

Showing posts with label SQL statements. Show all posts

Saturday, May 12, 2012

What are different aspects of Inference SQL injection attack?


SQL injection attacks are rising sharply in the cyber world, with a huge number of web sites and web applications falling victim to them. A few years back SQL injection attacks were not much in the news, but now they top the web's vulnerability charts.

SQL injection attacks have emerged as a popular and notorious means for harming the security of the websites and web applications. 

How exactly does an SQL injection attack take effect?
- In a typical SQL injection attack, statements written in the SQL language are supplied as input to a web form.
- This is done to make the web site or application carry out operations on the targeted database.
- Web sites that can be manipulated through SQL injection in this way are often badly designed.
- The attacker uses the badly designed web site to get access to the private database contents.
- It is a kind of code injection technique, and it is often used to exploit a security vulnerability in the software of the web site or web application.



When does an injection attack occur?

An injection attack occurs through two commonly made mistakes, which are:

1. Incorrect filtering of user input for escape characters in string literals that are embedded in SQL statements. This leaves scope for manipulation of the SQL statements by the end user who is using the database.

2. The unexpected execution of user input that has not been strongly typed. This is commonly referred to as incorrect type handling. The constraints are then left unchecked.

Approaches of Inference SQL Injection Attack

Inference SQL injection attacks are usually used for mining data. There are 3 approaches used for mining data with inference SQL:

1. In band approach: The in band approach involves the extraction of data via an already existing path between the application and the attacker. For example, returning the data in a well rendered error message or web page.

2. Out of band approach: The out of band approach involves the creation of a new path between the application and the attacker. This is done by establishing a connection between the database server and the client using a network function such as HTTP, a database connection, e-mail and so on.

3. Inference: Inference does not involve any direct transfer of actual data; rather, the value of the data is inferred from differences in the responses that the application returns to the attacker. This is generally done by asking a series of questions. Deliberate differences between the responses are generated based upon the answers to those questions.


About the Inference SQL Injection Attack

1. The inference approach can also be used at the bit level, and it makes use of properties such as the status of the web server, time and differences in the content.
2. Making use of these properties, the attacker can correctly infer the data values.
3. Inference SQL injection has proven to be a great milestone when it comes to extracting data using SQL injection.
4. It came to be extremely useful when the other two methods of data retrieval, i.e., in band and out of band, did not prove successful.
5. Inference SQL attacks only affect SQL servers, and they are quite slow due to the time delay.
6. Since 2002 no remarkable improvements have been witnessed in the field of inference SQL.
7. Inference SQL injection attacks have an added advantage, which is that they can be employed in any SQL injection situation.
8. When a specific query is injected into an ADQ (application defined query), the web server generates a response code depending upon the data values.
9. It is quite common for an attacker to look first at exploiting an SQL injection vulnerability by using in band results.
10. But this is not feasible every time, since in some situations time is the major factor; in such situations out of band or inference methods are deployed.
11. Not only data but also logic can be inserted into the query of the application.
12. In this way the output of the application can be controlled, and based on this output the stored values can be inferred from the database.
13. The creation of an SQL inference attack depends on the sophistication of the information that the attacker has about it beforehand.
14. Inference SQL attacks through web server response codes present a major problem, which is that they can quite easily be detected by good web server administrators.
15. But attackers have figured out another such inference attack, called the content manipulation inference attack.
16. Using this, they are able to keep the response code constant while changing the web site content.
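
The three side channels named in the list above (response code, time and content) leave different traces in web server logs. The following added example, which is not part of the original post, groups requests by client and path and reports which channel a request series exposes. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

MIN_REQUESTS = 8    # assumed: shortest request series worth examining
MIN_PER_SIDE = 3    # assumed: each of the two outcomes must recur
SLOW_MS = 2000      # assumed: response time that counts as a deliberate delay

# Constructed log lines in an assumed format: client path status bytes milliseconds
SAMPLE = (
    [f"203.0.113.5 /item {s} 5120 40" for s in (200, 500, 200, 200, 500, 500, 200, 500)]
    + [f"203.0.113.9 /item 200 {b} 45" for b in (5120, 1830, 5120, 1830, 1830, 5120, 5120, 1830)]
    + [f"203.0.113.20 /search 200 900 {t}" for t in (35, 5010, 40, 5020, 5005, 38, 42, 5015)]
    + ["198.51.100.8 /home 200 4096 30"] * 10
    + [f"198.51.100.7 /page{i} 200 {3000 + i} 50" for i in range(8)]
)

def split_two_ways(flags):
    """True when a yes/no series has at least MIN_PER_SIDE of each answer."""
    yes = sum(flags)
    return yes >= MIN_PER_SIDE and len(flags) - yes >= MIN_PER_SIDE

def find_inference_probing(lines):
    """Map (client, path) to the side channel its request series exposes."""
    series = defaultdict(list)
    for line in lines:
        client, path, status, size, ms = line.split()
        series[(client, path)].append((int(status), int(size), int(ms)))
    findings = {}
    for key, hits in series.items():
        if len(hits) < MIN_REQUESTS:
            continue
        statuses = {status for status, _, _ in hits}
        sizes = Counter(size for _, size, _ in hits)
        if split_two_ways([status >= 500 for status, _, _ in hits]):
            findings[key] = "status-code"   # response code depends on the data
        elif split_two_ways([ms >= SLOW_MS for _, _, ms in hits]):
            findings[key] = "timing"        # delay depends on the data
        elif (len(statuses) == 1 and len(sizes) == 2
              and min(sizes.values()) >= MIN_PER_SIDE):
            findings[key] = "content"       # constant code, two page variants
    return findings

if __name__ == "__main__":
    for (client, path), channel in find_inference_probing(SAMPLE).items():
        print(client, path, channel)
```

The content check is the one that matters for the constant-response-code case in items 15 and 16: monitoring status codes alone does not see it.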




Wednesday, February 15, 2012

What are the tips needed by web application against SQL attacks?

SQL injection attacks are one of the top 10 security vulnerabilities for web sites and applications, as declared by the open source web security. Because they are such a great threat, a few measures have been designed to curb SQL injection attacks.

FACTORS CONTRIBUTING TO SQL INJECTION ATTACKS
SQL injection attacks are very common these days. This is probably due to two main factors:

- The prevalence of vulnerabilities related to SQL injection attacks is significant.
- The target of SQL injection attacks, i.e., the database of the web site or web application, appears very attractive and useful to attackers since it contains all the critical and sensitive data of the site or the application.

SQL INJECTION MEASURES
Here we are going to discuss those SQL injection measures.
- The first step in avoiding SQL injection attacks is to understand how exactly these attacks occur.
- An SQL injection attack occurs whenever a query is created dynamically by the web site for its database.
- These queries contain nothing but the input entered by the user.
- Once you know what makes it easy for attackers to carry out an SQL injection attack on a web site or web application, it becomes much easier to avoid such attacks.

HOW TO AVOID SQL INJECTION ATTACK
There are 2 ways of avoiding the attacks, which are discussed below:

1. Dynamic queries should not be written. An alternative to dynamic queries should be used.
2. The input supplied by the end user should be checked for malicious SQL statements. Queries containing such statements should be prevented from reaching the database, as they will affect the code logic used in the query.

The above two ways can be used with any of the available programming languages and also with data bases of any type.

DEFENSE TECHNIQUES TO AVOID SQL ATTACKS
There are some primary defense techniques which you can follow to avoid SQL injection attacks. They have been stated below:

Defense 1:
- Escaping the input supplied by the user.
- Here the query statements are prepared in advance by the web site or web application developer.
- These queries are very easy to understand and do not require as much effort as dynamic queries.
- This method is implemented as follows.
- The developer first defines the code for all the SQL statements.
- Each parameter is then passed in to the query later when required.
- This technique gives the database the ability to distinguish between data and code irrespective of what data the user has entered.

Defense 2:
- Web sites and web applications can make use of pre-designed queries or parametric queries.
- This approach is used when the other two fail.
- But this is not as strong as the other two approaches.

Defense 3:
- Web sites and web applications can make use of pre-designed procedures.
- They are implemented in a way similar to that of the prepared statements.

In addition to these primary defense techniques, there are some additional defense measures which can be followed if you are not satisfied with the security offered by the primary defense techniques:

ADDITIONAL DEFENSE MEASURES

- Provide the least privileges.
- The web site or application developer can carry out a white list check to validate the input to queries. This proves to be effective because a non-validated parameter, when appended to a query built from user input, allows the attacker to inject malicious SQL statements into the database of that particular web site or application. This method of injecting SQL statements into the database is used quite often by attackers.
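
Both additional measures can be shown together in a short added example that is not part of the original post. A sort column cannot be bound as a query parameter, so it is the typical "parameter appended to a query" and is checked against a white list; the reporting connection is also made read-only using SQLite's `query_only` pragma. The `staff` table, its rows and the function names are assumptions constructed for illustration.

```python
import sqlite3

# Assumed white lists: request value -> fixed SQL fragment
ALLOWED_SORT = {"name": "name", "salary": "salary"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}

def make_reporting_db():
    """Constructed sample data on an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (name TEXT, position TEXT, salary INTEGER)")
    db.executemany("INSERT INTO staff VALUES (?, ?, ?)",
                   [("Lee", "Manager", 60000),
                    ("Adams", "Staff", 35000),
                    ("Lopez", "Staff", 45000)])
    db.commit()
    # Least privilege: this connection only reports, so forbid writes on it.
    db.execute("PRAGMA query_only = ON")
    return db

def list_staff(db, position, sort_by="name", direction="asc"):
    """Return (name, salary) rows for one position in the requested order."""
    # Column names and keywords cannot be bound as parameters, so the
    # request values are mapped onto known-good fragments or rejected.
    try:
        column = ALLOWED_SORT[sort_by]
        order = ALLOWED_DIRECTION[direction.lower()]
    except (KeyError, AttributeError):
        raise ValueError("unsupported sort option") from None
    sql = ("SELECT name, salary FROM staff WHERE position = ? "
           f"ORDER BY {column} {order}")
    # The data value is still bound, never concatenated.
    return db.execute(sql, (position,)).fetchall()

def can_write(db):
    """Report whether this connection is able to modify the table."""
    try:
        db.execute("DELETE FROM staff")
        return True
    except sqlite3.OperationalError:
        return False

if __name__ == "__main__":
    db = make_reporting_db()
    print(list_staff(db, "Staff", "salary", "desc"))
    print("write allowed:", can_write(db))
```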


Tuesday, February 14, 2012

What are different aspects of SQL injection attacks?

SQL is the most rated vulnerability of today’s software world. SQL injection is emerging as a popular means for harming the security of the websites.

How exactly does an SQL injection attack take effect?

- In an SQL injection attack, statements written in the SQL language are entered into a web form.
- This is done to make the web site carry out operations on the database.
- Web sites that can be manipulated through SQL injection in this way are often badly designed.
- The attacker uses the badly designed web site to get access to the database contents.
- The web site can also be used to carry out other operations as desired by the attacker.
- It is a kind of code injection technique and is often employed to exploit a security vulnerability in the software of the web site.

An injection attack occurs through two common mistakes which are:

1. Incorrect filtering of user input for escape characters in string literals that are embedded in SQL statements. This leaves scope for manipulation of the SQL statements. The manipulation is done by the end user who is using the database.

2. The unexpected execution of the input entered by the user that has not been strongly typed. This is referred to as incorrect type handling. The constraints are left unchecked.
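
The two mistakes, which this post and the May 12, 2012 post both list, are shown below next to their corrected forms. This is an added example, not code from the original posts; the `users` table, its rows and the function names are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data on an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

# Mistake 1: quote characters in the input are not filtered, so the input
# can close the string literal and continue as SQL.
def find_by_name_vulnerable(db, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_by_name_safe(db, name):
    # The placeholder keeps the input as data; it is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

# Mistake 2: a value expected to be numeric is never checked for its type,
# so no quote character is even needed to change the statement.
def find_by_id_vulnerable(db, user_id):
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in db.execute(sql)]

def find_by_id_safe(db, user_id):
    # Enforce the expected type first, then still bind the value.
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (numeric_id,))]

if __name__ == "__main__":
    db = make_db()
    quoted = "x' OR '1'='1"   # constructed input for mistake 1
    untyped = "1 OR 1=1"      # constructed input for mistake 2
    print(find_by_name_vulnerable(db, quoted), find_by_name_safe(db, quoted))
    print(find_by_id_vulnerable(db, untyped), find_by_id_safe(db, untyped))
```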

What can a SQL injection attack do?

- The SQL commands designed by the attacker are injected into the database of the web site or application via a web form through either of the two methods.
- These commands are capable of changing the content of the database, or they can even dump it as the attacker wishes.
- SQL injection attacks can even attack SQL databases rather than only attacking web sites or web applications.
- SQL injection attacks can be prevented by the use of structured query language which is well designed and defined.
- Such attacks are usually aggressive. SQL injection attack is abbreviated to SQLIA.

According to one study, under normal usage an application experiences 71 attempts per hour, in contrast to 800-1000 attempts per hour under a direct attack.

SQL injection has been declared by the Open Web Application Security Project as one of the top 10 vulnerabilities. It can be divided into 5 subcategories as listed below:

- Classic SQL injection attack
- Interactive SQL injection attack
- Inference SQL injection attack
- Compounded SQL injection attack and
- DBMS specific SQL injection attack

Types of SQL Injection Attack

- Classic SQL injection attack is not feared today since it has become outdated.
- But many web sites and web applications still take precautions against it.
- Inference SQL injection attack continues to be a great threat.
- Attackers mostly prefer this method since it is very flexible in deployment and dynamic in nature.
- Compounded SQL injection attack is a new kind of SQLIA.
- It is the result of combining SQL injection with web application attacks such as:

a) DOS attacks + SQL injection
b) DNS hijacking + SQL injection
c) Improper authentication + SQL injection
d) XSS + SQL injection


- An example of a compounded SQL injection attack is provided by the Storm worm.
- The DBMS specific SQL injection attack is often considered as supportive.
- There is another kind of SQL injection called blind SQL injection attack which is used to defend a web site or application on the verge of being attacked.
- The results of the SQL injection attack are made invisible to the attacker.
- This injection attack is time intensive.

Today several automated tools have also been developed for automation of these attacks. But, that also requires the location of the target information.


Tuesday, September 8, 2009

Structured Query Language (SQL)

The structured query language (SQL) is the language used to query and manipulate information within a SQL Server database. SQL is actually an ISO and ANSI standardised language. However, a lot of RDBMS software uses its own proprietary extensions within its own Transact-SQL (T-SQL) variant of SQL.

The basic building block of the structured query language is the SQL statement. Using statements, information in a database can be manipulated and queried.
* CREATE - a data structure.
* SELECT - read one or more rows from a table.
* INSERT - one or more rows into a table.
* DELETE - one or more rows from a table.
* UPDATE - change the column values in a row.
* DROP - a data structure.

Language Structure :
SQL is a keyword based language. Each statement begins with a unique keyword. SQL statements consist of clauses which begin with a keyword. SQL syntax is not case sensitive.
The other lexical elements of SQL statements are:
* names -- names of database elements: tables, columns, views, users, schemas; names must begin with a letter (a - z) and may contain digits (0 - 9) and underscore (_)
* literals -- quoted strings, numeric values, date time values.
* delimiters -- + - , ( ) = < > <= >= <> . * / || ? ;
Basic database objects (tables, views) can optionally be qualified by schema name. A dot -- ".", separates qualifiers: schema-name . table-name
Column names can be qualified by table name with optional schema qualification.

Syntax of Simple SELECT : SELECT column FROM tablename
- Using "Where"
SELECT EMPLOYEEIDNO
FROM EMPLOYEESTATISTICSTABLE
WHERE SALARY >= 50000;
- Compound Conditions
SELECT EMPLOYEEIDNO
FROM EMPLOYEESTATISTICSTABLE
WHERE SALARY < 40000 OR BENEFITS < 10000;
- Using "IN"
SELECT EMPLOYEEIDNO
FROM EMPLOYEESTATISTICSTABLE
WHERE POSITION IN ('Manager', 'Staff');
- Using "Between"
SELECT EMPLOYEEIDNO
FROM EMPLOYEESTATISTICSTABLE
WHERE SALARY BETWEEN 30000 AND 50000;
- Using "LIKE"
SELECT EMPLOYEEIDNO
FROM EMPLOYEEADDRESSTABLE
WHERE LASTNAME LIKE 'L%';

