Another application threat related to SQL injection is Denial of Service (DoS), which in its most extreme form brings the Web application to a halt by shutting down its backend database. It occurs when an attacker appends a SHUTDOWN command to an injected SQL statement, or crafts complex queries (for example, self-joins over large tables) that force the database into time-consuming passes over large amounts of data, consuming precious CPU time on the database servers. These techniques are generally well known. They require true SQL injection, and the expensive-query variant usually also requires very large tables to exist in the target database.
What is relatively new is the use of search fields that perform LIKE comparisons on the search term to induce DoS without the user supplying any additional command or clause. Even if the application code is written correctly (for example, with parameterized queries so that no injection is possible), an application that fetches results through an approximate search of the backend database may still be vulnerable. The phenomenon is due to the way commercial databases implement the LIKE operator: certain characters carry special "wild card" meaning (in standard SQL, "%" matches any sequence of characters and "_" matches any single character; SQL Server additionally supports character classes such as "[a-f]" and their negation "[^a-f]"), which brings LIKE pattern matching close to regular-expression territory, and close to its cost.
The most obvious consequence of a specially crafted approximate-search expression is that the database cannot use its indexes: a pattern that begins with a wildcard defeats an index lookup, so the entire table must be scanned sequentially instead of a small part of an index being traversed. On top of that, the engine applies the complex pattern to every row in the table. Because each such query takes a long time, the application slows down as the database server's CPU is consumed and the application server's worker threads sit blocked on open connections. Some studies have shown that a search term of only a few characters, run against a relatively small table of just a couple of thousand records, can keep the CPU fully busy for thirty seconds or more. This is a simple yet powerful way to induce DoS in an application even when it is not directly susceptible to SQL injection.
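The following is an added example (not code from the original paper) illustrating both points above: a parameterized query is immune to classic SQL injection, yet user-supplied "%" and "_" still reach the LIKE operator as wildcards, and the fix is to escape them with an ESCAPE clause and to cap the term length (or, where wildcards are a deliberate feature, to budget them). The "products" table, its constructed sample rows, and the helper names are all hypothetical. SQLite is used so the code runs offline; SQLite only knows "%" and "_", but the escaping also covers "[" for SQL Server's character classes.

```python
import sqlite3

# Added example, not code from the original paper. The "products" table, the
# sample rows and the helper names below are hypothetical.

ESCAPE = "\\"
# Characters that LIKE treats specially. "%" and "_" are standard SQL; "[" opens
# a character class on SQL Server and Sybase, so it is included to keep the
# helper safe there too. The escape character itself must also be escaped so an
# attacker cannot neutralise the escaping.
LIKE_SPECIALS = frozenset("%_[" + ESCAPE)


def escape_like(term, escape=ESCAPE):
    """Prefix every LIKE-special character with the escape character so the
    user's text is matched literally. Must be paired with an ESCAPE clause."""
    return "".join(escape + ch if ch in LIKE_SPECIALS else ch for ch in term)


def too_many_wildcards(term, budget=2):
    """Alternative policy for applications that deliberately let users type
    wildcards: reject terms whose wildcard count exceeds a small budget, since
    the matching cost of a LIKE pattern grows with the number of wildcards."""
    return sum(ch in "%_[" for ch in term) > budget


def make_db(rows=2000):
    """Constructed sample data: a small table comparable in size to the
    'couple of thousand records' mentioned in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        ((f"widget-{i:05d}-model-{i % 97}",) for i in range(rows)),
    )
    conn.execute("CREATE INDEX idx_products_name ON products(name)")
    conn.commit()
    return conn


def search_naive(conn, term):
    """Parameterised, hence immune to classic SQL injection, but the user's
    '%' and '_' still reach LIKE as wildcards and drive the matching cost."""
    return conn.execute(
        "SELECT id FROM products WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


def search_hardened(conn, term, max_len=64):
    """Length-capped and wildcard-escaped: the only wildcards in the final
    pattern are the two '%' the application adds itself."""
    if len(term) > max_len:
        raise ValueError("search term too long")
    pattern = f"%{escape_like(term)}%"
    return conn.execute(
        "SELECT id FROM products WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A term made only of wildcards matches every row in the naive version and
    # nothing in the hardened one, since no product name contains a literal '%'.
    print(len(search_naive(db, "%")), len(search_hardened(db, "%")))  # 2000 0
    # Underscores match any character in the naive search; hardened, they are literal.
    print(len(search_naive(db, "_____-00001")),
          len(search_hardened(db, "_____-00001")))  # 1 0
    print(too_many_wildcards("%a%b%c%"), too_many_wildcards("widget"))  # True False
```

Note that `search_hardened` still prefixes the pattern with "%", so the query cannot use the index on `name` either; the point of the hardening is to bound the work per row (a fixed pattern with exactly two wildcards) and per request (the length cap), not to make the search indexable. If the search must be fast as well as safe, drop the leading "%" (prefix match) or move the search to a full-text index.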