
Tuesday, 10 September 2013

SQL Injection Attack #WebSecurity #Infosec #Hacking #SQL



What are SQL Injection attacks?
 

SQL (Structured Query Language) injection is a type of attack against websites in which specially constructed web requests are used to control the site's database. Web servers and application servers interact with database servers any time they need to store, retrieve, change, or delete data, and most databases have a variant of a language called SQL that is used to do this. An attacker mounting a SQL injection attack builds malicious SQL statements designed to be executed along with the SQL statements the site would normally perform, and includes these malicious statements in what would otherwise be a normal request to the website.
 

Why are they so prevalent?
SQL injection attacks are increasingly prevalent because there has been a change in focus: attacks no longer target only web servers, operating systems, or web-server software, but also the application layer and the custom code that runs the site. Of these application-level attacks, SQL injection is particularly interesting because it is potentially very powerful if it succeeds.

What damage can be caused by a successful SQL injection attack?
A successful SQL injection attack could have a number of different outcomes:
A SQL injection attack could be used to bypass the site's authentication or authorization. This lets the attacker view the records in the database, which could be anything associated with that site: customer data, credit card numbers, account credentials. The entire data set could be taken.

A SQL injection attack could also be used to modify the application database: adding, altering, or deleting records, adding a new account to the database, adding a transaction, or removing a transaction. It need not be limited to one part of the site; it could be the site's entire database, meaning that the entire database of that site could be destroyed. Even worse, if the database server is hosting content for multiple websites, the data across all of those websites could potentially be affected: accessed, modified, or deleted completely.
In other circumstances a SQL injection attack could even lead to a full compromise of the database server, allowing operating-system-level access and total control of the server.





How do I know if my applications are vulnerable to SQL injection attacks?

Any of your applications that accept user input and store data in a back-end database are vulnerable to SQL injection attacks. Across the web this is a very large class of applications. Banking sites and retail sites, for example, all share the common characteristics of interacting with users and letting users provide information, while also working with that data in databases on the back end.
To detect SQL injection you can test for it in a number of different ways:
You can use penetration testing, or you can use static or binary analysis. It is also important to make security part of your development life cycle, so that new applications being built today already have protection against SQL injection built in from the start.
 



How do you prevent SQL Injection Attacks?
You can prevent SQL injection attacks through a number of best practices:

  1. First of all, use parameterized or prepared statements. These limit the amount of influence an attacker could possibly have over the queries run against the database.
  2. Use input validation for the length, the type, the syntax, or the business rules of the input coming from the user. Whenever possible, validate against known good input rather than known bad. It is a lot easier to know that a US zip code has a specific format comprised of digits and possibly a dash than to try to eliminate all possible bad inputs, such as trying to detect SQL statements mixed in with an address.
  3. Third, use the lowest possible privilege for the database account. This doesn't prevent a SQL injection attack, but it limits the possible damage from a successful one. If an attack succeeds, the only damage possible is whatever could be done with that account. For example, if the database hosts data for multiple websites and each website has its own specific user that can only access the data of that website, you don't have to worry about cross-contamination, where an attack against one site could affect the data of a second site.
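
The first two practices side by side, as an added example that is not from the original post. It uses Python's built-in sqlite3 module with a constructed customers table; the function names, the sample rows, and the ZIP pattern are assumptions made for illustration.

```python
import re
import sqlite3

# "Known good" allowlist for a US ZIP code: five digits, optional -NNNN suffix.
ZIP_RE = re.compile(r"\d{5}(?:-\d{4})?")

# Constructed test input: a quote character followed by extra SQL text.
CRAFTED = "' OR '1'='1"


def make_db():
    """Create an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, zip TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "02139"), ("bob", "94105-1234"), ("carol", "10001")],
    )
    return conn


def find_by_zip_concat(conn, zip_code):
    """Weak form: input is pasted into the SQL text and can change the query."""
    sql = "SELECT name FROM customers WHERE zip = '" + zip_code + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_zip_safe(conn, zip_code, validate=True):
    """Hardened form: allowlist check first, then a bound parameter."""
    if validate and not ZIP_RE.fullmatch(zip_code):
        raise ValueError("ZIP code must look like 12345 or 12345-6789")
    # The ? placeholder sends the value as data; it is never parsed as SQL.
    rows = conn.execute("SELECT name FROM customers WHERE zip = ?", (zip_code,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input :", find_by_zip_concat(db, "02139"))
    print("concat, crafted input:", find_by_zip_concat(db, CRAFTED))
    print("bound,  crafted input:", find_by_zip_safe(db, CRAFTED, validate=False))
    try:
        find_by_zip_safe(db, CRAFTED)
    except ValueError as exc:
        print("validated            :", exc)
```

With the concatenated query the crafted input returns every row; with the bound parameter the same input matches nothing, and the allowlist rejects it before the database is touched.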
