How to Prevent an SQL Injection Attacks and Remote Code Execution
Network security is one of the major thing we need to focus on. While working on a network, we need to ensure the security of the network to keep the valuable data secure and prevent the intrusion attacks to our private circles. In this article, we are going to discuss two common network attacks and their prevention measures. We are going to see the following attacks.
1) Remote code execution
2) SQL injection
Remote code execution
The process of executing a piece of code in the server remotely by an attacker is called the Remote code execution. The Remote code execution is otherwise called the Arbitrary Code Execution. The main reason behind this attack is poor and improper coding. This is done by attackers usually not to steal confidential data, but to let you know that they can attack you. Sometimes, it is difficult to discover this vulnerability during testing assignments, but such problems are revealed while doing a source code review. However, when testing web applications it is important to remember that exploitation of this vulnerability can lead to total system compromise with the same rights as the web server itself.
How to prevent the Remote Code Execution
Ensure that your code respects the bounds of your data buffers. In compilers, turn on range checking or similar run-time checks. The compiler will emit code to validate that an array index value is in range before accessing the memory location in the array. Don’t trust the user’s description of their data. Always assume that when you are being supplied with information, it will be corrupted. Strings will not be terminated. Arrays will not be sized appropriately and structures will be missing pieces. Packets will be over-sized or incomplete.
It is one of the most common attacks in the web industry. SQL injection is a code injection technique, used to attack data-driven applications. In this attacks, the attacker inserts SQL statements into an entry field in a form for execution. It will cause the loss of data and confidential data will be lost. It is a technique where malicious users can inject SQL commands into an SQL statement, via web page input. Injected SQL commands can alter SQL statement and compromise the security of a web application.
SQL Injection Based on 1=1 is Always True
This is one of the common method of SQL Injection. Let’s see an example. Let’s say that the original purpose of the code was to create an SQL statement to select a user with a given user id. In the attack, the user inputs like this:
Userid 105 or 1=1
This is the line of code that attackers will use:
WHERE UserId = 105 or 1=1
We know that 1=1 is true. As the above SQL command is valid, the system will list the table Users to the attacker. See another SQL Injection.
SELECT UserId, Name, Password
WHERE UserId = 105 or 1=1
SQL Injection Based on “”=”” is Always True
This is another form an SQL Injection attack. Suppose the below is a login prompt. The user needs to enter the username and the password to get logged in.
When a customer types in the username and the password, the actual server code generated is shown below.
uName = getRequestString(“UserName”);
uPass = getRequestString(“UserPass”);
sql = “SELECT * FROM Users WHERE Name ='” + uName + “‘ AND Pass ='” + uPass + “‘”
A hacker might get access to user names and passwords in a database by simply inserting ” or “”=” into the user name or password text box. The code at the server will create a valid SQL statement like this:
WHERE Name =”” or “”=”” AND Pass =”” or “”=””
As this SQL query is always true, the attacker gets logged into the website.
SQL Injection Based on Batched SQL Statements
As we know, most of the databases supports the batched SQL statements that are separated by a semicolon. This is misused by the attackers to implement a SQL injection attack.
eg: SELECT * FROM Users; DROP TABLE table1
This code will list the Users table and then delete the table table1.
Now, let’s look into the following code. It will explain how this attack is implemented.
txtUserId = getRequestString(“UserId”);
txtSQL = “SELECT * FROM Users WHERE UserId = ” + txtUserId;
Suppose the attacker inserts the below line in the text field of a text field to insert the user id,
105; DROP TABLE Suppliers
It will result in an SQL code like this.
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers
How to Prevent the SQL Injection
Follow the below specified measures to prevent the SQL Injection attacks.
1) Use Parameterized Queries
2) Use Stored Procedures
3) Escaping all User Supplied Input
Use Parameterized Queries
In this method, the developer first needs to define the SQL code and then pass in each parameter to the query later. This will enable you to distinguish between code and the data by the database regardless of what the user is supplied.
Use Stored Procedures
The Stored Procedures are not always safe from the SQL Injection. However certain standard Stored Procedures programming constructs have the same effect as the use of parameter queries when implemented safely.
Escaping all User Supplied Input
When none of the above works, this method could be implemented. This method is very database specific. By using this technique, it escapes the user before putting it in a query. Each DBMS supports one or more-character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme for the database using the DBMS, it will not be confused with the input with SQL code written by the developer.
If you need any further assistance please contact our support department.