What are SQL Injection attacks?
SQL (Structured Query Language) injection is a type of attack against websites in which specially constructed web requests are used to control the site's database. Web servers and application servers interact with database servers whenever they need to store, retrieve, change or delete data, and most databases support a variant of a language called SQL for doing this. An attacker mounting a SQL injection attack builds malicious SQL statements designed to be executed alongside the SQL statements the site performs normally, and smuggles those statements in as part of an otherwise normal request to the website.
Why are they so prevalent?
SQL injection attacks are increasingly prevalent because the focus of attacks has shifted: attackers no longer target only the web server, the operating system or the web-server software, but also the application layer and the custom code that runs the site. Among application-level attacks, SQL injection is particularly interesting because it is potentially very powerful when it succeeds.
What damage can be caused by a successful SQL injection attack?
A successful SQL injection attack could have a number of different outcomes:
A SQL injection attack could be used to bypass the site's authentication or authorization. This lets the attacker view the records in the database, which could be anything associated with that site: customer data, credit card numbers, account credentials. Through this route the entire data set could be taken.
A SQL injection attack could also be used to modify the application's database: adding, altering or deleting records, adding a new account, adding or removing a transaction. This need not be confined to one part of the site; it could reach the site's entire database, meaning the entire database of that site could be destroyed. Worse still, if the database server hosts content for multiple websites, the data across all of those websites could potentially be affected, whether accessed, modified or deleted completely.
In other circumstances a SQL injection attack could even lead to a full compromise of the database server, giving operating-system-level access and total control of the server.
How do I know if my applications are vulnerable to SQL Injection attacks?
Any of your applications that accept user input and store data in a back-end database are potentially vulnerable to SQL injection. Across the web this is a very large class of applications: banking sites and retail sites, for example, all share the common characteristics of interacting with users and letting users provide information, while also having back-end databases in which they work with that data.
To detect SQL Injection attacks you can test for it in a number of different ways:
You can use penetration testing, or you can use static or binary analysis to detect it. It is also important to make security part of your development life cycle, so that new applications being built today already have the protections built in to prevent SQL injection from the start.
How do you prevent SQL Injection Attacks?
You can prevent SQL injection attacks through a number of best practices:
- First, use parameterized or prepared statements. These limit the influence an attacker can have over the queries run against the database.
- Second, use input validation on the length, type and syntax of the input coming from the user, and on the business rules that apply to it. Wherever possible, validate against known-good input rather than trying to recognise known-bad input. It is a lot easier to know that a US zip code has a specific format made up of digits and possibly a dash than to try to eliminate every possible bad input, such as trying to detect SQL statements mixed into an address.
- Third, use the lowest possible privilege for the database account. This does not prevent a SQL injection attack, but it limits the damage a successful attack can do: the only damage possible is whatever can be done with that account. For example, if the database hosts data for multiple websites and each website has its own user that can only access that website's data, you do not have to worry about cross-contamination, where an attack against one site affects the data of a second site.
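To make the first two practices concrete, here is an added example (not from the original post) that puts a string-built login query beside its prepared-statement equivalent and adds a known-good zip-code check. The in-memory SQLite table, the `alice` account and the crafted password string are constructed for illustration; the textbook tautology `' OR '1'='1` is used only to show that the vulnerable query lets input change the statement's structure while the prepared statement treats the same input as plain data.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a site's user table. The password
    # is stored in plaintext only to keep the example short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is spliced straight into the query text, so the input
    # can alter the WHERE clause itself: this is the injection the post describes.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Prepared (parameterized) statement: the SQL text is fixed and the
    # inputs are bound as values, so they can never become SQL syntax.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Known-good validation: five digits, optionally followed by a dash and
# four more digits. Anything else, including SQL fragments, is rejected.
ZIP_RE = re.compile(r"[0-9]{5}(-[0-9]{4})?")


def valid_us_zip(value):
    return ZIP_RE.fullmatch(value) is not None


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed tautology, not a real password
    print(login_vulnerable(conn, "alice", crafted))  # True: check bypassed
    print(login_safe(conn, "alice", crafted))        # False: treated as data
    print(valid_us_zip("12345-6789"), valid_us_zip("12345' OR 1=1"))
```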