SQL Injection - An old problem, still present.

Summary:

This article aims to demonstrate that the vulnerability caused by incorrect implementations in application code is still present,
although good practices already exist that, if applied, prevent or mitigate the SQL Injection threat.

Introduction

First of all, what is the definition of SQL Injection? As described on
Wikipedia, this would be the classic definition:

SQL Injection is a type of security threat that takes advantage of failures in systems that interact with databases through
SQL commands, where the attacker is able to insert an improper custom SQL statement inside a query (SQL query) through data entry
points of an application, such as forms or an application URL.

According to this link (https://www.esecurityplanet.com/networks/how-was-sql-injection-discovered/), the first case of SQL Injection was investigated in 1998. So, at the date of this article, we are talking about a threat that has been known for 23 years. And in the next section, we will show that it is still present.

The threat is still present

Recently, a contributor to our DBA Team sent me the link below, with a ranking of the various vulnerabilities found in applications:

The Common Weakness Enumeration (CWE™) is a community dedicated to identifying
software and hardware vulnerabilities and helping to classify and
categorize them. In the work above, CWE used the following databases from the
National Vulnerability Database (NVD) of the National Institute of Standards and
Technology (NIST):

  • Common Vulnerabilities and Exposures (CVE®).
  • Common Vulnerability Scoring System (CVSS)

The SQL Injection threat, classified with the code CWE-89, appears in position
number 6. A 23-year-old problem still ranks in the top 10, alongside
more recent and modern “vulnerabilities”.

The subject is still explored by academia, as can be seen in recent articles:

R. Zuech, J. Hancock and T. M. Khoshgoftaar, “Detecting SQL Injection Web Attacks Using Ensemble Learners and Data Sampling,” 2021 IEEE International Conference on Cyber Security and Resilience (CSR), 2021, pp. 27-34, doi: 10.1109/CSR51186.2021.9527990.
Z. Marashdeh, K. Suwais and M. Alia, “A Survey on SQL Injection Attack: Detection and Challenges,” 2021 International Conference on Information Technology (ICIT), 2021, pp. 957-962, doi: 10.1109/ICIT52682.2021.9491117.
Max Maaß, Henning Pridöhl, Dominik Herrmann, and Matthias Hollick. 2021. Best Practices for Notification Studies for Security and Privacy Issues on the Internet. In The 16th International Conference on Availability, Reliability and Security (ARES 2021). Association for Computing Machinery, New York, NY, USA, Article 90, 1–10. DOI: https://doi.org/10.1145/3465481.3470081
Vivien Weinfurter, Amrei Sophia Kirmaier, Philipp Brune, and Bianca Bergande. 2021. Raising Awareness for IT Security in Higher Education – A Teaching Experiment on SQL Injection for Non-Computer Science Majors. Proceedings of the 26th ACM Conference on Innovation and Technology in Computer Science Education V. 2. Association for Computing Machinery, New York, NY, USA, 619–620. DOI: https://doi.org/10.1145/3456565.3460035

Preventive measures

SQLi was not initially regarded as a vulnerability. From a programming point of view, it is initially simpler to assemble an SQL statement by concatenating strings and variables than to use prepared statements.
I remember that, at one time, the PHP language was reputed to facilitate SQL Injection, perhaps because of its popularity. But this facility applies to any programming language.

When, a few years ago, we received the mission to develop a system in PHP with Oracle, I made a point of exploring this subject. Fortunately,
Oracle had released an ebook that demonstrated the correct way to program in order to mitigate SQLi.

The book is available at this link:

The example above, taken from the book, shows one of the side effects of using the more secure code: the developer
writes more. Writing dynamic SQL with several filter options makes the code denser,
but on the other hand safer.

Some newer languages like JavaScript, supported by Node.js, also offer alternatives to avoid SQLi. Oracle, for example, has developed an add-on for Node.js called node-oracledb that allows the execution of prepared statements with bind variables.

Obviously, the examples above demonstrate the use of lower-level code,
with explicit SQL statements and direct access to the database.

The action plan to mitigate SQLi can be proposed for two areas, as is described below.

Actions by the Development Area

  • Use “Prepared Statements” instead of SQL assembled by concatenating variables;
  • Handle form input fields: check data types, limit the size of input
    data, and parse and replace special characters, etc.;
  • Use an ORM (Object-Relational Mapper) framework such as Hibernate, Entity
    Framework, Sequelize, etc. Practically all of the most popular programming
    languages have an ORM framework available.
Note: The ORM facility can have a side effect that may cause some concern to the DBA: the emergence of giant SQL statements that burden the database. But if the code is available, there are optimization alternatives.
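As an added illustration of the first two items above (prepared statements and input handling), the following Python example is not code from the article or from the Oracle ebook it mentions; it uses the standard-library sqlite3 module with an in-memory database and constructed sample rows so it runs offline, but the same bind-variable idea applies to PHP with Oracle or to node-oracledb. The table name, columns, usernames and the character whitelist are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the article): a small users table in an
# in-memory SQLite database standing in for the production database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def find_user_concat(conn, username):
    # Vulnerable form: the input becomes part of the SQL text, so a quote
    # character in the input changes the structure of the statement.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_prepared(conn, username):
    # Prepared statement: the SQL text is fixed and contains a placeholder;
    # the value is bound separately and is never interpreted as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

MAX_USERNAME_LEN = 32  # assumed size limit for the example

def is_valid_username(value):
    # Input handling from the Development Area list: type check, length limit,
    # and a whitelist of allowed characters (assumed: letters, digits, . _ -).
    # Rejecting bad input is simpler to reason about than trying to "clean" it.
    if not isinstance(value, str):
        return False
    if not 1 <= len(value) <= MAX_USERNAME_LEN:
        return False
    return all(c.isalnum() or c in "._-" for c in value)

def find_user_defended(conn, username):
    # Both layers together: validate first, then bind. Validation alone is
    # not a substitute for binding, but it shrinks the attack surface.
    if not is_valid_username(username):
        raise ValueError("rejected username")
    return find_user_prepared(conn, username)

if __name__ == "__main__":
    conn = make_db()
    # Constructed input that closes the quote and appends an always-true test.
    hostile = "x' OR '1'='1"
    print("concatenated:", find_user_concat(conn, hostile))    # every row is returned
    print("prepared:    ", find_user_prepared(conn, hostile))  # no such user: []
    try:
        find_user_defended(conn, hostile)
    except ValueError as err:
        print("defended:    ", err)
```

Running the script shows the difference in one place: the concatenated query returns all three rows for the hostile input, the prepared statement returns an empty list because it looks for a user literally named `x' OR '1'='1`, and the defended version rejects the input before it reaches the database at all.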

Actions by the Infrastructure Area

  • Monitor the SQL code executed in the database and notify the Development
    Area about suspicious or costly SQL statements (a task performed by Polo
    IT through DBA CENTER!);
  • Use a WAF (Web Application Firewall). It does not necessarily detect an
    SQLi, but by analyzing the URLs submitted to the system it can
    identify malicious URLs that could potentially execute an SQLi.
  • Use a Database Firewall. This product, among other features, detects
    potential SQLi threats. There are several suppliers that cater to the
    most popular databases. Polo IT recommends using Oracle Database
    Firewall, which in addition to working with Oracle supports SQL Server, PostgreSQL,
    MySQL, DB2 and other products (
    https://www.oracle.com/pt/database/technologies/security/audit-vault-firewall.html).
  • Limit permissions on the tables of a system, especially on data
    dictionary tables as well as business-critical tables. This
    activity is joint work between the Development Area and the DBA.
    Many systems run their application user with DBA, SYSADMIN or
    similar privileges. If the hacker succeeds with an SQLi, the possibility of
    extracting information that could extend the attack radius is minimized
    by taking this approach.
  • Encrypt sensitive columns. Many databases have had their login and
    password information captured through SQLi while the password column held
    the text in its literal form. Obviously, a more technical hacker, on realizing that
    the data is encrypted, can search for the key to decrypt it, but
    depending on how this technique was implemented, that task will be much more
    difficult.
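To make the first item concrete (monitoring executed SQL and flagging suspicious or costly statements), here is an added Python example that is not part of the article or of any DBA CENTER or Oracle tooling. The log format, the sample log lines, the signature patterns and the slowness threshold are all constructed for the example; real audit logs and database firewalls use product-specific formats and far richer rule sets.

```python
import re

# Constructed sample of a database query log (format invented for this example).
SAMPLE_LOG = """\
2021-09-01T10:00:01 user=app_user elapsed_ms=3 sql=SELECT username, role FROM users WHERE username = ?
2021-09-01T10:00:02 user=app_user elapsed_ms=4 sql=SELECT username, role FROM users WHERE username = 'x' OR '1'='1'
2021-09-01T10:00:03 user=app_user elapsed_ms=5 sql=SELECT id, name FROM users WHERE id = 1 UNION SELECT owner, table_name FROM all_tables
2021-09-01T10:00:04 user=app_user elapsed_ms=8400 sql=SELECT o.*, c.* FROM orders o JOIN customers c ON o.cid = c.id
2021-09-01T10:00:05 user=app_user elapsed_ms=2 sql=SELECT 1 FROM dual
2021-09-01T10:00:06 user=app_user elapsed_ms=6 sql=SELECT * FROM users WHERE id = 7 -- ' AND active = 1
"""

# Heuristic signatures for statement shapes that should not appear in an
# application built on prepared statements. Each is a (label, regex) pair.
SUSPICIOUS_PATTERNS = [
    ("tautology", re.compile(r"'(\w+)'\s*=\s*'\1'", re.I)),          # 'a'='a' always-true test
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),  # result-set splicing
    ("inline-comment", re.compile(r"--|/\*")),                           # comment used to cut off the rest
    ("stacked-statement", re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT|ALTER)\b", re.I)),
]
SLOW_MS = 5000  # assumed threshold for a "costly" statement

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) elapsed_ms=(?P<ms>\d+) sql=(?P<sql>.*)$")

def parse_line(line):
    # Returns a dict for a well-formed log line, or None for anything else.
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "user": m["user"], "ms": int(m["ms"]), "sql": m["sql"]}

def classify(entry):
    # Collects every label whose signature matches, plus "costly" for slow SQL.
    tags = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(entry["sql"])]
    if entry["ms"] >= SLOW_MS:
        tags.append("costly")
    return tags

def scan_log(text):
    # Walks the log and returns (timestamp, tags, sql) for each flagged line,
    # which is what a DBA would forward to the Development Area.
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ts"], tags, entry["sql"]))
    return findings

if __name__ == "__main__":
    for ts, tags, sql in scan_log(SAMPLE_LOG):
        print(ts, ",".join(tags), "|", sql)
```

Of the six constructed lines, four are reported: the tautology, the UNION against the data dictionary, the 8.4-second join as "costly", and the trailing comment. These signatures are deliberately simple and will produce false positives on legitimate SQL (a hand-written `WHERE 'a'='a'`, a comment in a reporting query), so in practice such alerts are a trigger for review by the DBA, not an automatic block; blocking is the database firewall's job, and the least-privilege item below limits what a statement that slips through can reach.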

Conclusion

Dealing with possible SQLi situations is just one of the many security activities that the IT area needs to be concerned about, and at the present time, with the General Data Protection Law, this matter must be dealt with extreme care and attention. This article demonstrates that the problem is current, and that the effort to mitigate it is not restricted to the Development Area. Polo IT, as a company specialized in databases, is available to provide expert advice and to support organizations in becoming more secure.

Constantine Jacob Michael
Partner and technology manager at Polo IT
DBA and Database Teacher
Oracle Autonomous Database Cloud Specialist
Oracle Cloud Infrastructure Architect