Tools That Susan The Hacker Could Have Used To Automated Her Attack. Case Study Example

Introduction:

The Structured Query Language (SQL) is a text based database manipulation language used when interacting with a database server. SQL commands such as CREATE, INSERT, UPDATE, RETRIEVE, and DELETE are used by programmers and database administrators to manipulate databases in database servers (EC-Council, 2010).
SQL injection refers to a technique used to take advantage of vulnerabilities introduced by non-validated input. These vulnerabilities allow attackers to insert SQL commands through the web application forms, and the commands are executed on a back-end database. Programmers use sequentially executed SQL commands with parameters supplied by the web client thus making it easy for potential attackers to inject/insert commands. Once access is gained, attackers can query the database server using random SQL queries inserted via a web application (EC-Council, 2010).
Steps taken by Susan in her attack on the E-shopping4u.com website.
The prerequisites for Susan’s attack were a computer with an Internet connection and a web browser installed. The case study also informs us that Susan had gone online and read about the vulnerabilities of the shopping site on an online forum.
The first step Susan took was to access the E-shopping4u.com website where she went to the login page which had a user registration input form. The next step was to check whether the site was vulnerable as stated in the forum. For this step, Susan might have checked for Object Linking and Embedding, Database (OLE DB) or SQL errors (depending on the database server used) by inserting a single quote (‘) in the user registration form inputs as username and password, and then trying to submit the data. Since the site was already vulnerable, an SQL error message was definitely displayed which is an indicator that the site was indeed vulnerable to SQL injection attacks. The final step taken by Susan was to insert her crafted SQL statement into the username and password sections of the login form which gave her access to the entire sites database.

There are several tools used to automate SQL injection attacks. Among the numerous tools, Susan could have used Sqlmap or Pangolin. Sqlmap is a penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities in database servers. The tool is open source and has a powerful detection engine. It also has a variety of top-class features for ultimate penetration testing with a variety of switches ranging that allow over fetching of data from databases, database fingerprinting, and even accessing the underlying file and operating systems which allows users to execute commands on the operating system remotely. The tool also supports all major database systems such as MySQL, Microsoft Access, Oracle, and Microsoft SQL Server among others (Sqlmap.org, 2015).
Pangolin is an SQL injection test tool usually used for ensuring database security but also exploits SQL injection vulnerabilities. The tool detects and informs the user/attacker on the SQL flaws in web applications. Once the tool detects these flaws on the target host/site, the user can execute a variety of extensive operations on the back-end database system which include database fingerprinting, retrieving DBMS user session data, user enumeration, database dumping and collect password hashes, user privileges and access the file system (NOSEC, 2015).
These two tools above are recommended due to their rich variety of features, ease of use, powerful execution engines, popularity, and compatibility with all major database systems.

Role played by different database systems in the SQL injection attack steps.

Different database systems react in different ways to SQL injection attacks. In this regard, prior knowledge on the type of database system is critical so as to outline the SQL attack steps to use. For example, on Oracle databases, SQL injection can be performed by adding UNION statements to the existing statement in order to execute the second statement. SUBSELECT statements can also be added to the existing statements. If Data Definition Language (DDL) has been applied to a dynamic SQL string, then DDL statements can be injected. Other statements that can be used include UPDATE, DELETE, and INSERT.
In MySQL databases, it is not easy to perform SQL injection since MySQL does not return error messages when invalid input is inserted. MySQL also has an inbuilt function that replaces single quotes used in queries with escaped single quotes thus preventing SQL injection. The only way to exploit MySQL databases is to take advantage of laxity in input validations and poor coding practices. In Microsoft SQL Server, SQL injection involves modification of SQL statements and checking for OLE DB errors to identify vulnerabilities (EC-Council, 2010).
Security controls that E-shopping4u.com could have used to mitigate SQL injection risks.
In order to mitigate the risks associated with SQL injection E-shopping4u.com could have applied several measures such as setting up input validation such that users cannot enter any kind of data on their user registration and input forms. This could have involved either whitelisting or blacklisting allowed and disallowed characters/character sequences respectively. In blacklisting, culprit/malicious characters are removed or replaced during input. Whitelisting, on the other hand, involves examining each character input by the user and comparing it against a list or permitted characters. The whitelist approach is highly effective since the user is not allowed to proceed with submission until the malicious character is removed, unlike blacklisting where character detection is determined when during form submission.
The second control that the site could have used is to minimize security privileges such that only a very small subset of users has maximum privileges to manipulate the database. In Susan’s case, this seems to have been absent since she was able to login from a remote unidentified host and easily access the database.
In the absence of these controls, Susan could still have found other vulnerabilities on the site by exploiting vulnerabilities in poorly coded procedures, use of DDL, and taking advantage of inconsistent coding standards.

References:

Cisco,. (2015). Understanding SQL Injection. Cisco. Retrieved 5 March 2015, from http://www.cisco.com/web/about/security/intelligence/sql_injection.html
EC-Council,. (2010). Ethical Hacking and Countermeasures: Web Applications and Data Servers - Volume 3 (1st ed.,). New York: Cengage Learning. Retrieved from http://index-of.es/eBooks/Ethical%20Hacking%20and%20Countermeasures-%20Web%20Applications%20and%20Data%20Servers%20-%20EC-Council.pdf
NOSEC,. (2015). Pangolin « NOSEC Information Security Tools Provider. Nosec.org. Retrieved 5 March 2015, from http://www.nosec.org/en/productservice/pangolin/
Sqlmap.org,. (2015). sqlmap: automatic SQL injection and database takeover tool. Sqlmap.org. Retrieved 5 March 2015, from http://sqlmap.org/