
CST 233 INFORMATION SECURITY AND ASSURANCE

ASSIGNMENT 1 WHITEPAPER SQL INJECTION TECHNIQUE AND HOW TO PREVENT IT

PREPARED BY: MUHAMAD AMIRUL BIN MAT HUSSAIN 106711

LECTURER: DR AMAN JANTAN

2011/2012

1. Introduction
The web is the future for running an organization, doing business, or even for a person to share their life and interact with other people. From information about the services an organisation provides, to e-commerce and internet banking, from art galleries to restaurant menus and opening times, to the activities a person does every day, the web is becoming an essential part of our lives. Whether the site is the web presence of a large multinational organization, a gallery showing a product range and inviting potential customers into the shop, or a personal site exhibiting someone's holiday photos, web security matters. Web security should therefore be the greatest concern of the people who manage the site, the administrators. They should know how to secure their website against being hacked or attacked by an intruder. This white paper describes and outlines system intrusion through SQL Injection, one of the web attack techniques that is popular and has recently been used by hackers to gain access to websites. Using a real case study, this paper states the problems that arise when a website is attacked and gives recommendations and the best solutions for preventing this attack.

2. Background of SQL Injection

2.1 What is SQL Injection


According to Justin Clarke in his book SQL Injection Attack and Defense (2009), SQL Injection is the vulnerability that results when you give an attacker the ability to influence the Structured Query Language (SQL) queries that an application passes to a back-end database. By being able to influence what is passed to the database, the attacker can leverage the syntax and capabilities of SQL itself, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database. Earlier, in 2005, David Litchfield stated in his paper Data Mining with SQL Injection and Inference that an SQL Injection vulnerability is a type of security hole found in a multi-tiered application, where an attacker can trick a database server into running an arbitrary, unauthorized, unintended SQL query by piggybacking extra SQL elements on top of an existing, predefined query that was intended to be executed by the application. The application, which is generally, but not necessarily, a web application, accepts user input and embeds this input inside an SQL query. This query is sent to the application's database server, where it is executed. By providing certain malformed input, an attacker can manipulate the SQL query in such a way that its execution will have unintended consequences.

2.2 History of SQL Injection


The history of SQL Injection began on Christmas Day in 1998, when Rain Forest Puppy wrote the article "NT Web Technology Vulnerabilities" for Phrack 54. It was the first time the term SQL Injection was announced to the public. On February 4th, 1999, Allaire released an advisory called "Multiple SQL Statements in Dynamic Queries". Three months later, Rain Forest Puppy and Matthew Astley released an advisory titled "NT ODBC Remote Compromise". On February 3rd, 2000, Rain Forest Puppy came out with "How I hacked Packetstorm - A look at hacking wwwthreads via SQL". Then, in September 2000, another researcher, David Litchfield, came out with his book Application Assessments on IIS. Since then, many researchers working in this field have published books and white papers on this technique, and the work continues today.

3. Investigation on Real Case Study


3.1. Problem
Real case study: On February 26th 2012, the website of the Australian miner Lynas Corporation (www.lynascorp.com) was hacked. The intrusion took the form of web vandalism, also known as web defacement. Web defacement is the unauthorized change to the appearance of a web page or entire site. It can involve taking a page completely down and replacing it with something new, or injecting code to add images, popups, or text to a website that were not present before. This definition was given by S.E Smith on the website www.wisegeek.com. The defacement was done via the SQL Injection technique explained earlier in this paper. The website was down from Sunday morning, February 26th, around 10 a.m., until Tuesday morning. The Australian breaking news website www.WAtoday.com.au reported that at 7.30 p.m. the Lynas website was still down, with a message from the company advising "We are currently experiencing some technical difficulties at the moment." (as shown in the pictures below). The pictures below also show the site before and after it was defaced.

Figure 1: The normal and current Lynas website

Figure 2: The Lynas website after being hacked and defaced

Figure 3: Lynas Corporation website on Monday afternoon

3.2. Motive and the reason
The motive and the reason why the Lynas website was hacked and defaced with that kind of message is most probably a show of opposition to the nearly complete rare earths processing plant being built at Gebeng Industrial Estate, Kuantan, Pahang. This assumption is based on the message displayed on the Lynas website while it was defaced, which clearly stated "Stop Lynas, Save Malaysia". As we know, in the last month the Lynas issue was a hot topic, talked about by Malaysian citizens all over the nation, both on the government side, which agreed with the construction of this processing plant, and on the side of the government opposition, which disagreed with this plan. In order to try to stop this plant from being built in Malaysia, the opposition side held a big gathering called Green Gathering 2.0 on February 26th last month. This gathering can also serve as supporting evidence that this is the reason the Lynas website was hacked, because the gathering was held and the website was brought down on the same day and at the same time.

3.3. The Person behind the attack
The hacker who brought down the Lynas website and took credit for the attack goes by the name 4z1 and claims to be a Malaysian citizen, as in his message on the Lynas website, "do not hurt my country". Although his real identity cannot be revealed, a rough search on the name 4z1 turns up some information about him. Based on the information stated in his personal blog, we can assume he is the person responsible for attacking the Lynas website. From the information we could collect, the person is a Chinese guy and a member of the evilshadow team, which is part of the HackXL96 hacking group. In addition, in his personal blog on February 25th 2012, he wrote about his feelings of opposition towards the government and the Lynas issue. All of this information is very useful, especially to a digital forensics team trying to catch the hacker.

3.4. How was the attack done?
This web defacement was done through an SQL Injection attack. As explained before, this type of attack takes advantage of improper coding of web applications that allows a hacker to inject SQL commands, usually into a login or other submitted form, to gain access to the data held within the database. In other words, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly. In this case too, the hacker could use the input form in the contact section on the main page of the website. If we access this website, we can see input fields such as name, phone, email and other text fields that a guest can fill in and submit to the system. This is how the hacker can use SQL Injection: as long as a guest or user can fill in the form and submit it, the database can be compromised. This happens because submitting the form communicates directly with the database query in order to store the new data entered in the form. Therefore, through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the form barrier and seeing all the information behind it.

Usually, firewalls and similar intrusion detection mechanisms provide little or no defense against full-scale SQL Injection web attacks. Since this website needs to be public, security mechanisms will allow public web traffic to communicate with the web application (generally over port 80/443). The web application has open access to the database in order to return (update) the requested (changed) information. Therefore, with the SQL Injection technique, the hacker uses SQL queries and creativity to reach the database through the web application.

4. Solution and Recommendation


One of the best ways to provide security is to understand the weaknesses prevalent in today's Web-connected systems. However, ignorance has become the biggest restraint when it comes to securing these systems, whether it is ignorance on the part of the security professional who just deploys vendor-recommended patches and solutions or ignorance on the part of the end user, who simply does not understand how security threats impact operations.

Therefore, for websites attacked through SQL Injection, the first recommended solution is a defense in the application, which concerns the SQL database itself. There are quite a few approaches that can be used to prevent this attack, and one of them is to filter the input passed to the SQL database. The administrators of the web system can employ a filter that prevents characters like single or double quotes, backslashes, colons and so on from being passed from the web form to the SQL server. Besides that, by allowing only numeric values that are integers to be passed to the SQL server, for example by using the ISNumeric command to validate the input, the admin can also protect the system from SQL Injection attacks.
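The application-level defense described above, as an added example that is not part of the original paper: a constructed contact-form table in SQLite, with the character filter and integer check (standing in for ISNumeric) next to a bound-parameter insert, which goes beyond the filtering the paper names. The table, function names and sample input are assumptions made for illustration.

```python
import re
import sqlite3

# Characters the filter described above refuses (quotes, backslash, colon, semicolon).
BLOCKED = re.compile(r"""['"\\:;]""")

def new_db():
    # Constructed schema standing in for a contact form's table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contact (name TEXT, phone INTEGER)")
    return db

def validate(name, phone):
    """Input filter: refuse blocked characters, accept the phone only as an integer."""
    if BLOCKED.search(name):
        raise ValueError("name contains a blocked character")
    if not re.fullmatch(r"[0-9]{1,15}", phone):
        raise ValueError("phone must be an integer")
    return name, int(phone)

def save_concatenated(db, name, phone):
    # 'Before' form: form input is pasted into the SQL text itself.
    db.execute("INSERT INTO contact VALUES ('%s', %s)" % (name, phone))

def save_bound(db, name, phone):
    # Hardened form: fixed statement, values passed separately as parameters.
    db.execute("INSERT INTO contact VALUES (?, ?)", (name, phone))

def demo():
    name, phone = "O'Brien", "60123456789"  # constructed, legitimate input
    db, results = new_db(), {}
    try:
        save_concatenated(db, name, phone)
        results["concatenated"] = "stored"
    except sqlite3.Error:
        results["concatenated"] = "sql error"  # the quote changed the statement
    try:
        validate(name, phone)
        results["filter"] = "accepted"
    except ValueError:
        results["filter"] = "rejected"  # the filter also turns away a real surname
    save_bound(db, name, int(phone))
    results["stored"] = db.execute("SELECT name, phone FROM contact").fetchall()
    return results

if __name__ == "__main__":
    print(demo())
```

The character filter turns away the legitimate surname O'Brien, while the bound insert stores it unchanged, so filtering works best as a supplement to binding rather than a replacement for it.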

Secondly, the administrator of the system can defend against SQL Injection attacks in the network. In certain situations, an application cannot be updated to handle user-supplied data in a secure manner. In this case, the administrator or developer can add security to the existing application with network security technologies such as Intrusion Prevention Systems and Web Application Firewalls. With an Intrusion Prevention System (IPS), it may be possible to detect and prevent SQL Injection attacks, but to be effective it must have visibility into the application's traffic.

Therefore, the Cisco Intrusion Prevention System is recommended for administrators, because it currently has some signatures that may indicate the presence of an SQL Injection attack.

A Web Application Firewall (WAF) is another option that the administrator of the web system can choose to enhance its security and protect it from SQL Injection attacks. A Web Application Firewall is a network device that seeks to filter traffic destined for a web application at layer seven of the OSI model. It has the ability to detect and filter many types of malicious application traffic, including SQL Injection attacks. A further advantage of this device is that it can terminate the encrypted HTTPS session to allow inspection of HTTPS application traffic.
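A sketch of the layer-seven signature matching described above, as an added example that is not part of the original paper and is not Cisco's or any vendor's rule set: it URL-decodes each request parameter before matching, since a signature applied to the raw encoded line would miss `%27`. The signature list, function names and request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed signatures for illustration; production rule sets are far larger.
SIGNATURES = [
    ("quote-then-boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("stacked-statement", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
]

def inspect(request_line):
    """Return [(parameter, signature)] hits for one 'GET /path?query HTTP/1.1' line."""
    _method, target, _version = request_line.split(" ", 2)
    hits = []
    # parse_qsl URL-decodes names and values, so %27 is matched as a quote.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((key, name))
    return hits

# Constructed request lines, not taken from any real log.
SAMPLES = [
    "GET /contact?name=Aminah&phone=60123456789 HTTP/1.1",
    "GET /contact?name=x%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /news?id=1%20UNION%20SELECT%20a%2Cb%20FROM%20t HTTP/1.1",
    "GET /contact?name=O%27Brien HTTP/1.1",
]

def scan(lines):
    # Map each request line to its list of signature hits.
    return {line: inspect(line) for line in lines}

if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        print(hits or "clean", "<-", line)
```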

Lastly, in addition to the approaches above, the administrators or developers of the web system should themselves learn more about how to secure it and keep making an effort to gain more knowledge in the security field, so that they can easily find the fault in their system if it has been hacked and, importantly, respond immediately to stop the problem and get back on their feet as usual.


5. Conclusion
In conclusion, this paper has described and explained the SQL Injection attack, the technique most commonly used by hackers to gain access to a website and then use it as a first step to launch an intrusion attack on a web system. In this paper, one such intrusion attack, web defacement, has been studied and discussed in depth through the real case of the Lynas Corporation official website, which was attacked in February 2012. The problems that arise when this intrusion attack occurs have also been stated, and the paper has finally presented solutions that the administrator or developer of a web system can use to prevent their systems from being attacked with the SQL Injection technique.


References
1. Justin Clarke, 2009. SQL Injection Attack and Defense, Syngress, Boston.
2. David Litchfield, 2005. Data Mining with SQL Injection and Inference, NGSSoftware Insight Security Research (NISR) Publication.
3. Rania Spooner. February 27. Australian Miner Hacked. Available at: http://www.smh.com.au/wa-news/australian-miner-hacked-20120227-1tyn0.html
4. S.E Smith and Shereen Skola, August 16. What is a Website Defacement? Available at: http://www.wisegeek.com/what-is-a-website-defacement.htm
5. Test Center, CRN, September 4. 4 Tips for Stopping SQL Injection Attacks. Available at: http://www.crn.com/news/security/201803974/4-tips-for-stopping-sql-injection-attacks.htm?pgno=1
6. Tim Sammut, Cisco Security Intelligence Operations. Understanding SQL Injection. Available at: http://www.cisco.com/web/about/security/intelligence/sql_injection.html
