In general, injection techniques can be summarised in two main categories. The first is the manual technique, which uses the attack types discussed in the previous section. The success of this type of injection depends on the attacker's experience and on the security level of the target web application. The detection techniques used against this type of attack rely on detecting the user input, or in other words on detecting the injection paths, which can be summarised as follows:
- Inputting data by using a parameter
Chapter 2 - Background and Related Works
- Inputting data by using a hidden field
- Inputting data by tampering with the HTTP header
- Inputting data by poisoning the application cookies (Livshits, Lam 2005).
The other type of injection attack is automated SQL injection using one of the existing injection tools built to attack web applications. Some of these tools are discussed in the next section.
2.6.1. SQL Injection Tools
Several automated injection tools have been used for attacks, as a tool is easier to use than a manual attack: the attacker only supplies the basic information the tool requires and waits until the tool returns the result of the attack, whether successful or not. Many tools have been created; some are primitive tools that can only attack a specific database or execute a prepared injection procedure, while others can attack any database type and can be used to execute different injection attacks.
One of the primitive tools is SQLdict, which can be used with MS SQL Server only. This tool needs some values to start: the IP address and the SQL account of the victim, in addition to loading a password dictionary. If the injection attack succeeds, the tool returns the password of this account.
Figure 3 shows an example of how the SQL account 'sa' is attacked by the SQLdict tool; the tool has returned the password value of this account.
The weakness of this tool is that it is limited to one database engine type, and it can only search for the password of a known SQL account within the password dictionary loaded by the tool (SQLdict Tool 2008).
Another SQL injection tool is SQLIer, which can be used to attack the MySQL type of database. In general, this tool attacks a vulnerable URL and tries to find out some information about the vulnerable components in order to create an SQL injection template and start exploiting it. The common use of this tool is to find the password of the database based on the Union query attack. SQLIer runs using the following command:
sqlier [options, such as -u for username, -o to crack the password to a file, etc.] [URL]
This tool is better than SQLdict as it does not need a dictionary in which to find the password.
However, both tools are still primitive, as each can only be used to inject a specific database type and to execute a specific injection attack (SQLIer 2006).
One of the more sophisticated SQL injection tools is SQLmap, as it has many features that can be summarised as follows:
- Can attack different types of databases such as Oracle, MySQL, etc.
- Supports different types of SQL injection techniques, such as blind injection, Union query and others.
- Searches for a specific database name, table or column, and finds the relevant names that contain the strings user name and password.
- Establishes an interaction channel between the attacker's PC and the DB server using a TCP connection (SQLmap 2012).
Use of the SQLmap tool is similar to the previous tools, as it needs some information to start, such as the target server address. Then, it can start attacks or test the web application for components vulnerable to SQL injection. However, SQLmap has more features and better performance, and it is not limited to one database type like the primitive tools.
There are also many other tools, such as SQLSmack for MySQL and OracSec for the Oracle database; each one has its advantages and limitations depending on the type and environment of use.
The mentioned tools have been produced as a result of many studies on the detection of vulnerable components in web applications. Before discussing these studies, an important point should be addressed: the problem of false positives and false negatives in the detection result. The next section highlights those points and clarifies the differences between them.
2.6.2. False Positive and False Negative
False positives are "when a tool reports incorrectly that a vulnerability exists, when in fact one does not". Conversely, false negatives are "when a tool does not report that a vulnerability exists, when in fact one does" (Clarke 2012). Therefore, the most dangerous type of checking result is the false negative. Some of the existing studies measure the success of their approaches by checking the percentage or rate of false positives and false negatives in their results as one of the evaluation criteria. For example, (Jovanovic, Kruegel et al. 2006) mentioned that no false positives were produced by their checking model, and (Halfond, Orso 2005) said that their approach produced false positives in only two cases, which they specified. Thus, if a specific study has a high rate of false positives or negatives compared with other studies, the technique of the study with fewer false positives or negatives is the more accurate one.
In the next sections, the different types of existing detection techniques will be highlighted.
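As an added example that is not part of this thesis or of any tool it cites, the following Python code ties together the two points above: it checks each of the four injection paths listed in Section 2.6 (parameter, hidden field, HTTP header, cookie) for signatures of SQL syntax, and then evaluates that signature check against a small labelled set of requests to count true/false positives and negatives and compute the false-positive and false-negative rates defined in Section 2.6.2. The request model, the indicator patterns and all sample traffic are constructed for this illustration; the signature set is deliberately crude so that the evaluation exhibits one false positive (a legitimate comment containing "--") and one false negative (a URL-encoded value the plain-text signatures miss).

```python
"""Added example, not code from the thesis: input-path SQL injection indicator
check plus a false-positive / false-negative evaluation. All data is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four injection paths named in Section 2.6, one dict per path.
@dataclass
class Request:
    params: Dict[str, str] = field(default_factory=dict)   # query/form parameters
    hidden: Dict[str, str] = field(default_factory=dict)   # hidden form fields
    headers: Dict[str, str] = field(default_factory=dict)  # HTTP headers
    cookies: Dict[str, str] = field(default_factory=dict)  # application cookies

# Signature-based indicators of SQL syntax in untrusted input (constructed, crude by design).
INDICATORS = [
    re.compile(r"'\s*(or|and)\s+[^=]*=", re.I),              # tautology after a quote
    re.compile(r"\bunion\b.*\bselect\b", re.I),              # union query
    re.compile(r"--|/\*|;\s*(drop|delete|insert)\b", re.I),  # comment or stacked statement
]

def find_injection_paths(req: Request) -> List[Tuple[str, str]]:
    """Return (path, field name) for every input value matching an indicator."""
    hits = []
    for path in ("params", "hidden", "headers", "cookies"):
        for name, value in getattr(req, path).items():
            if any(p.search(value) for p in INDICATORS):
                hits.append((path, name))
    return hits

def is_flagged(req: Request) -> bool:
    return bool(find_injection_paths(req))

def evaluate(labelled: List[Tuple[Request, bool]]) -> Dict[str, float]:
    """Confusion counts and FP/FN rates; labelled holds (request, truly_malicious)."""
    tp = fp = tn = fn = 0
    for req, malicious in labelled:
        flagged = is_flagged(req)
        if flagged and malicious:
            tp += 1          # correctly reported
        elif flagged and not malicious:
            fp += 1          # reported, but nothing was there (false positive)
        elif not flagged and malicious:
            fn += 1          # missed a real injection (false negative)
        else:
            tn += 1
    fpr = fp / (fp + tn) if fp + tn else 0.0
    fnr = fn / (fn + tp) if fn + tp else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn, "fpr": fpr, "fnr": fnr}

# Constructed sample traffic: (request, ground truth).
SAMPLES = [
    (Request(params={"id": "42"}), False),
    (Request(params={"id": "42' or '1'='1"}), True),
    (Request(hidden={"price": "10 union select username,password from users"}), True),
    (Request(headers={"User-Agent": "Mozilla/5.0"}), False),
    (Request(cookies={"session": "abc'; drop table users--"}), True),
    # False positive: a legitimate free-text field that happens to contain "--"
    (Request(params={"comment": "see notes -- page 3"}), False),
    # False negative: URL-encoded payload that the plain-text signatures do not match
    (Request(params={"id": "42%27%20or%201%3D1"}), True),
]

if __name__ == "__main__":
    for req, _ in SAMPLES:
        print(find_injection_paths(req))
    print(evaluate(SAMPLES))
```

Running the module prints the flagged (path, field) pairs for each request and then the confusion counts; on the constructed set it yields 3 true positives, 1 false positive, 2 true negatives and 1 false negative, so a false-positive rate of 1/3 and a false-negative rate of 1/4. The false negative is the more serious result in the sense the section describes: it is an attack the check silently lets through, which is why studies report both rates rather than only the false-positive count.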