Subscribe by Email


Tuesday, March 13, 2012

What are different aspects of Compounded SQL injection attack?

Till now so many types of SQL injection attacks have been identified. But, there is one type of SQL injection type which results in to different kinds of combinations of the other SQL injection attacks. This type of SQL injection attacks are commonly known as the compound SQL injection attacks.

This type of SQL injection attack has been derived from rigorous research and experimenting with the different SQL injection attack vectors putting them in different combinations with the various other web application attacks.

Some of the most commonly employed combinations are:

1. SQL injection + XSS cross site scripting
2. SQL injection + DDos attacks
3. SQL injection + insufficient authentication
4. SQL injection + DNS hijacking

Compounded SQL Injection Attack

- SQL is a language developed for interacting with the data base of the applications and web sites.

- The functions are mainly defined to retrieve the data from the data bases or to update the contents of the existing data bases.

- It uses compound conditions basically that make use of AND or OR.

- A compound statement is used to group all the other statements so as to constitute an executable block.

- SQL variables can be declared in an atomic compound statement that has been dynamically developed.

- A compound statement can be easily embedded in to SQL functions, SQL methods, trigger etc.

- To invoke a dynamic compound statement no privileges are required, although the authorization ID of the compound statement needs to include all the privileges required invoking the other SQL statements that form a part of that particular compound statement.

- Most of the compilers compile the compound statements as one single statement since this technique proves effective for the short scripts that do not require little control flow logic though a great data flow.

- For larger scripts or constructs, it’s better to use the SQL procedures.

- The “discretize” function is quite a simple one and is often used for the classification and modification of the data and gives back a NULL value for the malicious data.

- Later this malicious data is cleansed up by the compound statement.

- Most of the mechanisms can be elaborated using the technique of multi stage cleansing.

- The advantage of the compound statement is that here the FOR loop neither does open up a cursor nor the single row inserts are treated so.

- Here the underlying logic is of a multi table insert that has been selected previously.

- This advantage is reaped by compiling the dynamic statement as a single one.

- In contrast to this dynamic compound statement, there’s another type called Compounded SQL embedded statement.

- These statements can only be embedded in to the applications.

- In contrast to the dynamic statements, these cannot be prepared dynamically.

- These statements do not required any special privileges for invocation.


No comments:

Facebook activity