Mechanisms and intentions of SQL Injection Attack Essay

An SQL Injection Attack (SQLIA) can be defined as subset of the unproven and unsanitized data vulnerability which happens when a malicious hacker tries to modify the logic, definition or language, and behaviour of a SQL statement which is generated dynamically by entering extra SQL keywords and operators into the statement with the help of query string in the URL or HTML form values.

Mechanisms and intentions of Sql Injection attacks

The vulnerable applications are always a source for the attackers to inject Malicious SQL queries using various mechanisms. The mechanisms can be classified as follows

User input The malicious users inject sql queries by giving appropriately formulated user input. The input can be read by the web application in various ways and entirely depends on the environment it is deployed. In most of the cases, the web application receives user input from the forms which are sent to application using http get or post requests.

SQL injection via cookies The clients data state information is usually stored in cookies and the data is returned to a web application using these cookies. The client has a grip on the cookie storage and as a result a vulnerable client could hack the details and cookie contents. The hacker would easily attack the web application by inserting malicious code in the cookies if the application employs cookies to construct Sql queries.

SQL injection via server variables The variables consisting of HTTP, environment variables and network headers are considered as Server variables. The server variables are utilized by the web applications like verifying browsing patterns, logging information .If the variables are inserted into database for logging purpose without proper validations then it can lead to SQL injection attacks. The attackers can fabricate the data present in the headers of HTTP and Network and inject the SQL vulnerability by directly inserting the values in them. The attack is provoked when the sql query is inserted to the database.

Injections Second order In this type of attacks the malicious user seeds vulnerable inputs to the database. This will result in an SQL injection attack to take place when this input is used in future. The intention of this mechanism contrasts with regular attacks where the attack doesnt trigger when the vulnerable input reaches the system initially. The attacker depends on expertise of where the input will be employed. Based on that, they plan their attack such that it happens during that usage. These attacks are very tiresome to identify and avoid as the attack injection stage is distinctive from the attack phase. Though the developers escapes, checks the types and filter the input that arrives from the user, this data might be utilized in a different scenario or another context which will result in sql injection vulnerabilities.

Attacks can be classified in terms of intention of the attacker. The following are the intentions behind attack

Identifying database schema In order to fetch the data from a database appropriately, the attacker inclines to know information