Explorative Study of SQL Injection Attacks and Mechanisms to Secure Web Application Database-A Review

The increasing innovations in web development technologies direct the augmentation of user friendly web applications. With activities like online banking, shopping, booking, trading etc. these applications have become an integral part of everyone’s daily routine. The profit driven online business industry has also acknowledged this growth because a thriving application provides the global platform to an organization. Database of web application is the most valuable asset which stores sensitive information of an individual and of an organization. SQLIA is the topmost threat as it targets the database on web application. It allows the attacker to gain control over the application ensuing financial fraud, leak of confidential data and even deleting the database. The exhaustive survey of SQL injection attacks presented in this paper is based on empirical analysis. This comprises the deployment of injection mechanism for each attack with respective types on various websites, dummy databases and web applications. The paramount security mechanism for web application database is also discussed to mitigate SQL injection attacks. Keywords—Injection Attacks; SQL vulnerabilities; Web Application Attacks


INTRODUCTION
Rapid advancement in web technologies has expedited the rate of adoption of database driven web application.The backend database servers of these web applications accumulate some general data along with critical & sensitive information about organizations and clients [40].As the database is accessible from anywhere over internet makes it prone to attacks.The most hazardous attacks against database driven web applications are -SQL injection attacks [48].These attacks are very serious threat to any web application that receives inputs from user and incorporate it in to SQL queries to an underlying database [10] [38].Although web application keeps the user's data secure for making any online exchange of information but presence of vulnerabilities makes this attack feasible.SQLIA are mostly caused by the insufficient validation of user input.
An attacker can submit a query (utilizing SQL command) directly to the database which can extract categorical information depending upon the severity of vulnerability.Database is the main asset of any web application to which attackers are keenly fascinated.SQL injection is very lucrative for attackers as there is a successful black market that deal all scarcely digitally purloined data like credit card information, bank accounts detail and social security numbers etc. [21].
With a little knowledge of SQL commands and ingenious conjecture work to crucial table name SQL injection attacks can be launched.These commands alter the desired output of queries to break in to database.Injection attacks were ranked 1st attack in 2013 by OWASP (Open Web Application Security projects) in TOP ten attacks and found that 80% of web applications are Vulnerably susceptible to SQL injection attacks [14] [33][47].Before moving further, one must go through some fundamental definition for better understanding of the SQL injection attacks on web application and its underlying database [49].
Vulnerability: Vulnerabilities are the impuissance, loopholes, bugs or fault/imperfection in the subsisting system.
Attack: An attack is an illicit access i.e. a method to exploit vulnerabilities.
Threat: a series of events that utilizes the system in an unauthorized way compromising the principles of information security i.e. confidentiality, integrity and availability of the system.
Risk: Impact of the threat.Albeit many researchers and practitioners have done the survey on SQL injection attacks against database but a detailed survey is done to elaborate the other aspects of attacks against database.In this paper an endeavour is done to provide the taxonomy of SQL Injection Attacks against database of a web application.This repository is the relegation scheme of attacks which includes-Research papers, white papers, technical reports and web sites.It can become a vital auxiliary in designing the security for web application and its underlying database.
The rest of paper is organized as follows: Section 2 describes the architecture of web application.Section 3 covers SQL injection attacks preview.Section 4 explains SQL injection classification and section 5 have explorative study of SQLIA.Findings of the study are described in Section 6.Section 7 briefs the security mechanisms.Finally section 8 concludes the paper.www.ijacsa.thesai.org

II. ARCHITECTURE OF WEB APPLICATION
For the better understanding of SQLIA one must have the cognizance of web application architecture.Web applications are a set of web pages and programs which reside on a web server [17].The inputs provided by the user are sent to the server in the form of parameter string.These inputs are used to engender SQL query to retrieve information from the database.An authorized user can access it over the cyber world or over a public network and store the data in the database.A web application utilizes a web browser as an interface to extract the data from database server to accommodate the queries placed by the users [11][48].Every web application is predicated on 3 -tier architecture consisting of three layers [48] .Each layer can run potentially on a different machine and each layer should be independent of other layers.The three layers are Presentation Layer: Presentation layer contains presentation logic.It is the top most level of application and handles the interactions with users.Its main function is to receive input from the user and provide the result in a convenient way that user can facilely understand.

Business Layer:
This layer is present in between presentation layer and database layer.It is a logic layer which consists of a set of rules for processing the information between two layers.It contains application process commands which retrieves the data from database and sends to presentation layer for viewing the data.This tier can be programmed in any server scripting language like JSP, PHP, and ASP etc.
Database Layer: This is a physical storage layer for data persistence.It manages all access to database and file system.Information is stored and retrieved from database .It is then passed back to the presentation layer for processing and eventually back to the user.The main function of this layer is to provide access to authorized user and restrict the maleficent user.
Working principle of architecture: The presentation layer receives the request from web browser, processes it and then passes the dynamic part to the business layer which processes server scripting languages.All requests for database access are passed to the database server.The result is then dispatched to web browser as web pages.This architecture is easy to maintain and all the components are reusable.For the faster and smooth functioning, all the layers are governed and managed by different groups of experts.Web designer looks after the presentation layer.Software engineer does the logic and database administrator manages the database servers.

III. SQL INJECTION ATTACK-PREVIEW
The focus on implementing the functionality rather than security from internal and external environment causes the susceptibilities in web applications.These are described as most solemn threat for web application as it may allow attacker to gain access to the web application and its underlying database.The potential of attacker perforates the system to extract sensitive information.Exploitation of loopholes in the design breaches the fundamental principles of information security i.e. confidentiality, Integrity, authenticity and availability of information [39][50].Information stolen is loss of confidentiality.Loss of integrity takes place when data is modified in an unexpected manner.The Denial of service takes place when information is expunged for genuine user.Loss of authenticity means when information is accessed by unauthorized user.These attacks are application level attacks which are not obviated by firewalls [35][36][46].It is hard to detect SQL injection prior to its impact.In most of the cases the unauthorized activity is performed through a valid user credentials for accessing the critical section of database of web application.The database servers are convinced that injected code is syntactically as valid as a SQL code.The inputs provided by the user form the dynamic SQL query to access the backend database.If these inputs are not opportunely sanitized, they can cause the web application to generate unintended outputs.The basic underlying fact is that SQL injection attacks are very easy to execute without any professional training.
Consider the following SQL statement.
SELECT Emp_info from Employee where E_name='abcd' AND E_id = ‗12345'; The above query will provide the information about a particular desired employee for supplied input values but a SQL expression with injection will deport differently because the logic of the query is transmuted by the attackers, as SELECT Emp_info from Employee where E_name='abcd' AND E_id = ‗12345' OR ‗1'='1'; Because of an injection statement (OR ‗1 =1') the list of all the employees from the table in lieu of a desired output exposes the whole database.Such types of susceptibilities form the attacks [11].Example expounded above is a very fundamental injection attack.The professional attacker uses very logical and resourceful keywords to extract the data from database servers.

IV. ORGANIZATION OF SQL INJECTION ATTACKS
The objective of SQL Injection Attack (SQLIA) is to penetrate the database system into running inimical code that can reveal confidential information.This is done by injecting the SQL queries and expressions as an input string to gain an unauthorized access.SQL injection is a threat that leads to a high level of compromise -conventionally the ability to run any database query.It is web-predicated application level attacks that connects to backend database and bypass the firewall.The advantage of insecure code and deplorable input validation is clinched by the attacker to execute unauthorized SQL commands.On the substratum of attacks against the SQL Injection attacks against web application databases can be divided in four sections as follows:

1) Code Injection 2) SQL Manipulation 3) Function Call Injection 4) Buffer Overflows
Code injection is when an attacker inserts new database commands or SQL statements into user's statement.The manipulation involves modifying the SQL statement through set operations or altering the WHERE clause to return a different result.When attacker injects a customized function or already existing function into a SQL statement, that type of injection is known as function call injection.These are used to manipulate data in the database.Buffer overflows is a subset of function call injection.In several commercial applications vulnerabilities exist in database functions that may result in a buffer overflow.

a) Code Injection
In code injection, attacker attempt to add additional SQL statement or commands to the existing SQL statements.

