Game of Thrones: the SQL

Posted on Apr 12, 2019

Winter has arrived - both in Game of Thrones and cybersecurity. Increased severity and number of data breaches mimic the rise of the White Walkers. So, in honor of the start of its last season, we present to you the Game of Thrones Friday Series where each week (of the season) we will select one of the remaining Great Houses and see how it compares to cybersecurity’s top threats of today.

First up: House Stark and SQL injection

What is SQL?

Structured Query Language (SQL) is a coding language used by many web-based databases and servers. As a coding language, SQL enables programmers to organize information and put it into readable tables that make sense to users.

In other words, SQL as a coding language is necessary for using web-based applications meaningfully. At the beginning of Game of Thrones, The North, ruled by the Stark house, was a peaceful contribution to the balance of the seven kingdoms and not inherently dangerous, just like SQL code.

What is a SQL injection?

One of the oldest and least sophisticated cyber attacks, SQL injections take advantage of web page security weaknesses. The malicious code infiltrates databases by replacing traditional login code in web applications so that when users enter their name/ID and password, the cybercriminals can obtain access to the databases.

Throughout the series, many of the Starks develop the characteristics resembling a SQL injection. An SQL injection plainly put, disguises itself as the web application’s login. And while they may look benign to the untrained eye, SQL injections use this surface-level innocence to carry out nefarious and dangerous attacks.

The Stark who resembles this best is Arya. She hides in plain sight many times throughout her quest to get back to Winterfell from Southern House Lannister. She disguises herself as a cup bearing boy to Roose Bolton to avoid death. Then, she wreaks havoc later under the guidance of Jaquen H’ghar where she learns to be a stealth threat not to be reckoned with.

How does a malicious SQL code work?

SQL injections are dangerous primarily because SQL is a database language that provides access to and manipulation of databases. The standard coding allows users to retrieve, update, and remove data. Many database servers use SQL commands to execute activities within them, including Microsoft SQL Server 2000. Just like Arya hid both as a boy and as an assassin in service to the Many-Faced God, SQL injections can either infiltrate or assassinate databases.

1=1 SQL Injection: Disguised in Plain Sight

When creating database code, particularly for web-based applications, programmers need to establish algorithms that match users to their passwords. A 1=1 attack exploits vulnerabilities in the user tables, the code that matches people to passwords.

For example, imagine the following login directions underlying database access.

UserName=LastName

Password=Pword

SELECT userid

FROM users  

WHERE UserName=’ ‘ AND Password=PWord

The user table that this code draws from, therefore, lists all last names and matches them with the individuals’ passwords. Thus, all a person has to do is type in their “LastName” in the login box and their “Password” in the password box to obtain access. Then, the database recognizes the information by providing access and authenticating the user.

A 1=1 SQL injection changes "Password" definition within the database table. They place a malicious SQL code into the database and rewrite the database command:

UserName=LastName

Password=Pword

SELECT userid

FROM users

WHERE UserName=’UserName’ AND Password= Password OR 1=1’.”

This code change does two things. First, “UserName” is no longer defined specifically as “LastName” while “Password” is no longer specifically defined as “PWord.” Both “LastName” and “Pword” are specific to individual users.

Second, by adding the “OR 1=1,” any information provided in the form will lead to database access because 1=1 means that anything is always true and always succeeds.

Like a SQL code, Arya Stark starts Game of Thrones as a normal girl. However, she becomes a SQL injection as she changes her identity, ultimately becoming a dangerous threat as she learns how to sword fight and kill.

Union-Based SQL Injection: The Faceless Men Assassin

A union-based SQL injection goes beyond a simple login infiltration. While 1=1 requires specifications and descriptions, union-based allows an attacker to infiltrate the system tables rather than the user tables. System tables define how users and information are linked together within a system. For example, marketing users will access all customer information while human resources can access all payroll information.

However, each company has its own way of linking people to systems and defining the system tables. The union-based SQL injection accounts for this because it brings together, or creates a “union,” code that makes it easier to guess these definitions.

At its core, the union-based SQL injection allows cybercriminals to input code that offers invalid information. When the system returns an error, it provides a message about what information led to the error. For example, after inputting an incorrect table name guess, the error message will indicate whether the table was non-existent or whether the table exists but the information in the table differs from the request.

If the table name exists, but the types of data known as columns, are incorrect, the attacker can then try to guess at the number of columns. They use the “Order” command to tell them how many columns there are. Once they determine the number of columns, they use the error feedback to narrow down the column names until no error message comes back and the data list is available.

Arya, similarly, joins the Faceless Men at Braavos. To pass the game of faces and become an assassin, Arya must lie convincingly. She creates false stories but fails several times, just like the union-based SQL injection lies to system tables and fails at first. Only when she can convincingly lie and disguise herself, can she carry out her desired assassinations. In other words, just like a union-based SQL injection, Arya needs to learn from the failures in order to carry out her nefarious plans.

So there you have it. Arya Stark as the perfect example of a Game of Thrones SQL injection.

Check out next Friday to see which house remains, and which threat is next.  

Security Research in your Inbox

Thanks for siging up for the newsletter!

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!