SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database.
SQL injection attacks are simple in nature: an attacker passes string input to an application in the hope of manipulating the SQL statement to his or her advantage. The complexity of the attack lies in exploiting a SQL statement that may be unknown to the attacker. Open-source applications and commercial applications delivered with source code are more exposed, since an attacker can find potentially vulnerable statements prior to an attack.
There are four main categories of SQL injection attacks against Oracle databases:
- SQL manipulation involves modifying the SQL statement through set operations (e.g., UNION) or altering the WHERE clause to return a different result. Many documented SQL injection attacks are of this type. The best-known attack is to modify the WHERE clause of the user authentication statement so that the WHERE clause always evaluates to TRUE.
The classic SQL manipulation occurs during login authentication. A simplistic web application may check user authentication by executing the following query and checking whether any rows were returned:

    SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'

The attacker attempts to manipulate the SQL statement so that it executes as:

    SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a'

Because AND binds more tightly than OR, the WHERE clause is true for every row and the attacker has gained access to the application.
The set operator UNION is frequently used in SQL injection attacks. The goal is to manipulate a SQL statement into returning rows from another table. A web form may execute the following query to return a list of available products:

    SELECT product_name FROM all_products WHERE product_name like '%Chairs%'

The attacker attempts to manipulate the SQL statement so that it executes as:

    SELECT product_name FROM all_products WHERE product_name like '%Chairs' UNION SELECT username FROM dba_users WHERE username like '%'

The list returned to the web form will include all the selected products, but also all the database users visible to the application.
What’s Vulnerable
A web application is vulnerable to SQL injection for only one reason: end-user string input is not properly validated and is passed into a dynamically built SQL statement. The string input is usually passed directly to the SQL statement. However, the user input may instead be stored in the database and later passed to a dynamic SQL statement. Because of the stateless nature of many web applications, it is common to write data to the database between web pages. This indirect type of attack is much more complex and requires in-depth knowledge of the application.
Oracle has generally fared well against SQL injection attacks, as there is no multiple-SQL-statement support (as in SQL Server and PostgreSQL), no EXECUTE statement (SQL Server), and no INTO OUTFILE function (MySQL). Also, the use of bind variables in Oracle environments for performance reasons provides the most effective protection against SQL injection attacks.
Oracle may provide stronger and more inherent protections against SQL injection attacks than other databases; however, Oracle-based applications without proper defenses against these types of attacks can still be vulnerable.
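To make the two SQL manipulation cases above and the bind-variable defense concrete, here is an added example (not part of the original post) that builds the login and product-search statements both by string concatenation and with bind variables, and runs them against an in-memory SQLite database standing in for Oracle. The tables, rows and the `dba_users` stand-in table are constructed for the demonstration; the real `dba_users` is an Oracle data dictionary view. The `:name` bind syntax is the same one Oracle drivers accept, so the hardened functions read as they would in an Oracle-backed application.

```python
import sqlite3

# Constructed schema: a minimal stand-in for the tables the post discusses.
# dba_users is a plain table here only so the UNION example can run offline.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('bob', 'mypassword'), ('alice', 's3cret');
CREATE TABLE all_products (product_name TEXT);
INSERT INTO all_products VALUES ('Office Chairs'), ('Desks'), ('Lamps');
CREATE TABLE dba_users (username TEXT);
INSERT INTO dba_users VALUES ('SYS'), ('SYSTEM'), ('APPUSER');
"""


def connect():
    """Open a fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Dynamic SQL: user input becomes part of the statement text itself."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return len(conn.execute(sql).fetchall()) > 0


def login_bound(conn, username, password):
    """Bind variables: input is sent as data, never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = :u AND password = :p"
    rows = conn.execute(sql, {"u": username, "p": password}).fetchall()
    return len(rows) > 0


def search_vulnerable(conn, term):
    """Dynamic SQL: the search term is spliced into the LIKE pattern."""
    sql = ("SELECT product_name FROM all_products WHERE product_name LIKE '%"
           + term + "%'")
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def search_bound(conn, term):
    """Bind variables: the whole pattern, wildcards included, is one value."""
    sql = "SELECT product_name FROM all_products WHERE product_name LIKE :pat"
    rows = conn.execute(sql, {"pat": "%" + term + "%"}).fetchall()
    return sorted(row[0] for row in rows)


# The two manipulated inputs from the post, reproduced as the strings a user
# would submit to the form field.
LOGIN_INPUT = "mypassword' or 'a' = 'a"
SEARCH_INPUT = "Chairs' UNION SELECT username FROM dba_users WHERE username like '"

if __name__ == "__main__":
    conn = connect()
    print("dynamic login, wrong password + manipulation:",
          login_vulnerable(conn, "bob", "wrong" + LOGIN_INPUT[10:]))
    print("bound login, same input:", login_bound(conn, "bob", LOGIN_INPUT))
    print("dynamic search, UNION input:", search_vulnerable(conn, SEARCH_INPUT))
    print("bound search, same input:", search_bound(conn, SEARCH_INPUT))
```

With dynamic SQL the login succeeds even though the password is wrong, and the product search returns the contents of the users table alongside the products; with bind variables the same inputs are compared literally, so the login fails and the search returns nothing. The fix does not depend on recognising the attack strings, which is why the post calls bind variables the most effective protection.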