SELECT Emp_salary FROM Employee WHERE E_name='kushagra' and E_id='abc123';
Output A salary statement of desired employee is extracted from the database.

Injection query
SELECT Emp_salary FROM Employee WHERE E_name='kushagra' and E_id='abc123'; DELETE FROM Employee WHERE username = 'kushagra'; The above query uses the stored procedure command which is inserted between original query and injected query so that the both queries executes in a single run as a single query.

Output
Information about desired employee is deleted from the database due to additional command.Based on operator precedence, the clause WHERE is true for every entry and (------) regarded as comment consequently ignored by server granting access to attacker.

Output
Information about all users is received without authorization.
It can also extract information about all the users using union query.
SELECT * FROM Employee WHERE username like '%kushagra'; UNION SELECT username FROM users WHERE username like '%'; c) Function call injection Function call injection is the insertion of functions which executes with a SQL statement.Functions which are marked as -PRAGMA TRANSACTION‖ are executed as part of a SQL SELECT statement.Using INSERT, UPDATE, or DELETE in SQL statement attacker is able to modify data in the database.By using custom functions an attacker can send information to a remote computer or execute other attacks on the database server.

Example:
A custom application has the function NEWUSER in the custom package MYAPP.The developer marked the function as -PRAGMA TRANSACTION‖, since it is marked -PRAGMA TRANSACTION‖, it can write to the database even in a SELECT statement

d) Buffer Overflow
When the process of writing data to buffer overruns the boundary of buffer and overwrites adjacent memory then an abnormality is recorded known as Buffer overflow.These injection attacks are triggered either by variations in inputs or by amending the method of program operation.The standard database functions which can be exploited through a SQL

SQL Manipulation
Buffer Overflow Functional Call www.ijacsa.thesai.orginjection are tz_offset, to_timestamp_tz, and bfilename.A buffer overflow attack is executed using the function injection methods.The very effective buffer overflow attack is denial of service [44] [52].
Example: The web process gets hanged until connection to the client is terminated.

V. EXPLORATIVE STUDY OF SQLIA
In this section the above briefed attacks are discussed in detailed with their code injecting mechanism, types and subtypes with appropriate SQL statements and queries.

A. Code Injection
Injection Mechanism: The attacker attempts to manipulate the SQL statement by injecting additional code, operator sub query in to original query.
The code injection attacks can be further divided in to four types.Above query would give errors that indicate that there is mismatch in the number of columns and their data type in the union of Objects table and the columns that are specified using ALL.The error is caused by the injected string.Another error is because the number of columns is not matching.This information is enough to penetrate the database of any web application [40] [43].

c) Additional where queries:
The attacker can also extract the information from the message displayed by the database while using an additional WHERE clause with the input string.
Example: The result of above query will provide the result to find the name of all employees working in department no 23.If the query is executed then the result is displayed otherwise there will be an error message like -subselect returned too many rows‖.Attacker can go through all the record using NOT operator.This attack is possible where users are allowed to edit user information [7]  In this type of SQLIA, an attacker exploits an injectable field that is used in a query.The query always returns result upon evaluation of a WHERE conditional parameter.The aim of this attack is to inject malicious codes into one or more conditional statements which are always evaluated to be true.All the rows in the database table targeted by the injected query returns the conditional WHERE into a tautology.
Example: It allows an attacker to log on to application without supplying a valid user name.The attacker submits ‗Abcd' OR ‗1'='1'/'A'='A' in login field and ‗-----‗in password or pin field.
The resulting query is: SELECT Emp_id FROM Department WHERE Login='Abcd' OR ‗A'='A' AND pass=‗-------‗; As the condition (OR A=A) is always true and ----is used for comments, it converts the entire WHERE clause into a tautology [38][40] [45].b) Inference: when the attacker tries extracting information from not enough secured backend database via error messages then inference injection is executed.A different method must be used by the attacker to get the response from the database since database error messages are not available without executing a query or statement .The error messages displayed by database may become useful tools for attacker to plan an attack.In this situation, the attacker injects commands and then observes the change i n function/response of application.By carefully observing the behaviour of application vulnerable parameters can be extrapolated by attacker with added information about the database.
Example: SELECT Employee from Bankers where E_number=' $%^&*!@#'and E_id ='AZ+=79%': The input provided in query is incorrect & results in an error message.The displayed error message should be like -Microsoft OLEDB provider for SQL Server (0x80040E07) error converting nvarchar value ‗E_number' to column of data type int‖.
The Information about version and schema of backend database and is reveled to attacker to plan further Inference attacks [10][40] [43].

