SQL Injection Attacks and Defense

 

1. What Is SQL Injection?

  Let's look at an example first.

 

  Suppose the application contains a statement like the one below.

  ---------------------------------------------------------------

  String query = "SELECT * FROM table WHERE field = '" +

   request.getParameter("input") + "'";

  ---------------------------------------------------------------

  If the request URL looks like this

  ---------------------------------------------------------------

  http://localhost:8080/test.jsp?input= 1' or '1'='1

  ---------------------------------------------------------------

  The resulting query will always return every record in the table, instead of filtering out

  the records that do not match the condition.

  This example shows what SQL injection is and how it occurs.

 

  This is a very simple example; in the real world, SQL injection can do much more.

  For example, an attacker can read the operating system's password file or execute arbitrary commands through SQL injection.

 

2. How Can We Find SQL Injections?

  Before we apply any protective measures, we have to find out whether there are any vulnerabilities

  in our system.

  First, the easiest way is to input a special character such as a single quote. If the system returns an error message,

    the system must have some flaw.

  Second, if there is no error message, we can try it this way.

    a. Query with the SQL "select * from table where field = 100" and note that it returns 10 records ("100" comes from the client side).

    b. Then send a value that turns the query into "select * from table where field = 50 + 50" ("50 + 50" comes from the client side).

       If we still get 10 records, the database evaluated our arithmetic, and I would have to say "Congratulations!".

 

  If we have the source code, it is much easier to find a vulnerability.

  For example, we can search for the keyword "createStatement".

 

  Once you know how to add two numbers, you can apply that knowledge to every scenario involving addition.

  SQL injection is the same.

  You need to understand the hows and whys, and the rest is simply a matter of practice.

 

3. Defenses

  Defending against SQL injection is not very difficult; we have the measures below.

  Most of the time, the root cause of SQL injection is building SQL queries as strings that are then sent to the database for execution.

    1). Use parameterized statements

        For example, we can use PreparedStatement in Java.

    2). Validate the input from the client

        Whitelist (whitelist validation is the practice of only accepting input that is known to be good).

        Blacklist (blacklisting is the practice of only rejecting input that is known to be bad;

                   it means the input is rejected if it contains any character in the blacklist).

    3). Encoding

        For example, escape single quotes by doubling them:

        -------------------------------------------

        sql = sql.replaceAll("'",  "''");

        -------------------------------------------

    4). If we can use an abstraction layer such as Hibernate, it can reduce the risk of SQL injection.

    For a legacy system, we may do something like the following (no need to change the source code, only add some layers):

    1). Add a filter

    2). Apply Aspect-Oriented Programming
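  The following is an added example, not code from this post. It reproduces the post's two string-building queries (the quoted one from section 1 and the numeric one from section 2), runs section 2's "50 + 50" self-check against them, and shows that a parameterized statement (section 3, item 1; PreparedStatement in Java) is immune to both. Python's sqlite3 is used only because it runs without a database server; the table and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the post's "table"; two rows match field = 100.
ROWS = [(100, "alice"), (100, "bob"), (200, "carol")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (field INTEGER, name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    return conn


def concat_string_query(conn, user_input):
    # Section 1: the value is spliced into a quoted literal, so a quote in the input
    # closes the literal and the rest of the input is parsed as SQL.
    sql = "SELECT * FROM t WHERE field = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def concat_numeric_query(conn, user_input):
    # Section 2: the value is spliced into a numeric comparison with no quotes at all.
    sql = "SELECT * FROM t WHERE field = " + user_input
    return conn.execute(sql).fetchall()


def param_query(conn, user_input):
    # Section 3, item 1: a parameterized statement. The SQL text is fixed and the value
    # travels separately, so it is only ever compared as data, never parsed as SQL.
    return conn.execute("SELECT * FROM t WHERE field = ?", (user_input,)).fetchall()


def arithmetic_probe(query, conn):
    # Section 2's second test as a self-check: if "50 + 50" returns exactly the same rows
    # as "100", the database evaluated our arithmetic, i.e. input reaches the SQL parser.
    return query(conn, "50 + 50") == query(conn, "100")


if __name__ == "__main__":
    conn = make_db()
    print(len(concat_string_query(conn, "1' or '1'='1")))  # 3: every row, as in section 1
    print(len(param_query(conn, "1' or '1'='1")))          # 0: treated as a literal value
    print(arithmetic_probe(concat_numeric_query, conn))     # True: injectable
    print(arithmetic_probe(param_query, conn))              # False: arithmetic not evaluated
```

  With the parameterized query, "100" still matches the two rows (SQLite converts the bound text to the column's numeric type), so the probe's False result comes from the arithmetic not being evaluated, not from the query silently matching nothing.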

 
