This paper (A Classification of SQL Injection Attacks and Countermeasures) has an excellent section on injection mechanisms – the ways that SQL code is modified to actually perform the injection attack – the attack vectors:
- user inputs
- cookies
- server variables
- second order injection (seeding an SQL injection into a database so that the attack is triggered later, when the stored value is used in another query)
A section on attack intent outlines the various reasons for an attacker to want to exploit the database:
- identifying injectable parameters
- performing database fingerprinting
- determining database schema
- extracting data
- adding or modifying data
- denial of service
- evading detection
- bypassing authentication
- privilege escalation
- executing remote commands
There is a section on SQLi types, which expands on the AMNESIA paper, adding:
Tautologies:
– injecting code into a conditional statement so that it always evaluates as true
Illegal / logically incorrect queries:
– essentially generating an error in the database, so that the error message leaks information
Union queries:
– essentially adding ‘UNION SELECT <query>’ to the end of existing queries
Piggy-backed queries:
– essentially adding a delimiter (;) and a second query to existing queries
Stored procedures:
– executing / injecting / modifying stored procedures
Inference:
– inferring information, e.g. exploitable parameters, when no usable error reporting is viewable
Alternate encodings:
– using alternative character encodings to evade detection and generate errors
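As an added illustration of the tautology and union classes above (this is example code written for these notes, not code from the paper), the following runs the same two payloads against a query built by string concatenation and against a parameterised query, using an in-memory SQLite database with a constructed users table. The table contents, the function names and the payload strings are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the paper): a tiny users table with a secret column.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, pw, secret) VALUES (?, ?, ?)",
        [("alice", "alice-pw", "s3cret-a"), ("bob", "bob-pw", "s3cret-b")],
    )
    return conn


def login_vulnerable(conn, name, pw):
    # Query built by concatenation: attacker-controlled text becomes SQL syntax.
    sql = (
        "SELECT name FROM users WHERE name = '" + name + "' AND pw = '" + pw + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, pw):
    # Parameterised query: the driver binds the values, they are never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Constructed payloads for the two classes being illustrated.
TAUTOLOGY = "' OR '1'='1"                        # makes the WHERE clause always true
UNION = "' UNION SELECT secret FROM users --"    # appends a second SELECT, comments out the tail


def demo():
    """Run both payloads through both query builders and return the rows each produced."""
    conn = make_db()
    return {
        # Concatenated query: the tautology matches every row, the union pulls the secret column.
        "vuln_tautology": sorted(login_vulnerable(conn, "x", TAUTOLOGY)),
        "vuln_union": sorted(login_vulnerable(conn, "x", UNION)),
        # Parameterised query: the payloads are just an unmatched password string.
        "safe_tautology": login_safe(conn, "x", TAUTOLOGY),
        "safe_union": login_safe(conn, "x", UNION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The piggy-backed class is not shown because Python's sqlite3 driver refuses to execute more than one statement per execute() call, which is itself a useful data point: whether a delimiter-based payload works depends on the driver and database, not only on the application code.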
There is an excellent section on detection methodologies:
- black box testing
- static code checkers
- combined static and dynamic analysis
- new query development paradigms
- intrusion detection
- proxy filters
- instruction set randomisation
There is also an evaluation of tools from each of the methodologies, showing how they perform against each of the SQLi types, and a very handy table summarising the tools' implementations.
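To make the "static code checkers" category concrete, here is an added example (written for these notes, not a tool from the paper) of the simplest possible checker: it parses Python source with the standard ast module and flags SQL statements assembled by concatenation, %-formatting, str.format() or f-strings, which are the patterns that let input become SQL syntax. The sample source it scans is constructed inline; the function and keyword list are assumptions for the example, and a real checker would also follow the string through variables and into the execute() call.

```python
import ast

# Leading keywords that mark a string literal as an SQL statement (assumed list).
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP")


def _looks_like_sql(text):
    return text.lstrip().upper().startswith(SQL_KEYWORDS)


def _leftmost(node):
    # For a chain like "a" + b + "c" + d, descend to the left-most operand.
    while isinstance(node, ast.BinOp):
        node = node.left
    return node


def _is_sql_literal(node):
    return (
        isinstance(node, ast.Constant)
        and isinstance(node.value, str)
        and _looks_like_sql(node.value)
    )


def find_dynamic_sql(source):
    """Return sorted (lineno, kind) pairs for SQL strings built from runtime values."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.JoinedStr):
            # f-string: join its literal parts and test whether they start with SQL.
            literal = "".join(
                v.value
                for v in node.values
                if isinstance(v, ast.Constant) and isinstance(v.value, str)
            )
            if _looks_like_sql(literal):
                findings.add((node.lineno, "f-string"))
        elif isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
            # "SELECT ..." + x  or  "SELECT ..." % x
            if _is_sql_literal(_leftmost(node)):
                kind = "concat" if isinstance(node.op, ast.Add) else "percent-format"
                findings.add((node.lineno, kind))
        elif (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"
            and _is_sql_literal(node.func.value)
        ):
            # "SELECT ... {}".format(x)
            findings.add((node.lineno, "str.format"))
    return sorted(findings)


# Constructed sample source: three dynamic queries, one parameterised query, one non-SQL concat.
SAMPLE = '''
def login_vulnerable(conn, name, pw):
    sql = "SELECT name FROM users WHERE name = '" + name + "' AND pw = '" + pw + "'"
    return conn.execute(sql)

def by_id(conn, uid):
    return conn.execute(f"SELECT * FROM users WHERE id = {uid}")

def by_name(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name)

def login_safe(conn, name, pw):
    return conn.execute("SELECT name FROM users WHERE name = ? AND pw = ?", (name, pw))

def log(msg):
    return "log: " + msg
'''

if __name__ == "__main__":
    for lineno, kind in find_dynamic_sql(SAMPLE):
        print(f"line {lineno}: SQL built with {kind}")
```

Note that the parameterised login_safe and the non-SQL concatenation in log() are not reported; the checker keys on the literal's leading keyword, so a query stored in a variable and concatenated later would slip past it, which is exactly the limitation the paper's discussion of static checkers versus combined static/dynamic analysis is about.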
==========
What is the paper about?
Classifying sql injection attacks into categories
Who is the intended audience?
people who need to classify attacks into categories :P
researchers mostly, possibly security professionals
Is title/abstract accurate
yes
Is the big ‘point’ of the work clear?
yes, they identify 8 types, and explain each, and also present ‘prevention’ techniques for each type
Is there an original/significant contribution to knowledge
It's cited lots, and they have outlined prevention methods and an evaluation of these methods
Is this an extension to previous work?
yes, it gathers the classifications from others work, and adds prevention techniques and evaluates them
Are aims and objectives clearly stated?
yes, in the abstract – they want to present the various methods, and prevention techniques, and evaluate the prevention techniques
Technical aspects of critique
Has proper attention been given to the current literature
yes, they have an excellent background information section, and a thorough breakdown and classification of each of the techniques
Are ideas/arguments technically correct?
yes, most of the categories of SQLi I already know, but a couple were new to me!
Is empirical evidence provided?
yes, they have a table comparing various SQLi detection programs (I’ll use this)
Is there a balanced presentation of the literature?
yeah, their references section is excellent, and the references are used throughout the paper
Is the research design/methodology clearly stated?
yeah, they have 4 sections on evaluation (though a bit short)
Has any sampling involved been carefully and thoughtfully selected?
yeah, they have examples
Is it representative? Is it likely to bias the research?
it's representative, and they have both preventative and detection-based techniques and classifications
Have any ethical issues been clearly identified and handled correctly?
nope
Has the data collection method been clearly stated?
yes, they have sections on each of the evaluations
Was there a pilot study to check proposed approach?
nope
Is the data collection method valid and reliable?
yes, it's repeatable
What is the method of analysis? Clearly described and reliable?
experimentation + analysing / comparing the results
Are results clearly presented?
yes, tables, graphs, etc
Are all hypotheses and any assumptions clearly stated at the outset?
Presentation
Is the paper well structured? Can you follow the arguments? Is there a good flow through the paper, i.e. is there a ‘story’?
yeah, it's very good
Are technical terms/abbreviations explained?
yes
Are tables/graphs/diagrams easy to follow and clearly signposted?
yes
Do they aid understanding?
yes
Is the discussion well balanced? – Not front/top heavy
yes
Are conclusions well supported by arguments/results presented in the paper
Is the work well ‘joined-up’?
yes, it flows well
Do the authors recognise potential areas of weakness in their work?
yes, they state that further research would include evaluating the performance and accuracy of the techniques (this is what I’m doing)
How up-to-date is the work – are references current and representative of the field?
Not really, it was published in 2010, references from 2005 and earlier