c) Basic union queries:
This type of attack is also called statement injection attack.The attacker tricks the database server to return data that which is not intended by the authentic user.The vulnerable parameters are exploited with the help of keyword UNION, which is used to join original query and an injected query.The attacker controls the injected query completely, to retrieve information from database.The output of this attack causes the database return values which is union of two queries Example: SELECT Basic_info from Employee where user E_name='xyz' and E_id='------‗; UNION SELECT Salary _info from Employee where Emp_id= ‗1234'; The first part of the query gives null values but second part of the query returns the information of employee having id 1234 [10] [16] [40][51].

d) piggy-backed queries:
In this category the attacker's aim is not to modify the query.The addition of distinct queries with the valid query is desirable.When database receives multiple queries, shows extremely harmful results like deletion or removal of information with a harming intention.
Example: SELECT Basic_info from Employee where user E_name='xyz' and E_id='1234'; DROP table Employee; Here two queries are separated by delimiter (;).So both the queries get executed.After execution of first query the database proceeds for the injected second query.When second query executes, it will drop table ‗Employee', from database which results in potential damage to important information.In the similar manner there are various other types of queries like inserting new employees to table etc. [10][40] [45].

C. Function Call Injections
Injection Mechanism: The attacker attempts to manipulate the SQL statement by inserting database functions or custom functions into a vulnerable SQL statement [43][53].This type of injection attack has two types role function and system stored procedure If the application still returns some document i.e. it is susceptible to SQL injection attack and attacker can plan the attack accordingly [7][47].a) Stored system procedures: In this type the in-built stored procedures are attacked by attacker using malicious sql injection codes.Every database uses the stored procedures.The knowledge of running backend server allows the attacker to penetrate the system using the stored procedures.This attack is like Piggy Backed queries attack in which stored procedure command is inserted inbetween original query.The both queries execute as one.
Example: SELECT Emp_ Salary from Employee where username='abcd'; SHUTDOWN; and password='12345'; In above query SHUTDOWN is a stored procedure which causes shutdown the database.The admittance to system store procedures depends on the access privileges to user by the application [10][40][51].

