Chapter 2

Code Injection

Last week
• We discussed:
• Malicious Software (Malware)
• Ransomware
• Brute force attack
• Man-in-the-middle attack
• We conducted a brute force attack in the lab.
This Lecture
• We will discuss code injection attacks
• SQL injection

• In lab 3, you will have the chance to conduct a SQL injection attack.
What is code injection attack?
What is software program?

input: Data (e.g., username, password)
Computer Software Program: Code (e.g., java, node, SQL)
output

• Insight: Computers do not distinguish data from code. They just execute
instructions that consist of (code + data).
• What if I turn the data into code?

input: Code (e.g., java, node, SQL)
Computer Software Program: Code (e.g., java, node, SQL)
output
What is code injection attack?
• A code injection is an attack where an attacker is able to inject malicious
code into a program or system, which is then executed by that system.

• The goal of code injection can vary but often includes data disclosure,
data tampering, bypassing access controls, or executing malicious
actions on the server or client-side systems.
General Example of code injection?

input: Data (1, 2)
Computer: Code (x + y), evaluated as 1+2
output: 3

What if I turn the data into code?

input: Data (1, 2 / 0)
Computer: Code (x + y), evaluated as 1+2/0
output: Error
Types of code injections
• SQL Injection (SQLi): This occurs when an attacker is able to inject
malicious SQL queries into an input field of an application, which are
then executed by the database. It can lead to unauthorized access to
or manipulation of the database.
• Cross-Site Scripting (XSS): In this attack, malicious scripts are injected
into content that is then served to other users. When the malicious
content is executed, it can steal cookies, session tokens, or other
sensitive information from the users.
SQL injection
• What is SQL?
• SQL, which stands for Structured Query Language, is a standard programming
language specifically designed for managing and manipulating relational
databases.

• It allows users to perform various operations on a database such as querying
data, updating records, deleting records, and creating, altering, and dropping
tables.
SQL injection (SQL Review)
• Key operations in SQL include:
• SELECT: Fetches data from a database table.
• INSERT: Inserts new data into a database table.
• UPDATE: Modifies existing data within a table.
• DELETE: Removes data from a table.
SQL injection (SQL Review)

StudentID  FirstName  LastName  BirthDate   Major
1          Ahmed      Alotaibi  2000-01-01  Computer Science
2          Abdulaziz  Ansaris   1999-05-15  Mathematics
3          Khalid     Aziz      2001-03-22  Physics

• This is a Table. Let's call it Students.
• Each Table has rows that represent Data in the database.
• Each Table has columns that represent Attributes in the database.
• Now, let us do some SQL operations on them.

1. We need Students data with Major = "Computer Science"
2. We need Students name with Major = "Computer Science"
3. We need to update Students' Major from "Computer Science" to "Software Engineering"
4. We need to delete Students with StudentID = 3.
5. We need to delete all the data.
SQL injection (SQL Review)
Retrieve Students Data with Major = "Computer Science"
To get the full data of students who are majoring in Computer Science,
you would use the following SQL query:

SELECT * FROM Students WHERE Major = 'Computer Science';

• SELECT: the operation; here, to retrieve data from the database
• *: all attributes in the table
• FROM Students: the table name
• WHERE: condition statements start here
• Major = 'Computer Science': a condition that compares the value of an attribute

Run against the Students table above, this query returns only the row with
StudentID = 1 (Ahmed Alotaibi).
SQL injection (SQL Review)
Retrieve Students Name with Major = "Computer Science"
To get just the names of the students who are majoring in Computer
Science:

SELECT FirstName, LastName FROM Students WHERE Major = 'Computer Science';

Run against the Students table above, this returns a single row: Ahmed, Alotaibi.
SQL injection (SQL Review)
Update Students' Major from "Computer Science" to "Software Engineering"
To update the Major for students from "Computer Science" to "Software
Engineering":

UPDATE Students SET Major = 'Software Engineering' WHERE Major = 'Computer Science';

After this update, the Major of StudentID 1 (Ahmed Alotaibi) changes from
Computer Science to Software Engineering; the other rows are unchanged.
SQL injection (SQL Review)
Delete Student with StudentID = 3
To delete the student whose StudentID is 3:

