A Classification of SQL Injection Attacks and Countermeasures

This paper (A Classification of SQL Injection Attacks and Countermeasures) has an excellent section on Injection mechanisms – the way that sql code is modified to actually perform the injection attack – the attack vectors – user inputs

  • cookies
  • server variables
  • second order injection (seeding an sql injection into a database in order for that attack to be triggered later)

A section on attack intent, outlines the various reasons for an attacker to want to exploit the database:

  • identifying injectable parameters
  • performing database fingerprinting
  • determining database schema
  • extracting data
  • adding or modifying data
  • denial of service
  • evading detection
  • bypassing authentication
  • privilege escalation
  • executing remote commands

There is a section on SQLi types, which expands on the AMNESIA paper, adding:

tautologies:

– injecting code into a conditional statement so that it always evaluates as true

Illegal / locally incorrect queries:

– essentially generating an error in the database

Union queries

– essentally adding ‘UNION SELECT <query>’ to the end of existing queries

Piggy Back queries

– essentially adding a delimiter (;) and a second query to existing queries

Stored procedures

– executing / injecting / modifying stored procedures

Inference

– inferring information, eg exploitable parameters, when no usable error reporting is viewable

Alternate encodings

– using alternative character encoding to generate errors

There is an excellent section on detection methodologies:

  • black box testing
  • Static code chekers
  • combined static and dynamic analysis
  • new query development paradigms
  • intrusion detection
  • proxy filters
  • instruction set randomisation

and an evaluation of tools from each of the methodologies and how they perform for each of the SQLi types.

A Classification of SQL Injection Attacks and Countermeasure
A Classification of SQL Injection Attacks and Countermeasures
A Classification of SQL Injection Attacks and Countermeasure
A Classification of SQL Injection Attacks and Countermeasures

and a very handy table to summarise the implementations of the tools

A Classification of SQL Injection Attacks and Countermeasure

==========

What is the paper about?

Classifying sql injection attacks into categories

Who is the intended audience?

people who need to classify attacks into categories :P

researchers  mostly, possibly security professionals

Is title/abstract accurate

yes

Is the big ‘point’ of the work clear?

yes, they identify 8 types, and explain each, and also present ‘prevention’ techniques for each type

Is there an original/significant contribution to knowledge

Its cited lots, and they have outlined prevention methods and an evaluation of these methods

Is this an extension to previous work?

yes, it gathers the classifications from others work, and adds prevention techniques and evaluates them

Are aims and objectives clearly stated?

yes, in the abstract – they want to present the various methods, and prevention techniques, and evaluate the prevention techniques

Technical aspects of critique

Has proper attention been given to the current literature

yes, they ahve an excellent background information section, and a thorough breakdown and classification of each of the techniques

Are ideas/arguments technically correct?

yes, most of the categories of SQLi I already know, but a couple were new to me!

Is empirical evidence provided?

yes, they have a table comparing various sqli detection programs (I’ll use this)

Is there a balanced presentation of the literature?

yeah, their references section is excellent, and are used throughout the paper

Is the research design/methodology clearly stated?

yeah, they have 4 sections on evaluation (though a bit short)

Has any sampling involved been carefully and thoughtfully selected?

yeah, they have examples

Is it representative? Is it likely to bias the research?

its representative, and they have both preventative and detection-based techniques and classifications

Have any ethical issues been clearly identified and handled correctly?

nope

Has the data collection method clearly stated?

yes, they have sections on each of the evaluations

Was there a pilot study to check proposed approach?

nope

Is the data collection method valid and reliable?

yes, its repeatable

What is the method of analysis? Clearly described and reliable?

experimentation + analysing / comparing the results

Are results clearly presented?

Are all hypotheses and any assumptions clearly stated at the outset?

yes, tables, graphs, etc

Presentaton

IS the paper well structured? Can you follow the arguments? Is there a good flow through the paper i.e. Is there a ‘story’?

yeah, its very good

Are technical terms/abbreviations explained?

yes

Are tables/graphs/diagrams easy to follow and clearly signposted?

yes

Do they aid understanding?

yes

Is the discussion well balanced? – Not front/top heavy

yes

Are conclusions well supported by arguments/results presented in the paper

Is the work well ‘joined-up’?

yes, it flows well

Do the authors recognise potential areas of weakness in their work?

yes, they state that further research would include evaluating the performance and accuracy of the techniques (this is what I’m doing)

How up-to-date is the work – are references current and representative of the field?

Not really, it was published in 2010, references from 2005 and earlier

Leave a Reply