D. Buffer Overflow
Injection Mechanism: The attacker attempts to manipulate the SQL statement by using database functions which are susceptible to buffer overflows.In several databases some database functions are vulnerable to buffer overflows that can be exploited through a SQL injection attack.A very efficacious denial of service attack hangs the process until the connection is terminated with the above said attack [44][52] [53].
During the preparation of this repository some other methods are encountered.These methods do not fit under any attack schema but can be used to inject malevolent code in to user's code for executing SQL injection attacks.The methods are explained as under [17][35][36][46][48] [52].a) Sophisticated Matches: One of the prevalent signatures utilized by such mechanisms is some remotely variant on the famous OR' 1'='1'attacks.Sophisticated matches technique uses alternative expression of OR' 1'='1'.For example: OR 'Unusual' = 'Unusual', OR 'Simple' ='Sim'+'ple', OR 2 > 1 and OR 'Simple' BETWEEN 'R' AND 'T' all have the same effect as OR' 1'='1'.
b) Hex Encoding: Hex encoding technique uses hexadecimal encoding to represent a string.For example, the string 'SELECT' can be represented by the hexadecimal number 0x73656c656374, which most likely will not be detected by a signature protection mechanism.c) Char Encoding: Char encoding technique uses buildin CHAR function to represent a character.For example, the string 'SELECT' can be represented by the CHAR function as char (73)+char (65) +‖LECT‖, which make it very arduous for detection system to build a signature that match it.d) In-line Comment: In-line comment technique obscures input strings by inserting in-line comments between SQL keywords.For instance, /**/UNION/**/SELECT/**/name designation can elude detection from signatures that expects white space between SQL keywords.e) Dropping White Space: Dropping white space technique obscures input strings by dropping white space between SQL5 keyword and string or number literals.For example, OR 'Simple'='Simple' works precisely the same way as OR 'Simple' = ' Simple', but has no spaces in it, make it capable of eschewing any spaces predicated signature.
f) Break Words in the Middle: With MySQL, the in-line comments would not work as supersession for a space.The inline comments can be utilized in MySQL to break words in the middle, for Instance: UN/**/ION/**/ SE/**/LECT/**/ is evaluated as UNION SELECT.

VI. FINDINGS OF STUDY
The study of the SQL injection attacks (SQLIA) against database centric web application concludes that these attacks possess the great threat.Unfiltered user inputs invite these attacks.Bypass the authentication process sanctions the attacker to postulate all privileges associated with genuine user.The Retrieval of personal and sensitive information is highly desirable by the attackers.Mostly SQL injection attacks are done to steal the sensitive information.By knowing the version and type of the database utilized by the user makes it facile for the attacker to craft a query.Sometimes the goal of attacker is to integrate the information in a database to mark one's identity; if it is done for enjoyment then no harm is caused but an attacker with destructive intention can delete the whole database.By remote command execution attacker can even

VII. SECURITY MECHANISMS
When good programming habits and eschewing methods are not sufficient for the avoidance of SQL injection attacks then some manual and automated security mechanisms are applied for the protection of web application database.These are very inimical attacks which target the most valuable assets of web application.The consequences of SQL injection attacks range from modification in data to denial of data.Researchers have proposed several techniques to contravene SQL-injection attacks which include -Code review, Defensive programming, Software hardening techniques, and Hardware extensions feature in modern processors, Attack detection and containment mechanisms and many more.These approaches are not sufficient to counter the problem of SQL injection attacks.Some security mechanisms are suggested to faceoff SQL injection attacks.

A. Detection and Prevention tool
When the techniques like defensive coding & operating system hardening [13] are not enough to stop SQLIA, some tools are required for detection and prevention of web application and its underlying database.Prevention designates to evade unauthorized user (attacker) from accessing any component of system or data.Prevention tools [26][30] [34] are runtime analysis for checking susceptibilities by placing a validation checker between web server and database server.It additionally averts the attacks that capitalize on type mismatch, sanitization of inputs and input sources withal [20] [22].Detection determines whether someone has attempted to break into your system, if yes, then up to what extent of damage may have been done.Detection tools are implemented in two approaches [18][31][37] -Static technique and Dynamic technique.Static technique [33] is applied directly without running the code, it includes approaches [6][27] [28] like -Pattern Matching, Lexical Analysis and Parsing (includes type qualifier, dataflow analysis, taint analysis and model checking).Whereas dynamic techniques [33] include approaches like-Fault injection, Fuzzy testing, Dynamic taint & Sanitization of inputs [5].Most of the approaches [31] are not implemented yet as a tool.So the scope of developing prevention tool, detection tool or the combination of both prevention and detection tool is on the cards for the researchers.

B. Instruction Set Randomization
A technique to counter SQL-injection attack, is instruction set randomization (ISR) [1][4] [12][46].The fundamental idea behind this approach is that attacker doesn't know the language spoken by the runtime environment on which an application runs, so a SQL-injection attack will ultimately fail because the foreign code, however injected, is written in a different language.An ISR to SQL injection is straightforward approach.It randomizes both the underlying runtime environment the SQL parser and the SQL program (the template that the Web application uses).A simple approach for randomizing the SQL grammar consists of appending a random numeric tag (the randomization key) to each statement and operator in SQL .This can be an efficacious way of ceasing injection attacks, but it typically requires extensive modifications to the runtime environment.

