Part 3: Describe how an SQL injection attack works. Explain how such attacks can
Question
Part 3: Describe how an SQL injection attack works. Explain how such attacks can be prevented.
Part 4: A suitcase has a combination lock with three wheels. Each wheel has ten digits, 0 through 9. How many different combinations are there? Assume that a thief can try one combination every second, and that the thief will get lucky after trying about half the combinations. How long will it take the thief to open the briefcase?
If each wheel of the briefcase lock has the 16 hexadecimal digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F, how many different combinations are there? How long will it take our thief to open the lock?
Part 5: Suppose that a lock like the one described above has only two numbers, 0 and 1, on the wheels, and there are eight wheels. How many combinations are there? What happens if a ninth wheel is added? How many combinations, and how long to "crack?"
Explanation / Answer
Structured Query Language (SQL) is used to query, operate, and administer database systems such as Microsoft SQL Server, Oracle, or MySQL. The general use of SQL is consistent across all database systems that support it; however, there are intricacies that are particular to each system.
Database systems are commonly used to provide backend functionality to many types of web applications. In support of web applications, user-supplied data is often used to dynamically build SQL statements that interact directly with a database. A SQL injection attack is an attack that is aimed at subverting the original intent of the application by submitting attacker-supplied SQL statements directly to the backend database. Depending on the web application, and how it processes the attacker-supplied data prior to building a SQL statement, a successful SQL injection attack can have far-reaching implications. The possible security ramifications range from authentication bypass to information disclosure to enabling the distribution of malicious code to application users.
This white paper will describe SQL injection attacks, how they are performed, and precautions that should be taken inside applications or networks to reduce risks that are associated with SQL injection attacks.
SQL Injection Explained
A SQL injection attack involves the alteration of SQL statements that are used within a web application through the use of attacker-supplied data. Insufficient input validation and improper construction of SQL statements in web applications can expose them to SQL injection attacks. SQL injection is such a prevalent and potentially destructive attack that the Open Web Application Security Project (OWASP) lists it as the number one threat to web applications.
Ramifications of Successful SQL Injection Attacks
Although the effects of a successful SQL injection attack vary based on the targeted application and how that application processes user-supplied data, SQL injection can generally be used to perform the following types of attacks:
Authentication Bypass: This attack allows an attacker to log on to an application, potentially with administrative privileges, without supplying a valid username and password.
Information Disclosure: This attack allows an attacker to obtain, either directly or indirectly, sensitive information in a database.
Compromised Data Integrity: This attack involves the alteration of the contents of a database. An attacker could use this attack to deface a web page or more likely to insert malicious content into otherwise innocuous web pages. This technique has been demonstrated via the attacks that are described in Mass exploits with SQL Injection at the SANS Internet Storm Center.
Compromised Availability of Data: This attack allows an attacker to delete information with the intent to cause harm or delete log or audit information in a database.
Remote Command Execution: Performing command execution through a database can allow an attacker to compromise the host operating system. These attacks often leverage an existing, predefined stored procedure for host operating system command execution. The most recognized variety of this attack uses the xp_cmdshell stored procedure that is common to Microsoft SQL Server installations or leverages the ability to create an external procedure call on Oracle databases.
An Example of SQL Injection for Authentication Bypass
One of the many possible uses for SQL injection involves bypassing an application login process. The following example illustrates the general operation of a SQL injection attack. The following HTML form solicits login information from an application user.
Although this example uses an HTTP POST request, an attacker could also use HTML forms that use the HTTP GET method.
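
The authentication-bypass case and the "improper construction of SQL statements" described above, shown as an added example that is not part of the original answer: the same login check built by string concatenation and with bound parameters, run against an in-memory SQLite database. The table layout, function names, account and input values are all constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding one constructed account (sample data only;
    a real application stores a salted password hash, not the password)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    return db

def login_concatenated(db, username, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Hardened: the statement text is fixed and input is bound as data,
    so it can never be parsed as SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Constructed test input: a value containing a quote and an always-true clause.
TAUTOLOGY = "' OR '1'='1"

def compare():
    """Run a valid login and the constructed input through both versions."""
    db = make_db()
    return {
        "valid_concat": login_concatenated(db, "alice", "constructed-secret"),
        "valid_param": login_parameterized(db, "alice", "constructed-secret"),
        "injected_concat": login_concatenated(db, "alice", TAUTOLOGY),
        "injected_param": login_parameterized(db, "alice", TAUTOLOGY),
    }

if __name__ == "__main__":
    for case, accepted in compare().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The concatenated version accepts the constructed input because the resulting WHERE clause ends in an OR condition that is true for every row; the parameterized version compares the same input as a literal string and rejects it.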