Skip to main content

SQL injection: Basics - Tip for Developers Part 1/


 

In many forums, and articles available on the internet you always find some articles about what called "dorks" which is a method used by attackers to identify the sql injection possibility on your sql app.

Tip for Developers , after the setup of the Anti-DDOS procedures you should secure your code by some basics stuff if you see that something can be possible from the given example.

Often using sql operate to a database system:
Back-up procedures and the use of secure hardware are as important as comprehensive protection measures against external access, "So-called SQL injections", on the other hand, represent a great danger especially for classic relational database models and the information implemented there.

What is an SQL injection?
The term SQL injection refers to the exploitation of a security flaw in relational database systems that refer to the SQL language.
The attacker uses data entered by the user on the database interface which is not sufficiently masked and which contains meta characters.
These signs occupy specific functions for the SQL interpreter and allow to influence externally executed commands.
Often, SQL injection occurs with PHP and ASP programs that rely on older interfaces.The data then does not always have the necessary masks and is therefore a perfect target for an attack.

By targeted use of function characters, an unauthorized user can infiltrate SQL commands and manipulate input in such a way as to change, delete or read data.In the most serious cases, it is possible that the attacker succeeds in this way to access to the instruction lines of the command execution systems and thus to the entire database server.

Example of the Access through insufficiently masked user input :

In order to access a database, a user must first authenticate as everyone knows , some scripts that are available on the internet, for example, a login form with username and password.
The user fills out the form and the script checks if a matching entry exists in the database.
Typically, databases are presented in the form of a table with the columns "user" as well as "username" and "password".
To import the web application, the script lines (NickName Code) for accessing the web server can be as follows :

uname = request.POST['username'] passwd = request.POST['password']  sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"  database.execute(sql)

An attacker now has the possibility to manipulate the field relating to the password that's an example of an SQL injection, entering for example password' OR 1='1, which leads to the following SQL query:

sql = "SELECT id FROM users WHERE username='' AND password='password' OR 1='1'

By doing so, the attacker can access all the user tables of the database, the password still being valid (1='1').
If he logs in as an administrator, he can make all the changes edit/write/read.
Otherwise, the "username" field can also be manipulated in this way.

How to protect your databases from SQL injection?

You can implement measures to prevent an SQL injection attack on your database system.

It is necessary to focus on all the components involved, such as the server, on each of the applications but also on the database management systems.

Step 1: Supervise the automatic completion of applications

Test and filter the methods and parameters used by connected applications when entering into the database.
The data delivered should always agree with the expected data type.
If a numeric parameter is required, you can check it with a PHP script using the is_numeric() function. As far as filters are concerned, the corresponding special characters are ignored.
Another important step is to make sure that applications do not emit external error messages that indicate information about the system used or the structures of the database.

In the meantime, other practices have become widespread, such as the so-called Prepared Statements which can be used with many database management systems.
These statements were originally used to run frequent queries, but due to their structure, they also reduce the risk of SQL injection.
As parameterized statements transfer the actual SQL command of the parameters separately from the database.
Only the database management system itself connects the two and thus automatically hides important special characters.

Step 2: ensure complete server protection

The security of the server on which your database management system runs naturally plays a key role in preventing SQL injections.
Strengthen your operating system according to the established scheme:

Install or enable only applications and services that are relevant to running the database.
Delete all user accounts that are not needed.
Ensure that all relevant system updates and programs are installed.

The more your Web project requires significant security measures, the more you will have to consider the upstream use of intrusion detection systems (IDS) or intrusion prevention systems (IPS).
It works with different reconnaissance systems to identify attacks on the server in advance, issue warnings and in the case of "IPS" to automatically trigger the corresponding countermeasures.
An Application Layer Gateway (ALG) process can also be a sensible protective measure, monitoring data traffic between applications and the web browser directly at the application level.

Step 3: Strengthen databases / use secure codes

Just like your OS, SQL databases should be cleaned of unnecessary items and updated regularly.
you have to eliminate all stored procedures that you do not need and deactivate all unnecessary services and user accounts.
Install a specific account for your database, which will be provided simply to access it from the Web, and which will be provided with very restricted access rights.
Save all sensitive data in encrypted form, such as your passwords, in your database.
That was a simple basic demonstration of the scripts available on the internet such as SQLmap, or other illegal tools , as the SQLmap remain a forensic Tool for the PenTesters.

Disclaimer **** DO NOT TEST this example randomly , your log remain on the server's log , the owner / business owner can identify your request easily when it comes to security threats , this was for educational purpose only so developers can take it seriously while coding using the old SQL methods.
For PenTester depending on the area , they should get a certification or agremeent where the owner authorize the Pen Testing to the Tester otherwise it's an illegal action that can lead you to bad consequences and being charged as an attacker.

Thank you for your attention.

White Hat Alliance.

Source : Join us on Reddit : https://www.reddit.com/r/White_Hat_Alliance/comments/1273ukz/sql_injection_basics_tip_for_developers_13/

Comments

Post a Comment

Popular posts from this blog

Navigating the CCNA 2024 Update.

  Greetings fellow network enthusiasts and aspiring IT professionals! As the technology landscape continues to evolve, so does the CCNA certification, the industry-standard credential for networking professionals. With an anticipated update in late 2024, it's time to gear up and prepare for the changes that lie ahead. Understanding the Driving Forces: The CCNA 2024 update reflects the ever-changing nature of networking technologies and industry standards. Cisco, recognizing this dynamic environment, is incorporating key trends and advancements into the exam to ensure that certified professionals possess the skills and knowledge required for success in today's complex networking environments. Anticipated Exam Changes: While the official exam blueprint is yet to be released, Cisco has provided some insights into the anticipated changes. Here's a sneak peek into what you can expect: Cloud and Cybersecurity Focus: The updated exam will place a greater em
Post a Comment
Read more

Q/A Cryptocurrencies - is it Legal , or Not ?

The Law Article codes on this date vary from one country to another, in Morocco it is not legal to carry out transactions according to the following regulations of 2017. According to Wikipedia  :  On November 20, 2017, Morocco's foreign exchange office declares that transactions carried out via virtual currencies constitute a violation of foreign exchange regulations, subject to sanctions and fines. The Library of Congress (LOC) conducts periodic reviews of countries' stances on Bitcoin and cryptocurrencies,  In November 2021 identified 103 countries whose governments directed their financial regulatory agencies to develop regulations and priorities for financial institutions regarding cryptocurrencies and their use in AML & CFT. The L.O.C also identified many countries that allow cryptocurrencies to be used. Several other countries allow Bitcoin to be used in transactions and have developed forms of regulation. Some examples are: - USA - United Kingdom - Israel - Australia
Post a Comment
Read more