C. Intrusion Detection System and Proxy Server
Most of the SQL injection attacks are application level attacks.A model can be built to filter the SQL queries which work as security layer between database server and web server to filter the queries at run time [9][12][19] [24].Similarly a Proxy filter can be developed to intercept the HTTP request and enforce input validation so that malevolent SQL expression would be averted to send to database server [15][23] [29].Many models have been proposed by researches based on different approaches like machine learning, intended structure of SQL verbalizations, data flow analysis, identification of critical points and many more but are not sufficient to avert SQL injection attacks [29][31].So an incipient hybrid model can be proposed which may be the combination of several approaches to counter injection attacks.

D. Threat Model
Threat modeling [2][3][8] [13] is a procedure for optimizing Security by identifying objective, susceptibilities and then defining countermeasure to avert the effects of threat to the www.ijacsa.thesai.orgsystem [19].The threat modeling process customarily involves identifying information sources to be bulwarked, ingression points or access points to the system's assets, analyzing the threats, evaluating the associated risks and developing mitigation strategies [25].There are three different approaches of threat modeling -Asset centric (Find risks associated and rank the risks), Attacker centric (Find level of harm, Evaluating damage potential and risk rating) and Software centric (Decomposes the application to identify the threats and then mitigate the threats).Many more threat models [41][42] or a hybrid model (amalgamation of two or more models) can be proposed to filter the susceptibilities and malevolent SQL verbal expressions from different input sources and mitigate the attacks.

VIII. CONCLUSION
In this paper the detailed analysis is presented on various types of SQL injection attacks with related vulnerabilities and injection mechanisms.SQL Injection is a common technique that attackers employ on web based data centric applications.These attacks modify the SQL queries in a manner to alter the behaviour of application.This paper also provides the taxonomy of mechanisms for avoidance, prevention and detection from these attacks.In future work, a Threat model will be proposed as a security mechanism for securing database of web applications.

Fig. 3 .
Fig. 3. Types of code Injection attacks a) Like queries: Like query is used to compare a value to similar values using wildcard operators.Bascically two wildcards are used i) % represents zero,one or multiple characters ii) underscore ( _ ) represents a single number or character.The attacker manipulate the SQL statement using these wildcards.A Denial of Service attack can be launched with a few changes in a LIKE query by overloading the database [7][44][51].Example: SELECT Employement_No FROM Employee WHERE E_Name LIKE ‗A%'; It provides the list of all employees starting with name A or having name an alphabet A b) Column Mismatch: This particular attack occurs when there are errors like mismatch operand type or -Queries containing a UNION operator must have same number of

Fig. 4 .
Fig.4.Types of SQL manipulation a) Tautology: In this type of SQLIA, an attacker exploits an injectable field that is used in a query.The query always returns result upon evaluation of a WHERE conditional parameter.The aim of this attack is to inject malicious codes into one or more conditional statements which are always evaluated to be true.All the rows in the database table targeted by the injected query returns the conditional WHERE into a tautology.Example:It allows an attacker to log on to application without supplying a valid user name.The attacker submits FName, LName from Employees WHERE City= ‗Delhi' AND Country='India'; This query will provide first name and last of all the employees working in a particular city & country.The modified query with injected additional WHERE clause will be SELECT FName, LName from Employees WHERE City= ‗Nosuchcity' UNION ALL SELECT SomeField from SomeTable WHERE 1 = 1 AND Country = ‗USA'; Due to this insertion clause the detailed error message displayed by the database reveals the name of table and column name in error message-like Invalid column Name ‗Country' because ‗Table1' does not have a column called ‗Country'.It exposes the database with table name d) Insert subselect Queries:The insertion of a sub query into a query can also help the attacker to access all the records of the database [52].