Unit IV Database Security

The document discusses the importance of database security, detailing various aspects such as physical security, access control, robust authentication, encryption, and regular backups. It highlights the risks of SQL injection attacks, explaining how they work, their types, and the potential damage they can cause to businesses. Additionally, it provides preventive measures and best practices to mitigate SQL injection vulnerabilities and maintain database integrity.

Uploaded by

prathaplisa

UNIT IV

DATABASE SECURITY
Need for database security – SQL Injection Attacks – The Injection Technique – SQL Attack Avenues and Types

4.1 Need For Database Security


Database security
Database security refers to the array of controls, tools, and procedures designed to
ensure and safeguard the confidentiality, integrity, and availability of data.
Security for databases must cover and safeguard the following aspects:
1. The database containing data.
2. Database management systems (DBMS)
3. Any applications that are associated with it.
4. Physical or virtual database servers, and the hardware that runs them.
5. The infrastructure for computing or network that is used to connect to the database.
Database Security Importance
A database breach can lead to:
o Intellectual property that is compromised
o The damage to our brand's reputation
o The concept of business continuity (or lack of it)
o Penalties or fines to be paid for not complying
o Costs for repairing breaches and notifying consumers about them
Need
1. Physical Security:
 If the database server is on-premise, businesses should ensure that it is located in a
secure and climate-controlled environment.
 The area should have good security measures, such as protection with cameras, locks,
and the availability of security staff at all times.
 Extra protection should be given to storage facilities and physical assets.
 If the server is hosted by a cloud provider, businesses should examine if the provider
has expertise in database security and ensure that they have a good reputation.
2. Access Control
 Access control deals with authentication and authorization systems, meaning who can
access the database and which actions they can perform.
 Role-based security is a highly effective method to limit data access for a user.

Prepared By: SHURITHI.S, AP/CYBERSECURITY, Mahendra Engineering College 1


 Only a minimum number of users should have access to the database, and the level of
access granted should be at the minimum level.
 This means access should be restricted to the level that is necessary to do the job.
 This practice is crucial for organizations that make their database available to other
applications via API services.
3. Robust Authentication
 Authentication is a crucial aspect of any database as it prevents unauthorized access,
but choosing the relevant and strong type of authentication is an important decision to
make.
 There are multiple types of authentication that are implemented by the backend
developers, such as:
1. Single-factor authentication (SFA), the most basic type, is regarded as unsafe
because it does not provide any additional layer of security.
2. Two-factor authentication (2FA) is a better alternative to SFA, as it provides an
additional security layer and is used on many social media platforms.
3. Another alternative is multi-factor authentication (MFA), which could also be
used by developers.
 Database access should be allowed only from validated IP addresses; this reduces the
risk of a data breach because an IP address is relatively hard to spoof.
4. Encryption
 Whether it is moving data or storing sensitive user information, encryption is essential.
 It helps defend against ransomware attacks and also helps the organization stay
compliant with GDPR guidelines.
 All data should be encrypted with the best methods, so even if cybercriminals get hold
of the data, that information would still be safe.
 All database connections should be encrypted using Transport Layer Security (TLS),
which protects the data in transit. Column-level encryption could also be used to
protect the most sensitive data fields.
 Lastly, backend developers should also encrypt disks that contain data stores.

5. Regular Backups
 Just like how website data is backed up, the developers should also create backups of
the database.
 This is essential, as regular backups could mitigate the risk of losing sensitive
information due to any circumstances, such as data corruption or a system failure.
 The backups should also be tested periodically to ensure they perform as expected.
 The data should be able to be restored from the backup without any issues.
 This way, the developers would be able to confirm that the backup works.
6. Regular Database Audit
 Database monitoring should be enabled and performed regularly.
 All the logins to the database server should be recorded and sent to a secure place. Any
operation performed on the sensitive data should also be logged.
 Activities could include user logins, data modifications, and query executions.
 Auditing requires proper documentation of all the above activities.
 Moreover, on any unauthorized access attempt or suspicious act, immediate alerts
should be sent to the database administrators.
7. Update Applications
 Verified database management software should be used and kept updated to the latest
version.
 The latest patches should be installed too.
 It is a safe choice to not use any plugins, and third-party applications that do not receive
regular updates.
 Outdated applications or plugins pose a major security threat because their weak
security is easy for attackers to overcome, putting the database at risk.
 According to Synopsys, in 2023, 89% of codebases contained components that had not
been updated for more than 4 years.
 This makes it clear that keeping applications updated is a must.
8. Use Firewalls
 Firewalls are a good choice for adding a layer of security to the database.
 A firewall should block all traffic that is not explicitly allowed, and it should also
prevent the database from initiating outbound connections unless absolutely necessary.

 Along with a database firewall, a web application firewall should also be deployed.
 This is done to prevent attacks such as SQL injection directed at the web application.
 Not to mention that, just like the application updates, the firewall should be updated to
the latest version.
9. Separate Database Servers
 Storing data on the same server as the website could expose the data to attackers if they
manage to hack the admin account on the web server.
 To prevent this, the web server and the database server should be separated.
 This way, the attackers could not access the database even if the admin account was
compromised.
 When the web server and the database server need to communicate, developers should
limit the permitted operations to those that are necessary for the application to work.
 The access control practices described above help here.
 By using Security Information and Event Management (SIEM), organizations could take
immediate action on an attempted breach in real time.
 A SIEM can be dedicated to collecting and correlating database security events.
10. Separate Tests from Production
 Test environments should be separated from production environments because attackers
could get hold of any sensitive data in the testing environment, which might be less
secure than the production environment.
 Ensuring that there is a testing environment with no real production data and separate
roles and permissions from a production environment helps in protecting the production
database.
 Even the developers should not get access to the production database if it is not
necessary.
 Moreover, a standard procedure should be followed to move the database from testing
to production.
 Any bugs or security issues found during testing must be resolved before the move.

4.2 SQL Injection Attacks


 A SQL injection (SQLi) is a technique that attackers use to gain unauthorized access to a
web application database by adding a string of malicious code to a database query.

 A SQL injection manipulates Structured Query Language code to provide access to
protected resources, such as sensitive data, or execute malicious SQL statements. When
executed correctly, a SQL injection can expose intellectual property, customer data or the
administrative credentials of a private business.
 SQL injection attacks can be used to target any application that uses a SQL database,
with websites being the most common prey. Common SQL databases
include MySQL, Oracle and Microsoft SQL Server.

How a SQL injection attack works


 A SQL query is a request for some action to be performed on an application database.
 Queries can also be used to run operating system commands.
 Each query includes a set of parameters that ensure only desired records are returned
when a user runs the query.
 During a SQL injection, attackers exploit this by injecting malicious code into the query's
input form.
 The first step of a SQL injection attack is to study how the targeted database functions.
 This is done by submitting a variety of random values into the query to observe how the
server responds.
 Attackers then use what they've learned about the database to craft a query the server
interprets and then executes as a SQL command.
 For example, a database may store information about customers who have made a
purchase with customer ID numbers. Instead of searching for a specific customer ID, an
attacker may insert "CustomerID = 1000 OR 1=1" into the input field. Since the
statement "1=1" is always true, the SQL query would return all available customer IDs
and any corresponding data. This enables the attacker to circumvent authentication and
gain administrator-level access.
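The CustomerID example above, as an added worked example that is not part of the original notes: the same lookup written once by pasting the input into the statement and once with a bound parameter, run against a constructed in-memory SQLite table. The table, its rows, and the function names are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for the example; not from the original notes.
SAMPLE_CUSTOMERS = [
    (1000, "alice", "alice@example.com"),
    (1001, "bob", "bob@example.com"),
    (1002, "carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> list:
    """Vulnerable: the user-supplied text is pasted into the SQL statement.
    Input such as '1000 OR 1=1' therefore becomes part of the WHERE clause,
    and the always-true condition returns every row."""
    sql = f"SELECT id, name, email FROM customers WHERE id = {customer_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer_id: str) -> list:
    """Hardened: the SQL text is fixed and the value is bound as a parameter.
    The database compares the whole string '1000 OR 1=1' against the id
    column as data, so it matches nothing instead of being parsed as SQL."""
    sql = "SELECT id, name, email FROM customers WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def is_valid_customer_id(raw: str) -> bool:
    """Input validation as a second layer: an id must be a plain positive integer.
    Rejecting anything else keeps malformed input from reaching the database at all."""
    return raw.isdigit()


def compare(customer_id: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = build_db()
    try:
        return {
            "valid_input": is_valid_customer_id(customer_id),
            "vulnerable_rows": len(lookup_vulnerable(conn, customer_id)),
            "parameterized_rows": len(lookup_parameterized(conn, customer_id)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("1000"))         # both lookups return the single matching row
    print(compare("1000 OR 1=1"))  # vulnerable lookup returns all 3 rows, parameterized returns 0
```

The parameterized lookup is safe on its own, because the driver never lets the value change the structure of the statement; the `is_valid_customer_id` check is the separate input-validation layer the notes recommend, and a real application would reject the request before querying at all.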
Types of SQL injection attacks:

In-band SQLi (classic SQLi)
 In-band SQLi is when hackers use the same channel -- or band -- both to launch the
attack and to collect its results.
 In-band SQLi is most commonly achieved through two methods:
1. Error-based injection techniques force the database to produce error messages that
reveal information about the structure of the database.
2. Union-based attacks use the SQL UNION operator, which combines the results of
multiple queries into one result set.
Inferential SQLi (blind SQLi)
 Inferential SQLi is when hackers send data payloads to a database server to observe its
response and behavior without being able to see what is occurring within the database.
 The server's response provides attackers with clues that they can use to adjust their attack
strategy.
 Inferential SQLi can be either Boolean-based or time-based. Boolean-based SQLi uses
true-or-false conditions and observes whether the response changes, while time-based
SQLi injects a delay and observes how long the server takes to respond.
Out-of-band SQLi
 Out-of-band SQLi is when hackers take advantage of domain name system or Hypertext
Transfer Protocol requests to retrieve data.
 Out-of-band SQLi is usually only performed when the server's responses are too slow
or unstable, or when in-band SQLi is not possible to execute.

How a SQL Injection Attack Can Be Detected and Prevented
 If a SQL injection attack is successfully carried out, it could cause extensive damage by
exposing sensitive data and damaging customer trust. That is why it is important to detect
this type of attack in a timely manner.
 Web Application Firewalls (WAFs) are the most common tool used to filter out SQLi
attacks. WAFs are based on a library of updated attack signatures and can be configured
to flag malicious SQL queries in web applications.
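As an added example (not from the original notes, and not any WAF's actual rule set), the signature-matching idea can be shown on a few constructed web-server access-log lines: each request target is URL-decoded and checked against simplified patterns for the injection forms discussed in this unit. The log lines, client addresses, and signature names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in the common log format. Addresses come from the
# documentation ranges and the requests were written for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /customer?id=1000 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:07 +0000] "GET /customer?id=1000%20OR%201%3D1 HTTP/1.1" 200 48210
198.51.100.9 - - [10/Mar/2024:10:01:12 +0000] "GET /search?q=summer+sale HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2024:10:01:40 +0000] "GET /search?q=x%27%20UNION%20SELECT%20name%2Cemail%20FROM%20customers-- HTTP/1.1" 500 310
"""

# Pull the client address, request target and status code out of one log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Simplified signatures, applied to the decoded, lower-cased request target.
SIGNATURES = {
    "tautology": re.compile(r"\bor\b\s+'?\w+'?\s*=\s*'?\w+'?"),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "comment_terminator": re.compile(r"(?:--|/\*)"),
    "stacked_statement": re.compile(r";\s*(?:drop|delete|update|insert|alter)\b"),
}


def decode_target(target: str) -> str:
    """Decode percent-encoding (and '+' as space) so encoded payloads become visible.
    Decoding twice also uncovers the common double-encoding evasion."""
    return unquote_plus(unquote_plus(target)).lower()


def scan_line(line: str):
    """Return (ip, decoded target, [matched signature names]), or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]
    return m.group("ip"), decoded, hits


def scan_log(text: str) -> list:
    """Scan every line and return findings as (line number, ip, signature names)."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        parsed = scan_line(line)
        if parsed and parsed[2]:
            ip, _decoded, hits = parsed
            findings.append((number, ip, hits))
    return findings


if __name__ == "__main__":
    for number, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {ip} matched {', '.join(hits)}")
```

Signature matching of this kind is what a WAF does at much larger scale; it is useful for alerting on attempts, but, as the notes say, it complements rather than replaces parameterized queries, since a signature library always lags behind new evasions. Note also that the unusually large response on the second line (48210 bytes for a single-customer lookup) is a second, signature-free clue a monitoring team could use.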

To prevent a SQL injection attack from occurring, businesses can follow these
practices:
1. Train employees on prevention methods--
 It's important that IT teams -- including DevOps, system administrators and
software development -- receive proper security training to understand how SQLi
attacks happen and how they can be prevented in web applications.
2. Don't trust user input--
 Any user input provided in a SQL query increases the likelihood for a successful
SQL injection.
 The best way to mitigate this type of risk is to put security measures around user
input.
3. Use an allow list instead of a block list--
 Validating and filtering user input via an allowlist, as opposed to a blocklist, is
recommended because cybercriminals can usually bypass a blocklist.
 This is because a blocklist includes a list of all the applications or executables that
might pose a threat to the network.
 Therefore, everything on the network can operate besides the items on the
blocklist.
 Unfortunately, thousands of new malware and virus samples are created every
day, and it's impossible for administrators to keep the blocklists updated with
newer attack variants and zero-day vulnerabilities, so a security breach is entirely
possible before the list is updated.
4. Perform routine updates, and use the newest version of applications--
 One of the most common SQL injection vulnerabilities is outdated software.

 Not only is older technology unlikely to have built-in SQLi protection, but
unpatched software is also often easier to manipulate.
 This includes programming languages, too.
 Older languages and syntax are more vulnerable.
 For example, use PHP Data Objects (PDO) as a substitute for the older MySQL extension.
5. Use validated prevention methods--
 Query strings written from scratch offer insufficient protection against SQLi.
 The best way to protect web applications is through input validation, prepared
statements and parameterized queries.
6. Perform regular security scans--
 Regularly scanning web applications catches and remedies potential
vulnerabilities before they do serious damage.
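Items 3 and 5 above work together in practice: values are bound as parameters, but the parts of a statement that cannot be parameters, such as the column named in an ORDER BY, are checked against an allowlist rather than a blocklist. This added example, which is not part of the original notes, builds a sortable product listing on a constructed SQLite table; the table, its columns, and the allowlist entries are assumptions for illustration.

```python
import sqlite3

# Allowlist: the only sort keys and directions a client may request, each mapped to
# the exact identifier that is placed in the statement. Anything else is rejected,
# so there is no blocklist to keep up to date.
ALLOWED_SORT_COLUMNS = {"name": "name", "price": "price_cents", "created": "created_at"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

# Constructed sample rows for the example.
SAMPLE_PRODUCTS = [
    ("mug", 1200, "2024-01-05"),
    ("lamp", 4500, "2024-02-10"),
    ("desk", 19900, "2024-03-01"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory products table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price_cents INTEGER, created_at TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def is_allowed_sort(sort_key: str, direction: str) -> bool:
    """True only when both values are exact allowlist entries (case-insensitive)."""
    return sort_key.lower() in ALLOWED_SORT_COLUMNS and direction.lower() in ALLOWED_DIRECTIONS


def build_listing_sql(sort_key: str, direction: str) -> str:
    """Assemble the statement. The ORDER BY identifier is taken from the allowlist
    mapping, never from the request text; the price cap stays a bound parameter."""
    if not is_allowed_sort(sort_key, direction):
        raise ValueError(f"unsupported sort option: {sort_key!r} {direction!r}")
    column = ALLOWED_SORT_COLUMNS[sort_key.lower()]
    order = ALLOWED_DIRECTIONS[direction.lower()]
    return (
        "SELECT name, price_cents FROM products "
        f"WHERE price_cents <= ? ORDER BY {column} {order}"
    )


def list_products(conn: sqlite3.Connection, sort_key: str, direction: str, max_price_cents: int) -> list:
    """Return product names at or under the price cap, in the requested order."""
    sql = build_listing_sql(sort_key, direction)
    return [row[0] for row in conn.execute(sql, (max_price_cents,)).fetchall()]


if __name__ == "__main__":
    conn = build_db()
    print(list_products(conn, "price", "asc", 5000))
    # A crafted sort key never reaches the statement text; it is rejected up front.
    print(is_allowed_sort("name; DROP TABLE products", "asc"))
```

The mapping from request keyword to column name is the important design choice: the request text is only ever used as a dictionary key, and the string that ends up in the SQL is one the developer wrote.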
Some database administrators believe that a stored procedure statement can often aid in
the prevention of SQL injection attacks by restricting the types of statements that can be supplied
to its parameters. However, this doesn't prevent all exploits, as there are numerous workarounds
and intriguing statements that can still be provided to stored procedures.
The impact of SQL injection attacks on a business
SQL injection attacks can seriously harm a business or organization. The negative effects could
include the following:
1. Cybercriminals could gain unwanted or administrative access to private information and
resources.
2. Potential data breaches can occur as a result of unauthorized access to resources.
3. The data can be altered, or entire database tables can be deleted by cybercriminals.
4. Database infiltration can enable threat actors to penetrate entire networks or systems.
5. Customers may lose trust in the business, which can ultimately result in decreased
revenue.
6. It may take time and resources to recover from the attack and implement new security
measures to prevent future incidents.
7. While the immediate effect of a successful SQL injection attack may be difficult to
quantify, the long-term damage caused by reputation loss, legal costs and lost business
opportunities can have far-reaching consequences.

A few well-known companies that have experienced SQL injection attacks include
Target, Yahoo, LinkedIn, Sony Pictures and 7-Eleven.
Examples of SQL injection attacks
There are numerous SQL injection vulnerabilities, attacks and strategies that can occur in
a variety of settings.
The following are some common SQL injection examples:
1. Changing SQL query: To retrieve hidden data, a SQL query can be changed by
cybercriminals to reveal additional information.
2. Login bypass: To get around authentication and access the program or website, a hacker
can inject a SQL command into a login form.
3. Undermining application logic: This is where a cybercriminal alters a query to obstruct
the logic of the application.
4. Union attacks: These attacks enable the retrieval of data from many database tables.
5. Database analysis: This is where the cybercriminals analyze the database to glean
information about its version and structure.
6. Blind SQL injection: During a blind SQL injection, no error messages are received from
the database.
7. Distributed Denial Of Service (DDoS) attacks: During this attack, an attacker injects a
SQL statement to generate a DoS or DDoS attack, overwhelming a system.
The following are some examples of real-life SQL injection vulnerabilities:
1. Tesla vulnerability: In 2014, security researchers revealed that they were able to
penetrate Tesla's website via a SQL injection, get administrative privileges and steal user
data.
2. Fortnite vulnerability: Fortnite is a popular online game with over 350 million players.
A SQL injection vulnerability was discovered in 2019 that could enable attackers to
access user accounts. However, this vulnerability was patched.
3. Cisco vulnerability: A SQL injection vulnerability in Cisco Prime License Manager was
discovered in 2018. The flaw enabled attackers to get shell access to computers where the
license management was installed. Cisco has addressed the issue.

4.3 The Injection Technique
1. Unsanitized Input:
 Attackers can exploit vulnerabilities in web forms, URL parameters, or other
input fields by inserting SQL code into them.
 For example, an attacker might input ' OR '1'='1 into a login form, causing the
SQL query to return true for all records and potentially granting them access to
the system.
2. SQL Keywords and Operators:
 Attackers can use SQL keywords and operators such as OR, AND, UNION,
SELECT, INSERT, UPDATE, DELETE, and others to modify the behavior of
SQL queries.
 By carefully crafting input strings, attackers can manipulate the query logic to
achieve their goals.
3. Commenting:
 Attackers can use SQL comment characters (-- in most databases) to comment out
parts of the original query and append their own malicious code.
 This can help them bypass input validation and execute arbitrary SQL commands.
4. Error-Based Injection:
 Attackers can exploit error messages generated by the database to gather
information about the structure and contents of the database.
 By injecting code that triggers SQL errors, attackers can learn valuable
information that helps them further refine their attack.
Preventing SQL injection requires implementing proper input validation and sanitization
techniques, such as using parameterized queries, prepared statements, or stored procedures.
Additionally, employing the principle of least privilege, ensuring proper user authentication and
authorization, and regularly updating and patching software can help mitigate the risk of SQL
injection attacks.
4.4 SQL Attack Avenues and Types
 A SQL attack, or SQL injection attack, is a type of cyber attack that exploits
vulnerabilities in software applications that interact with SQL databases.

 In SQL injection attacks, malicious actors insert or "inject" malicious SQL code into
input fields or parameters of an application, which is then executed by the database
server.
 The primary objective of SQL attacks is to manipulate the behavior of the database
system in unintended ways, potentially allowing attackers to access, modify, or delete
sensitive data, bypass authentication mechanisms, or even take control of the underlying
server.
 SQL injection attacks can have serious consequences, including data breaches,
compromise of sensitive information, financial losses, and damage to the reputation of
affected organizations.
 Preventing SQL attacks involves implementing secure coding practices, such as input
validation and parameterized queries, as well as conducting regular security audits and
penetration testing to identify and address potential vulnerabilities in software
applications.
 SQL attacks, particularly SQL injection attacks, exploit vulnerabilities in applications
interacting with SQL databases. These attacks come in various avenues and types, each
presenting unique challenges and potential consequences.
Avenues:
1. Web Forms:
 Attackers exploit input fields in web forms, such as login forms or search bars, by
injecting malicious SQL code.
 When submitted, this code manipulates the SQL queries executed by the
application, potentially compromising the database.
2. URL Parameters:
 Attackers manipulate URL parameters by injecting SQL code into them. This
manipulation can exploit vulnerabilities in the application's handling of input
parameters, allowing attackers to execute arbitrary SQL commands.
3. Cookies:
 Attackers inject SQL code into cookie values, exploiting weaknesses in the
application's authentication or session management mechanisms.

 By manipulating cookies, attackers can gain unauthorized access or manipulate
data stored in the database.
4. HTTP Headers:
 HTTP headers exchange additional information between clients and servers in
web applications.
 Attackers may inject SQL code into headers to exploit vulnerabilities in the
application's request handling or response processing logic.
Types:
1. Classic SQL Injection:
 Attackers input SQL commands into input fields or parameters to manipulate
database queries.
 For example, inputting ' OR 1=1 -- in a login field could bypass authentication.
2. Blind SQL Injection:
 Attackers infer information about the database without receiving direct feedback
from the application.
 Techniques include timing-based or Boolean-based queries to discern database
structure or contents.
3. Error-Based SQL Injection:
 Attackers exploit error messages generated by the database to gather information
about its structure or contents.
 Injected code triggers SQL errors, revealing valuable insights for refining the
attack.
4. Union-Based SQL Injection:
 Attackers use the UNION operator to combine results from multiple queries.
 By injecting a crafted SQL statement, they can retrieve data from other tables or
databases.
5. Second-Order SQL Injection:
 Attackers inject SQL code into an application, which is stored in the database and
executed later.
 This delayed execution makes detection and mitigation challenging.

6. Out-of-Band SQL Injection:
 Attackers interact with external systems by exploiting vulnerabilities in the
application.
 They bypass traditional data exfiltration methods, posing additional challenges for
detection and mitigation.
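Second-order SQL injection (type 5 above) is the case where the dangerous value is stored safely and only becomes a problem when it is read back and used in a later query. This added example, which is not part of the original notes, registers a user with a parameterized INSERT and then shows a later profile lookup written two ways on a constructed SQLite table; the users table, the usernames, and the function names are assumptions for illustration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory users table for the example (constructed, not from the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, email: str) -> int:
    """Registration is parameterized, so any username is stored literally and safely.
    Returns the new user's id."""
    cur = conn.execute(
        "INSERT INTO users (username, email) VALUES (?, ?)", (username, email)
    )
    return cur.lastrowid


def profile_emails_vulnerable(conn: sqlite3.Connection, user_id: int) -> list:
    """Second-order defect: the stored username is trusted because it 'came from our
    own database' and is concatenated into a second statement. A stored value such
    as  x' OR '1'='1  then changes the meaning of that statement."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def profile_emails_safe(conn: sqlite3.Connection, user_id: int) -> list:
    """Hardened: every statement binds its values, including values read back
    from the database, so where a value came from no longer matters."""
    (username,) = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [row[0] for row in rows]


def demo() -> dict:
    """Register a normal user and one whose name carries SQL, then look up the latter."""
    conn = build_db()
    try:
        register(conn, "alice", "alice@example.com")
        crafted_id = register(conn, "x' OR '1'='1", "mallory@example.com")
        return {
            "vulnerable": profile_emails_vulnerable(conn, crafted_id),
            "safe": profile_emails_safe(conn, crafted_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(demo())
```

The lesson for code review is that "parameterize at the input boundary" is not enough: the rule has to be applied to every statement, because data already in the database is still data, not trusted SQL.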
Uses:
SQL attacks are typically employed by malicious actors for various nefarious purposes,
including:
1. Data Theft:
 Attackers may use SQL injection to steal sensitive information stored in
databases, such as personal or financial data, usernames, passwords, or credit card
numbers.
 This stolen data can be used for identity theft, financial fraud, or sold on the black
market.
2. Unauthorized Access:
 SQL injection attacks can bypass authentication mechanisms, allowing attackers
to gain unauthorized access to restricted areas of an application or system.
 This unauthorized access can be used to view, modify, or delete sensitive data, or
to perform further attacks within the system.
3. Data Manipulation:
 Attackers may manipulate the data stored in a database through SQL injection,
altering records, inserting malicious content, or deleting important information.
 This can disrupt business operations, compromise data integrity, and cause
financial or reputational damage to organizations.
4. Application Defacement:
 SQL injection attacks can be used to modify the content displayed by an
application, defacing web pages, displaying offensive or misleading content, or
injecting malicious scripts.
 This can tarnish the reputation of the targeted organization and erode user trust.

5. Database Takeover:
 In some cases, SQL injection attacks can lead to complete control over the
underlying database server.
 Attackers may exploit this access to execute arbitrary commands, create
backdoors for future access, or launch further attacks against other systems or
networks.
6. Credential Theft:
 SQL injection attacks can be used to extract usernames and passwords from
databases, compromising the accounts of legitimate users.
 These stolen credentials can then be used to gain unauthorized access to other
systems or services, perpetuating the attacker's reach.
Advantages and Disadvantages of SQL Injection Attacks:
Advantages:
1. Effectiveness: SQL injection attacks can be highly effective, especially when targeting
vulnerable applications. They provide attackers with a direct route to manipulate
databases and access sensitive information.
2. Ease of Exploitation: SQL injection attacks are relatively easy to execute, requiring only
basic knowledge of SQL and the ability to identify vulnerable input fields or parameters
in web applications.
3. Versatility: SQL injection attacks can be used against a wide range of targets, including
websites, web applications, mobile apps, and backend databases. This versatility allows
attackers to exploit vulnerabilities across various platforms and technologies.
4. Data Extraction: Attackers can use SQL injection to extract large volumes of data from
databases, including sensitive information such as usernames, passwords, credit card
numbers, and personal details.
5. Stealthiness: SQL injection attacks can be difficult to detect, especially if they are
conducted in a subtle manner that does not trigger error messages or abnormal behavior
in the application.
Disadvantages:
1. Legal Consequences: Perpetrating SQL injection attacks is illegal and punishable by law
in most jurisdictions. Attackers caught engaging in such activities may face severe legal
consequences, including fines, imprisonment, or civil lawsuits.

2. Reputation Damage: Organizations that fall victim to SQL injection attacks may suffer
significant damage to their reputation and credibility. This can lead to loss of customer
trust, diminished brand loyalty, and negative publicity.
3. Security Risks: Exploiting vulnerabilities through SQL injection can expose sensitive
data and compromise the security of databases and applications. This poses a serious risk
to the confidentiality, integrity, and availability of information assets.
4. Financial Losses: SQL injection attacks can result in financial losses for affected
organizations, including costs associated with data breach remediation, regulatory fines,
legal fees, and loss of business opportunities.
5. Countermeasures: As awareness of SQL injection vulnerabilities grows, organizations
are increasingly implementing countermeasures to protect against such attacks. This
includes adopting secure coding practices, implementing web application firewalls, and
conducting regular security audits and penetration tests.