DELETE FROM Students WHERE StudentID = 3;

After this statement, the row for Khalid Aziz is gone and only StudentID 1 and 2 remain.
SQL injection (SQL Review)
To delete all data from the Students table (without removing the table
itself), you would use:

DELETE FROM Students;

After this statement, the Students table still exists but contains no rows.
SQL injection
• Now we want to perform SQL injection.
• Consider the SQL query used to retrieve students with a specific major:
• SELECT * FROM Students WHERE Major = 'Computer Science';

• In real applications, Major might be an input provided from users:

• SELECT * FROM Students WHERE Major = '<user_input>';
• SELECT * FROM Students WHERE Major = 'Computer Science';
• SELECT * FROM Students WHERE Major = 'Software Engineering';

• Now, what if the user input is an SQL statement?

• SELECT * FROM Students WHERE Major = '<user_input>';
• SELECT * FROM Students WHERE Major = 'XXXX' OR 1=1; -- '
SQL injection
• SELECT * FROM Students WHERE Major = 'XXXX' OR 1=1; -- '
• Instead of providing a major like Software Engineering, the attacker provided
XXXX' OR 1=1; --
• XXXX is the Major value. In this case it does not matter what you provide; it could be
an empty space. The attack could be ' OR 1=1; --
• ' is used to close the Major value quotation so that an SQL statement can be injected next.
• OR is used to add an additional condition to the WHERE clause. The goal is to make
the condition always evaluate to true.
• 1=1 is the condition that always evaluates to true.
• ; -- is often added to ignore the rest of the original query (other conditions, if any),
since -- starts an SQL comment.
SQL injection

StudentID  FirstName  LastName  BirthDate   Major
1          Ahmed      Alotaibi  2000-01-01  Computer Science
2          Abdulaziz  Ansaris   1999-05-15  Mathematics
3          Khalid     Aziz      2001-03-22  Physics

SELECT * FROM Students WHERE Major = 'Computer Science';
Returns only the row with StudentID = 1.

SELECT * FROM Students WHERE Major = 'XXXX' OR 1=1; -- '
Returns all three rows: 1=1 is true for every row, and the closing quote that the
application appended is commented out by --.
SQL injection
• SELECT * FROM Students WHERE Major = 'XXXX' OR 1=1; -- '
• This attack could impact confidentiality.
• The name of this SQL injection attack is Tautology Based Injection.
• This involves injecting a tautology (a statement that is always true, such as 1=1) into a
query to manipulate its logic. For example, an attacker might add OR 1=1 to a
conditional statement to bypass authentication or retrieve additional data.

• Another SQL injection attack type is Piggy-Backed Queries.
• Piggy-backed queries involve appending additional queries to the original query
using a semicolon (;). This allows attackers to execute multiple statements within a
single query string, potentially giving them unauthorized access to modify or delete
data.
SQL injection
• Piggy-Backed Queries:
• Consider the SQL query used to retrieve students with a specific major:
• SELECT * FROM Students WHERE Major = '<user_input>';
• What if the user provides '; DELETE FROM Students; --
• The query will be SELECT * FROM Students WHERE Major = ' '; DELETE FROM Students; --'
• Two queries will be executed:
• SELECT * FROM Students WHERE Major = ' ';
• DELETE FROM Students; --'
SQL injection
Against the same three-row Students table:

SELECT * FROM Students WHERE Major = 'Computer Science';
Returns only the row with StudentID = 1.

SELECT * FROM Students WHERE Major = ' '; DELETE FROM Students; --'
The SELECT matches nothing, and the piggy-backed DELETE removes every row from Students.
SQL injection vulnerabilities
• SQL injection vulnerabilities occur when an application insecurely
accepts user input that is directly included in SQL statements without
proper validation or sanitization. This can allow attackers to
manipulate SQL queries and potentially access or modify data in ways
not intended by the application developer.
Where are the SQL injection vulnerabilities?
• Wherever the application accepts user input that is directly included in SQL statements.