Question


Database Security
a) Identify and briefly explain three main threats to database security

b) Give an example of SQL injection where an SQL SELECT statement has been manipulated to bypass authentication

Answer #1

Answer :

I have mentioned all the important threats; learn three of them and have a look at the rest.

A)Database Security Threats:

Excessive privileges

When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information. The solution to this problem is query-level access control. Query-level access control restricts privileges to minimum-required operations and data.

Privilege abuse

Users may abuse legitimate data access privileges for unauthorized purposes. The solution is access control policies that apply not only to what data is accessible, but how data is accessed. By enforcing policies for time of day, location, application client and volume of data retrieved, it is possible to identify users who are abusing access privileges.

Unauthorized privilege elevation

Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges.

Platform vulnerabilities

Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption. For example, the Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers. IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.

SQL injection

SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.

Denial of service

Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption.

Malware

Cybercriminals, state-sponsored hackers, and spies use advanced attacks that blend multiple tactics, such as spear phishing emails and malware, to penetrate organizations and steal sensitive data. Unaware that malware has infected their device, legitimate users become a conduit for these groups to access your networks and sensitive data.

Storage Media Exposure

Backup storage media is often completely unprotected from attack. As a result, numerous security breaches have involved the theft of database backup disks and tapes. Furthermore, failure to audit and monitor the activities of administrators who have low-level access to sensitive information can put your data at risk. Taking the appropriate measures to protect backup copies of sensitive data and monitor your most highly privileged users is not only a data security best practice, but also mandated by many regulations.

Weak authentication

Weak authentication schemes allow attackers to assume the identity of legitimate database users. Specific attack strategies include brute force attacks, social engineering, and so on. Implementation of passwords or two-factor authentication is a must. For scalability and ease-of-use, authentication mechanisms should be integrated with enterprise directory/user management infrastructures.

B)

Types of SQL Injection Attacks with Examples:

SQL injection attacks can be carried out in a number of ways. Attackers may observe a system’s behavior before selecting a particular attack vector/method.

Unsanitized Input

Unsanitized input is a common type of SQLi attack in which the attacker provides user input that isn’t properly sanitized for characters that should be escaped, and/or the input isn’t validated to be the type that is correct/expected.

For example, a website used to pay bills online might request the user’s account number in a web form and then send that to the database to pull up the associated account information. If the web application is building a SQL query string dynamically with the account number the user provided, it might look something like this:

            "SELECT * FROM customers WHERE account = '" + userProvidedAccountNumber + "';"

While this works for users who are properly entering their account number, it leaves the door open for attackers. For example, if someone decided to provide an account number of `' or '1' = '1`, that would result in a query string of:

            "SELECT * FROM customers WHERE account = '' or '1' = '1';"

Because '1' = '1' always evaluates to TRUE, sending this statement to the database will result in the data for all customers being returned instead of just a single customer.

Blind SQL Injection

Also referred to as Inferential SQL Injection, a Blind SQL injection attack doesn’t reveal data directly from the database being targeted. Rather, the attacker closely examines indirect clues in behavior. Details within HTTP responses, blank web pages for certain user input, and how long it takes the database to respond to certain user input are all things that can be clues depending on the goal of the attacker. They could also point to another SQLi attack avenue for the attacker to try.

Out-of-Band Injection

This attack is a bit more complex and may be used by an attacker when they cannot achieve their goal in a single, direct query-response attack. Typically, an attacker will craft SQL statements which, when presented to the database, will trigger the database system to create a connection to an external server the attacker controls. In this fashion, the attacker can harvest data or potentially control behavior of the database.

A Second Order Injection is a type of Out-of-Band Injection attack. In this case, the attacker will provide an SQL injection that will get stored and executed by a separate behavior of the database system. When the secondary system behavior occurs (it could be something like a time-based job or something triggered by other typical admin or user use of the database) and the attacker’s SQL injection is executed, that’s when the “reach out” to a system the attacker controls happens.

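The authentication-bypass pattern from part (b), placed next to the two defences the answer names (escaping/parameterization and type validation), as an added Python example that is not part of the original answer. It uses Python's built-in sqlite3 module with a constructed in-memory database; the table layout, the sample rows, the function names and the plaintext password column are assumptions made only to keep the demonstration short.

```python
import sqlite3

# Constructed sample data for the demonstration; not real accounts.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "battery staple")]
SAMPLE_ACCOUNTS = [("1001", "alice"), ("1002", "bob")]

def make_db():
    """Build an in-memory SQLite database with the constructed sample rows.

    Passwords are stored in clear text only to keep the example short;
    a real system stores a salted hash and compares against that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE customers (account TEXT, owner TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The flawed pattern: the SQL text is built by string concatenation.

    A quote character in the input ends the string literal, so the rest of
    the input is parsed as SQL. The password `' OR '1'='1` turns the WHERE
    clause into `... AND password = '' OR '1'='1'`, which is always true,
    and the first user row is returned: the check is bypassed.
    Returns the matched username, or None when no row matches.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "';")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """The fix: placeholders keep the SQL text fixed.

    The driver passes the values separately from the statement, so a quote
    inside the input is compared as data and never changes the query's
    structure. The same injected password simply fails to match.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def lookup_account_safe(conn, account_input):
    """Type validation plus a parameterized query for the bill-payment case.

    An account number is expected to be digits only, so anything else is
    rejected before it reaches the database (defence in depth on top of the
    placeholder). Returns the list of owners for the matching account.
    """
    if not account_input.isdigit():
        raise ValueError("account number must contain only digits")
    rows = conn.execute(
        "SELECT owner FROM customers WHERE account = ?", (account_input,)
    ).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"
    print("vulnerable, valid creds :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected    :", login_vulnerable(db, "nobody", injected))
    print("parameterized, valid    :", login_parameterized(db, "alice", "correct horse"))
    print("parameterized, injected :", login_parameterized(db, "nobody", injected))
    print("account lookup 1001     :", lookup_account_safe(db, "1001"))
    try:
        lookup_account_safe(db, injected)
    except ValueError as err:
        print("account lookup rejected :", err)
```

The point to take from running it is that the injected string is the same in both login functions; only the way the query is assembled differs. Escaping quotes by hand is error-prone across database dialects, whereas placeholders are handled by the driver, so parameterization is the primary control and input validation is the second layer.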