Time-based Blind injection attacks and Countermeasures

A CSR or Certificate Signing request is a block of encrypted data that is generated on the server that the certificate is going to be used on. It contains information that will be needed to generate your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually generated while you create the CSR.

A certificate authority can use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a CSR will only work with the private key that was generated with it. Hence if you lose the private key, the certificate will no longer work.

Contents

Common Name (CN): The fully qualified domain name (FQDN) of your server.
Organization (O): The legal name of your organization.
Organizational Unit (OU): The division of your organization handling the certificate.
City/Locality (L): The city where your organization is located.

SQL being one of the oldest vulnerability to exist in the security domain can be used to leverage other attacks namely Authentication bypass, tamper with the data’s in the database, modify or delete them etc. As most of us are already aware of the classic SQL injection, in this article we will explore a different class of this injection known as Time Based Blind SQL injection attacks.

In a Blind SQL injection (also known as Inferential SQLi) an attacker is able to reassemble the structure of the database by sending additional payload along with the existing SQL query and finally analyzing and observing the behavior of the database server. Thus an attacker might not be able to directly get a final answer or sensitive information from the database, however a fair idea about a particular situation exist or not can be made out through it. Moving a step forward, Time Based SQL injections are used when every other possible outcomes fail. In this kind of SQL injection a heavy SQL payload segment is combined with the original query and the response time for the modified query is observed or analyzed thereby deducing some form of information from/about the database. This type is particularly used when the generic blind SQL injection fails and can be used to determine whether a particular vulnerability exists or not. To retrieve information from a database time delay is integrated in a condition SQL statement and thereby ask a question yes/no to the database. Now depending whether the condition will be executed or not the response from the server will be quite abnormally long but the time delay would be executed even then. In this way the attacker would get to know whether that particular condition in that time delayed query was true or false. Depending on the type of Database below are the few conditional statements for different databases.

Time-based SQL attack in MySQL database:

Testing for time-based injections is quite simple. All we need to do is to integrate a time delay function ( eg. SLEEP() or BENCHMARK() ) with the SQL statement. For eg. The below query could be used to identify if SQL injection persists for the particular parameter in the query statement

                   SELECT * FROM products WHERE id=1-SLEEP (15)

If the above SQL statement executes with a time delay, then it would mean that MySQL database server is used. Furthermore to get more information or to extract some data from the database, the time delay function can be integrated inside a conditional statement as given below.

                  SELECT * FROM products WHERE id=1-IF(MID(VERSION(),1,1) = '4', SLEEP(20), 0)

In this statement if the servers responses not before 20 seconds, then we can conclude that the database used is MySQL and the version is 4.Thus we are able to get the version of the database just by incorporating a simple SLEEP () function in the SQL statement.

Preventing Time-based SQL injection:

As mentioned above time-based SQL injection a sub category of SQL injection and preventing it is no different than that of SQL injection. First and foremost parameterized queries (prepared statements) should be used. To achieve this the Web Application needs to be completely isolated from the SQL database using stored procedures, like JDBC’s CallableStatement or ADO's Command Object. Other than this timely vulnerability analysis must be done using automated tools like IBM app scan, ZAP proxy, add-ons in tools like BURP suite are also available for detecting SQL injection of different type.

Pros and Cons of Time-based attacks:

When compared to error-based SQL injection, this type does not affect the logs or even if it does it has little to no impact. However when heavy queries are used the administrator might realize that something is going on.

While testing web application server load and issues like network speed can prove to be fatal, so one needs to pause the query long enough to make sure that these factor do not falsify the result. However to combat this issues we might use a short time delay, but that will again be difficult as no exact time delay can be injected.

References:

https://www.acunetix.com/websitesecurity/blind-sql-injection/

https://searchsecurity.techtarget.com/tip/Preventing-blind-SQL-injection-attacks

Authored By - Sayan Upadhyay
TCS Cyber Security Practice

 

Rate this article: 
Average: 5 (8 votes)
Article category: