SECTION 1 Introduction
As people learn to use the Web as a means of information dissemination, information security is indeed a vital issue to today’s corporate organizations and institutions. Although the Web provides an easy way of making information readily available, it is important to make sure that only those who are authorized are given access to the published data.
With databases now used in most applications, database security has become a necessary means of protecting classified information. It provides detection of inconsistent SQL commands and identification of intruders, so that database activity can be controlled and information accessed securely.
Applications built on unsecured and poorly constructed database systems are very vulnerable to malicious attacks such as unauthorized data access and alteration. This paper introduces two of the most common attacks on databases, namely SQL injection and privilege escalation. It also covers the corresponding defenses against these attacks, specifically parse tree validation and privilege separation as protection against privilege escalation.
SECTION 2 Background
Many present-day systems have shifted from a mainframe-based to a client/server-based framework. The integration of database systems into online services and web applications has contributed greatly to fast and efficient data transfer and manipulation. However, it has also posed serious threats to the security of the classified information and resources contained in the system.
Most databases can be penetrated by attacks, but this does not mean that they cannot be properly protected. Database vulnerabilities are often due to programming errors, poor database architecture, weak encryption, configuration errors and incorrect use of developer tools. The database administrator must know that there are ways to prevent these vulnerabilities in order to make the database secure.
SECTION 3 SQL Injections
Web applications backed by databases take precautions such as firewalls to protect information. However, firewalls do not guarantee complete security, because some attacks, SQL injection among them, pass straight through them.
SQL injections do not directly target the core database. They are carried out by inserting SQL statements into web forms such as text fields. Once the form is submitted, the SQL commands are passed to the database and executed. This attack allows the hacker to retrieve, manipulate or even delete information in the database without passing proper user authentication.
One simple application of SQL injection is bypassing log-in web forms where the user has to input his username and password to access the succeeding web pages.
A typical authentication JSP script would look like this:
txtuser = Request("User")
txtpassword = Request("Password")
Set conn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")
' Vulnerable: the form values are concatenated straight into the SQL text
SQLQuery = "select * from users where password = '" & txtpassword & "' " & _
           "and user = '" & txtuser & "'"
rs.Open SQLQuery, conn
If rs.EOF And rs.BOF Then
    ' no row matched: log-in fails
Else
    ' a row matched: log-in succeeds
End If
To bypass this authentication script, the hacker enters the following in the log-in (user name) field, with any value, here test, in the password field:
Log-in: ' or '1'='1
If submitted, this input will generate the following SQL statement:
Select * from users where password = 'test' and user = '' or '1'='1'
The hacker has inserted the Boolean expression '1'='1', which is always true, so the WHERE clause matches every row. This lets him log in successfully and access the records returned by the SQL statement.
Another SQL injection technique used by hackers is the UNION statement. This attack can give the hacker access to other tables, even ones unrelated to the query being executed.
A typical query page in ASP (Active Server Pages) would look like this:
' Vulnerable: the title typed by the user is concatenated into the SQL text
sql = "SELECT * FROM BOOKS WHERE Title='" & title & "'"
Set rs = Conn.OpenRecordset(sql)
Through this query, the hacker can reach the table that stores the users' names and passwords by making the submitted value produce the following SQL statement:
SELECT * FROM BOOKS WHERE Title='test' UNION select username, password from dba_users where '1'='1'
Again, the appended Boolean expression keeps the SQL command syntactically valid, and the query now also returns the stored usernames and passwords.
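The log-in bypass above, reproduced on an in-memory SQLite table as an added example (not code from the paper): the concatenated query is built exactly as in the script, and a parameterized query is shown beside it as the hardened form. The table contents and the user alice are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn, txtuser, txtpassword):
    """Same construction as the page's script: form values spliced into the SQL."""
    sql = ("select * from users where password = '" + txtpassword + "' "
           "and user = '" + txtuser + "'")
    return len(conn.execute(sql).fetchall()) > 0


def login_param(conn, txtuser, txtpassword):
    """Hardened form: bound parameters, so the values are data and never SQL."""
    sql = "select * from users where password = ? and user = ?"
    return len(conn.execute(sql, (txtpassword, txtuser)).fetchall()) > 0


def demo():
    """Run both checks with the page's log-in input; reports which one it defeats."""
    conn = make_db()
    payload = "' or '1'='1"      # the log-in field value shown above
    return {
        "concat_bypassed": login_concat(conn, payload, "test"),  # True
        "param_bypassed": login_param(conn, payload, "test"),    # False
        "param_valid": login_param(conn, "alice", "s3cret"),     # True
    }


if __name__ == "__main__":
    print(demo())
```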
SECTION 4 Privilege Escalation
Privilege escalation is the exploitation of programming errors in software applications in order to gain access to the system's resources. It lets the attacker obtain higher privileges than those intended for him.
One form of privilege escalation is gaining administrative privileges without being an authenticated database administrator. In an internet banking system, a regular user can obtain administrative rights if inputs are not properly validated.
Applications that are executed from a command line or shell are vulnerable to shell injection if they use unvalidated input in the executed command. This gives the attacker the opportunity to run system commands without being authorized to do so.
Privilege escalation can also occur when a user gains access to other users' accounts without proper authentication. This problem is common in web applications whose session IDs, carried in HTTP cookies, are easy to predict.
SECTION 5 Parse Tree Validation
A parse tree is a data structure representing the breakdown of a statement into its elements. It can be used to determine whether malicious SQL code has been injected through a web form.
Suppose the following SQL statement is the original query in the code:
SELECT * from usertable WHERE username = ? and password = ?
and suppose the hacker's entry in the web form turns it into this statement:
SELECT * from usertable WHERE username = 'greg' and password='secret' --'AND password = 'tricky'
Notice that their parse trees are obviously different from one another. From here, we can suspect that there is an anomaly in the user input (see Appendix A, Figure 1).
The system checks whether the parse tree of the SQL statement in the original code matches the parse tree of the SQL statement that results when the form is submitted. If the two parse trees do not match, a hacker may have entered SQL in the web form.
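A simplified version of this check, added here as an example and not taken from the paper or from SQLGuard: the token structure of a statement stands in for its full parse tree (literals become one leaf, comments are dropped as a real parser would), and the statement built at run time must keep the structure of the original query with its ? placeholders. The template is the query from this section; the inputs are constructed.

```python
import re

# One token per match: a -- comment, a quoted literal, a ? placeholder,
# a number, a word, or any other single character.
_TOKEN = re.compile(r"--[^\n]*|'(?:[^']|'')*'|\?|\d+|\w+|\S")


def shape(sql):
    """Skeleton of a statement: literals and placeholders collapse to LIT,
    comments disappear (the parser ignores them), words are upper-cased.
    Equal skeletons stand in for equal parse trees here."""
    kinds = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("--"):
            continue
        if tok == "?" or tok.startswith("'") or tok.isdigit():
            kinds.append("LIT")
        else:
            kinds.append(tok.upper())
    return kinds


def build(template, values):
    """Fill the ? placeholders by quoting and concatenating, with no escaping,
    exactly as the vulnerable scripts on this page do."""
    parts = template.split("?")
    if len(parts) != len(values) + 1:
        raise ValueError("placeholder count does not match the values")
    sql = parts[0]
    for value, rest in zip(values, parts[1:]):
        sql += "'" + value + "'" + rest
    return sql


def is_valid(template, sql):
    """The check itself: the run-time statement must keep the template's
    skeleton, i.e. each user value may only have filled a single leaf."""
    return shape(template) == shape(sql)


TEMPLATE = "SELECT * from usertable WHERE username = ? and password = ?"

def check_cases():
    """True where the check accepts the statement. An unescaped apostrophe in
    an honest value (O'Brien) also changes the skeleton and is rejected, so a
    real deployment escapes literals before comparing."""
    return {
        "honest": is_valid(TEMPLATE, build(TEMPLATE, ["greg", "tricky"])),
        "comment": is_valid(TEMPLATE, build(TEMPLATE, ["greg' --", "tricky"])),
        "tautology": is_valid(TEMPLATE, build(TEMPLATE, ["' or '1'='1", "tricky"])),
    }
```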
SECTION 6 Privilege Separation
The root problem behind privilege escalation is the lack of input validation or user authentication when high system privileges are exercised. Privilege separation aims to reduce the amount of code that runs with elevated privileges. It splits the application into two parts: one part runs with special privileges and the other runs without them.
Privilege separation uses a monitor-slave arrangement in which the monitor is the privileged part and the slave the unprivileged one. In this set-up, the slave must send the monitor a request for any operation that requires special privileges. Before carrying out the request, the monitor validates it. If the request is approved, the monitor executes the operation and sends the result back to the slave. Even if there are programming errors in the unprivileged part of the application, the attacker cannot take advantage of them, since all special privileges are confined to the other part.
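The monitor-slave arrangement applied to the internet banking case from Section 4, as an added example (not the privsep paper's code): the two parts are modelled as two classes in one process, where a real implementation would be two processes talking over a pipe. The slave parses untrusted input and forwards whatever account the user named; the monitor, which alone holds the account store, validates ownership and parameters before acting. Account names, owners and balances are constructed.

```python
class Monitor:
    """Privileged part: owns the account store and validates every request."""
    def __init__(self, accounts):
        self._accounts = accounts       # constructed sample data, see demo()
        self.denials = []

    def handle(self, session_user, request):
        op = request.get("op")
        if op not in ("balance", "transfer"):
            return self._deny(f"unknown operation {op!r}")
        src = request.get("account")
        if src not in self._accounts or self._accounts[src]["owner"] != session_user:
            return self._deny(f"{session_user} may not operate on {src!r}")
        if op == "balance":
            return self._accounts[src]["balance"]
        amount, dst = request.get("amount"), request.get("to")
        if not isinstance(amount, int) or amount <= 0 or dst not in self._accounts:
            return self._deny("malformed transfer parameters")
        if self._accounts[src]["balance"] < amount:
            return self._deny("insufficient funds")
        self._accounts[src]["balance"] -= amount
        self._accounts[dst]["balance"] += amount
        return self._accounts[src]["balance"]

    def _deny(self, reason):
        self.denials.append(reason)
        return None


class Slave:
    """Unprivileged part: parses raw input and forwards it without any
    authorization of its own, so a bug here gains the user nothing."""
    def __init__(self, monitor, session_user):
        self.monitor, self.user = monitor, session_user

    def run(self, line):
        fields = dict(item.split("=", 1) for item in line.split())
        if fields.get("amount", "").isdigit():
            fields["amount"] = int(fields["amount"])
        return self.monitor.handle(self.user, fields)


def demo():
    mon = Monitor({"A1": {"owner": "alice", "balance": 100},
                   "B1": {"owner": "bob", "balance": 50}})
    alice = Slave(mon, "alice")     # Alice's session touches her own account, then Bob's
    return {
        "own_balance": alice.run("op=balance account=A1"),                       # 100
        "other_balance": alice.run("op=balance account=B1"),                     # None
        "forged_transfer": alice.run("op=transfer account=B1 to=A1 amount=20"),  # None
        "own_transfer": alice.run("op=transfer account=A1 to=B1 amount=30"),     # 70
        "denials": len(mon.denials),                                             # 2
    }
```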
SECTION 7 Analysis and Evaluation
The incorporation of databases into present-day software applications has greatly improved the efficiency of information processing. On the other hand, it has also made today's information systems vulnerable to security attacks, creating a large trade-off between information availability and data security.
Databases are always vulnerable to attacks, so it is important for database administrators to keep checking for loopholes that may endanger the information held in the system. The attacks mentioned in this paper are only a few examples of the many security threats discovered. It is necessary to examine the flow of data through the system and make sure that there is a secure wall between regular users and the core database. The system must also ensure that information is not being intercepted by unauthorized users.
Database security is a very important factor in the creation of software applications because it ensures that information is well protected from malicious attacks. It requires a deep understanding of database configurations as well as validation of user inputs.
SECTION 8 Summary
Database security deals with preventing the prevalent attacks on the databases of software applications. Two common attacks were discussed in this paper. The first is SQL injection, which is carried out by inserting and executing SQL statements through web forms, resulting in alteration of information in the database. The second is privilege escalation, which takes advantage of programming errors to acquire greater privileges in the system.
The paper also discussed defenses against these attacks. Parse tree validation is used against SQL injection by comparing the parse tree of the intended SQL statement with that of the SQL command produced from the web form; a mismatch indicates an anomaly and access is denied to the attacker. The other defense is privilege separation, which divides the application into privileged and unprivileged parts, so that programming errors in the unprivileged part cannot be used to gain special system privileges.
References
Application Security, Inc. “Database Security a Key Component of Application Security.”
Buehrer, Gregory T., Bruce W. Weide, and Paolo A. G. Sivilotti. “Using Parse Tree Validation to Prevent SQL Injection Attacks.” <ftp://ftp.cse.ohio-state.edu/pub/tech-report/2005/TR38.pdf>.
Choudhury, Roshmi. “SQL Injections in Web Applications.” <http://hosteddocs.ittoolbox.com/RC021304.pdf>.
Friedl, Markus, Peter Honeyman, and Niels Provos. “Preventing Privilege Escalation.” <http://www.citi.umich.edu/u/provos/papers/privsep.pdf>.
Harper, Mitchell. “SQL Injection Attacks – Are You Safe?” (2002). <http://www.sitepoint.com/article/sql-injection-attacks-safe>.
Koenig, Gregory A., et al. “Detection of Privilege Escalation for Linux Cluster Security.” (2004).
Rahmel, Dan. “Database Security.” Internet Systems. <http://www.governmentsecurity.org/articles/DatabaseSecurityPart1.php>.