SQL Injection Attacks
There are few vulnerabilities that strike more fear into the hearts of security professionals than a SQL injection attack. Why? Because unlike most vulnerabilities, which can be readily detected, a SQL injection flaw can sit hidden within a vulnerable application until someone finds and exploits it.
What is a SQL Injection Attack?
A SQL injection attack is, at its core, an attacker turning a vulnerable application (vulnerable because of programming errors) against itself and getting it to divulge either information about the application that can be used to further the attack or, even worse, information contained within an attached database. While some SQL injection attacks are very complex, some can be as simple as appending a single quote (tick mark) to the end of a web URL to get a response from the application that reveals details about the application or the database fields it serves.
SQL Injection Examples
Example Query Statement Command 1:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
This example builds a SELECT statement by appending a variable (txtUserId) to a query string. The variable is taken directly from user input (getRequestString), so whatever the user supplies becomes part of the SQL text.
Example Query Statement Command 2:
SELECT * FROM Users WHERE UserId = 105 OR 1=1;
The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
These are just two examples of what SQL injection attack commands can look like when attackers are trying to gain access to an application or server. There are numerous other command permutations that can be used to elicit specific information from the application or from the server database that sits behind it. Which ones are used is entirely up to the attacker.
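To make the two example statements above concrete, here is an added example (not code from the original article) that runs both the concatenated query and its parameterized counterpart against a constructed in-memory SQLite table. The table contents, the function names, and the use of Python's sqlite3 module are all assumptions made for the demonstration; the input "105 OR 1=1" is the article's own example.

```python
import sqlite3

# Constructed sample data (assumption): three rows in a Users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(105, "alice"), (106, "bob"), (107, "carol")])
    return conn

def lookup_concatenated(conn, txt_user_id):
    # Vulnerable form: mirrors txtSQL = "SELECT ... WHERE UserId = " + txtUserId.
    # The user's text becomes part of the SQL statement itself.
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    return conn.execute(txt_sql).fetchall()

def lookup_parameterized(conn, txt_user_id):
    # Hardened form: the user's value is bound as a parameter, so the
    # database engine treats it as data, never as SQL syntax.
    return conn.execute("SELECT * FROM Users WHERE UserId = ?",
                        (txt_user_id,)).fetchall()

def demo():
    """Return row counts for a benign and a hostile input under both forms."""
    conn = make_db()
    benign = "105"
    hostile = "105 OR 1=1"      # the article's example 2, as user input
    return {
        "concat_benign": len(lookup_concatenated(conn, benign)),
        "concat_hostile": len(lookup_concatenated(conn, hostile)),
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
    }

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With concatenation the hostile input returns every row in the table, exactly as the article describes for "OR 1=1"; with a bound parameter the same input matches nothing, because "105 OR 1=1" is compared as a literal value rather than parsed as SQL. This is why parameterized queries (prepared statements) are the first-line fix for the programming error the article identifies.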
Are All Applications Subject to SQL Injection Attacks?
In a word, yes. Unless the developers are trained in secure coding, and sometimes even then, there is always a chance that SQL injection flaws are present in an application, just waiting to be found and exploited to divulge content. If the developers are not trained in secure coding, the likelihood of a SQL injection issue in the application goes up dramatically.
How Can SQL Injection Vulnerabilities Be Addressed?
Of course, I’ve already discussed training developers in secure coding practices. This is just one way in a long list of things that can be done to address the issue. Let’s discuss a few other ways that SQL injection attacks can be discovered or remediated.
A penetration test is where you have an individual, usually an ethical hacker, use toolsets such as Burp Suite and others to locate SQL injection issues and extract content from the application that gives them insight into the underlying applications or databases. If a potential SQL injection issue is discovered, the ethical hacker then uses manual or automated testing to determine whether the finding is valid and, if so, to what extent it can be exploited and what information can be gained through the exploitation.
Code reviews are just what they sound like: the manual or automated review of application code that looks specifically for SQL injection vulnerabilities and other issues in an application. These reviews look for common mistakes that an application developer may make and provide guidance on what needs to be changed in the application code so that the application can be secured before it is placed into production.
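The kind of "common mistake" an automated code review looks for is the pattern from the article's first example: a SQL string literal combined with a variable instead of a bound parameter. The following is an added example (not a tool from the original article) of a minimal, regex-based reviewer that flags that pattern in Python source. The sample source it scans is constructed for the demonstration, and the heuristics are assumptions about typical coding styles rather than an exhaustive scanner.

```python
import re

# A string literal (optionally an f-string) containing a SQL verb.
SQL_LITERAL = re.compile(
    r'''(?i)(f?)(["'])[^"']*\b(select|insert|update|delete)\b[^"']*\2''')
# Ways a value commonly gets spliced into that literal.
CONCAT_AFTER = re.compile(r'''["']\s*\+\s*\w''')
PERCENT_AFTER = re.compile(r'''["']\s*%\s*[\w(]''')
FORMAT_AFTER = re.compile(r'''["']\s*\.format\(''')
PLACEHOLDER = re.compile(r'\{\w*\}')

def review_line(line):
    """Return a finding string if the line builds SQL from a variable, else None."""
    m = SQL_LITERAL.search(line)
    if not m:
        return None
    if m.group(1) == "f" and PLACEHOLDER.search(m.group(0)):
        return "f-string interpolates a value into SQL"
    if CONCAT_AFTER.search(line):
        return "SQL literal built by string concatenation"
    if PERCENT_AFTER.search(line):
        return "SQL literal built with %-formatting"
    if FORMAT_AFTER.search(line):
        return "SQL literal built with str.format()"
    return None          # e.g. a parameterized query with ? or %s placeholders

def review_source(source):
    """Scan a source text and return (line_number, reason) pairs."""
    findings = []
    for n, line in enumerate(source.splitlines(), start=1):
        reason = review_line(line)
        if reason:
            findings.append((n, reason))
    return findings

# Constructed sample source (assumption): four risky lines and one safe line.
SAMPLE_SOURCE = '''txt_user_id = request.args.get("UserId")
txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
cur.execute(txt_sql)
cur.execute("SELECT * FROM Users WHERE UserId = %s" % txt_user_id)
cur.execute("SELECT * FROM Users WHERE UserId = {}".format(txt_user_id))
cur.execute(f"SELECT * FROM Users WHERE UserId = {txt_user_id}")
cur.execute("SELECT * FROM Users WHERE UserId = ?", (txt_user_id,))'''

if __name__ == "__main__":
    for n, reason in review_source(SAMPLE_SOURCE):
        print(f"line {n}: {reason}")
```

The parameterized call on the last sample line passes the variable as a separate argument, so it is not flagged. A line-oriented regex check like this only catches the obvious cases (it misses queries assembled across several lines, as line 3 of the sample shows); production static-analysis tools work on the syntax tree and trace tainted input to the query call, which is why the article recommends them alongside manual review.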
Binary analysis is somewhat similar to a code review; however, instead of running the raw source code through a tool, binary analysis takes the compiled code and subjects it to a litany of tests looking for SQL injection and other vulnerabilities, such as buffer overflows, within the compiled code. Just as with code reviews, binary analysis provides the end user with examples of what needs to be done to remediate the issue before the application is placed into a state where people outside the organization can use it.
But How Do I Prevent SQL Injection Attacks?
The three methods outlined above give you some idea of what needs to be done to locate and remediate SQL injection and other kinds of coding vulnerabilities. However, you also need to look at the big picture and see what can be done to address matters before they become a zero-day vulnerability that some hacker discovers and exploits.
Software Development Lifecycle (SDLC)
To ensure that your organization doesn’t fall prey to a SQL injection attack, security testing really needs to be made part of your SDLC. Many organizations produce applications but do not have security testing as part of their SDLC. All too often, organizations consider security testing the job of Quality Assurance; however, QA teams are frequently poorly equipped, in both tools and experience, to conduct this type of testing. In truth, the organization should strongly consider either having security professionals on staff who test applications before they go “live”, or being prepared to hire firms that employ ethical hackers to conduct testing during each major release of the application.
Are SQL injection issues destined to be in every organization’s future? Not necessarily.
If organizations enact controls and testing that work to identify SQL injection and other vulnerabilities, they stand a far better chance of avoiding SQL injection issues within their applications, and thereby of better protecting their data and that of their customers.
About Digital Defense
- Asset discovery and tracking
- OS and web application risk assessment
- Targeted malware threat assessment
- Machine learning features that leverage threat intelligence
- Agentless & agent-based scanning
- Penetration testing for networks, mobile applications, and web applications
- Compliance management (one of the world’s longest-tenured PCI Approved Scanning Vendors)
The Frontline.Cloud platform virtually eliminates false-positives associated with legacy vulnerability management solutions, while also automating the tracking of dynamic and transient assets and prioritizing results based on business criticality.