheless, all the preventive measures rely on accurate sanitization and validation by the programmer.
Application of Prepared Statements
This protective approach serves to ensure that the developer of a file management system or any other web based platform correctly sets all SQL codes and then passes all elements to the query. In this regard, the programmer is in a position to use a coding approach that separates the data sets and the codes. This SQL injection attack countermeasure ensures that a hacker cannot alter the primary objective of a query in the case of all applicable commands ("Best Practices to Protect System from SQL Injection Attacks", 2017). Based on this, a programmer should design a secure coding procedure with minimal vulnerability to SQL injection attacks.
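The password-reminder lookup from the practical example and the prepared-statement fix described here can be compared side by side. The following is an added example, not code from the audited application or from the cited sources; it uses Python's sqlite3 module in place of the SQL Server backend, and the `members` table, its columns, the function names and the sample rows are all constructed assumptions.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory members table (sample data, not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (email TEXT PRIMARY KEY, passwd TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice@example.com", "pw1"), ("bob@example.com", "pw2")],
    )
    return db


def remind_vulnerable(db, email):
    """Concatenates user input into the SQL string, as the essay's form is assumed to do."""
    sql = "SELECT email FROM members WHERE email = '" + email + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        # A stray quote breaks the statement: the "server error" response.
        return "server error"
    if row is None:
        return "address not recognized"
    # With an always-true WHERE clause this is simply the first record in the table.
    return "emailed to " + row[0]


def remind_prepared(db, email):
    """Same lookup with a bound parameter: the input is only ever compared as data."""
    row = db.execute(
        "SELECT email FROM members WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return "address not recognized"
    return "emailed to " + row[0]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal address, a stray quote, and an X=X tautology.
    for value in ("alice@example.com", "nobody@example.com'", "x' OR 'x'='x"):
        print(repr(value), "|", remind_vulnerable(db, value), "|", remind_prepared(db, value))
```

With the bound parameter, the stray quote and the tautology both fall into the ordinary "address not recognized" path, so the three distinguishable responses no longer reveal anything about how the query is built.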
Attackers utilize the vulnerability of file management system and other application systems to execute malicious activities. In this light, implementing a patch management system in place of manual file management patches will go a long way in minimizing the risks of SQL attacks. Approaches such as hapless management free of vendor notifications can be adopted in an attempt of eradicating security patches ("Best Practices to Protect System from SQL Injection Attacks", 2017).
Fig 3. Database Patching. Source ("Best Practices to Protect System from SQL Injection Attacks", 2017).
Most organizations have local networks through which they share files in a safe and easier manner. The attacker often targets these networks to gain access to the databases. Through constant network monitoring, system administrators can be in a position to identify probable SQL injection attacks and thus devise measures geared to mitigate the malicious activities. With network monitoring, the admin of a local network is able to filter traffic and restrict illegal access to the file management system ("Best Practices to Protect System from SQL Injection Attacks", 2017). In addition to monitoring the network, enhanced authentication provides sufficient control and backup to the database, thus guaranteeing optimum security of the system. With high authentication application, organizations can restrict access to the file management system and integrate database logging and audit aptitudes. Approaches such as encrypting passwords and data can suffice in ensuring that interruptions from third parties are averted.
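One way the monitoring described above can surface probable injection attempts is to scan web request logs for the signals the practical example produced: a quote in a parameter followed by a server error, an always-true comparison, or a UNION query. This is an added example, not taken from the cited sources; the log format, endpoints, client addresses and detection patterns are constructed assumptions, and a quote on its own is deliberately not flagged because legitimate values such as surnames contain one.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines: client, request, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 "GET /remind?email=alice%40example.com" 200
10.0.0.9 "GET /remind?email=nobody%40example.com%27" 500
10.0.0.9 "GET /remind?email=x%27%20OR%20%27x%27%3D%27x" 200
10.0.0.9 "GET /news?id=2" 200
10.0.0.7 "GET /news?id=1%20UNION%20SELECT%20name%20FROM%20t" 200
10.0.0.5 "GET /search?q=o%27brien" 200
"""

LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+)" (\d{3})$')
# A quote followed by OR and a comparison of a token with itself (X=X).
TAUTOLOGY = re.compile(r"'\s*or\s+'?(\w+)'?\s*=\s*'?\1", re.I)
UNION = re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)


def classify(target, status):
    """Return the reasons a single request looks like an injection attempt."""
    reasons = []
    # parse_qsl percent-decodes each value, so patterns see what the database would.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if TAUTOLOGY.search(value):
            reasons.append(name + ":tautology")
        if UNION.search(value):
            reasons.append(name + ":union-select")
        if "'" in value and status >= 500:
            reasons.append(name + ":quote+5xx")
    return reasons


def scan(log_text):
    """Group findings by client so repeated probing from one source stands out."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        reasons = classify(target, status)
        if reasons:
            hits.setdefault(client, []).extend(reasons)
    return hits


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, reasons)
```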
In conclusion, with advances in technology, instances of network and database hacking are on the rise. SQL injections are the most common approaches used by attackers with objectives such as bypassing encryption and extracting data. There are myriad categories of SQL injection that an attacker can use and the effectiveness of the selected intervention depends on the intent of the attack and the vulnerability of the parameters of a system or a file management system. Owing to the risk posed by SQL injection attacks, there is need to safeguard computers and networks from potential hackers. This is achieved through various strategies including the application of prepared statements, database patching, and network monitoring.
This paper has fulfilled its overall goal of exploring the form and nature of SQL Injections while closely focusing on their working principles and measures that can be used to safeguard databases and websites from latent attacks. As such, the analysis identified that advancements in the field of Information Technology have necessitated the need to evolve with the changes in computer applications and functions because of the rise of subsequent and new threats. In other words, malicious software has taken new shape and hackers are taking advantage of the ease of their functionality to launch attacks into various databases, manipulate information, and steal personal details of individuals and corporate entities. The main focus of this analysis paper was on the functionality and nature of SQL Injection, defined as a programming language that is used to supervise the management of databases. Basically, it becomes useful when a piece of information is recalled by a certain software. According to a report by OWASP, it is the most harmful form of vulnerability in the list of the top 10 most destructive software that is used by hackers. One of the factors that inform its choice is its less complicated quality that makes it user-friendly. When introduced to a certain database, it manipulates the normal functioning of the site so that it (the database) gives back stored data through the same stream. Currently, hackers are using graphical interfaces, such as Havij, to automate the process so that the data are released in tables as opposed to individual units, which is time-consuming.
Bayuk, J. L. (2013). Cybersecurity policy guidebook. Hoboken, N.J: Wiley.
Best Practices to Protect System from SQL Injection Attacks. (2017). SSL Certificates by ClickSSL – Cheap Price, Best Quality & Support. Retrieved 2 April 2017, from https://www.clickssl.net/blog/best-practices-to-protect-system-from-sql-injection-attacks
Reveron, D. S. (2014). Cyberspace and national security: Threats, opportunities, and power in a virtual world. Washington, DC: Georgetown University Press.
Singer, P. W., & Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know.
Halfond, W. G., Viegas, J., & Orso, A. (2015). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13-15). IEEE.