If you’re a fan of contemporary thriller movies or television, you’ll no doubt have watched a scene where some enterprising (usually young, and quirky) “hacker” sits in front of a keyboard, flexes their fingers, and spouts knowledgeably about the various methods he/she will use to break into the Pentagon/bank security system, or whatever.
The words “SQL injection” will likely come up in there somewhere – and you might be tempted to think that this is just jargon the screenwriter put in to make it sound authentic.
But if you’re a database or website administrator, you’ll know that SQL injections are real – and that one can have seriously undesirable effects. In this article, we’ll be exploring the various ways in which you can reduce that risk.
SQL, or Structured Query Language, is a programming language used in database management and configuration. Despite the fact that many modern developers describe the acronym as “Scarcely Qualifies as a Language”, SQL remains the tool of choice for information analysts working with relational databases (which are defined at the basic level by a series of table entities containing columns and rows). On the commercial scene, you may recognize the platform from major products like Microsoft SQL Server, Oracle Database, and MySQL, which was developed by Sun and is now owned by Oracle.
Since its development around 40 years ago, SQL has been widely adopted in the IT industry and has branched into a range of dialects for a variety of platforms. SQL has a core syntax built around a small set of easy-to-remember, “common sense” statements (such as SELECT, INSERT, UPDATE, and DELETE).
For many users, SQL is employed as the command-and-control language for relational databases propping up the back end of web applications and content management systems – which means that the behavior and content of many websites and online resources depends on data housed in servers that are governed by SQL.
What is a SQL Injection?
It’s the logical and conceptual simplicity of SQL which makes the language straightforward (if not necessarily easy) to use. And it’s this very logic that can prove to be its greatest flaw.
The “garbage in, garbage out” principle of computing also applies to SQL. If an unanticipated character string is entered into a database search or login text field for example, rather than simply throw up an error message, a SQL database might also react in unanticipated ways. And even the error message it throws up might reveal sensitive clues as to what’s in the underlying database structure.
A SQL injection attack (sometimes referred to as an SQLi) occurs when someone deliberately sends malicious SQL commands to database servers, using unauthorized channels. The most common channel used is unsanitized input data. At a very simple level, this could occur if a hacker inputs something like MyFirstName’ into a login field – and the system isn’t configured to neutralize a stray character like that apostrophe at the end of MyFirstName before it reaches the database, where it is read as part of the query’s syntax rather than as data.
If the hacker’s data enters the system unedited, this could indicate a low level of security checking within the database, and give the attacker the courage to try inserting something more adventurous next time – like a snippet of malicious code. And if there’s an error message returned by MyFirstName’ this may indicate to the hacker that the back-end code of the database includes user input in the syntax of a SQL query – which points to lax practices and insecure coding.
But while unsanitized input data is the most common route for a SQL injection, any input channel may be used to send malicious commands or web requests. These would include query strings, input elements, cookies, or files.
This rich choice of attack vectors helps explain why SQL injections remain such a popular choice for hackers today. SQL injections are the most common and successful form of web attack.
The Damage That a SQL Injection Can Cause
SQL injections exploit weaknesses in a website or network’s input channels to target the back-end databases of web applications and platforms – where the most valuable or sensitive information is stored. A successful assault can bestow a wide range of powers on the attacker – including the ability to deface or modify website content, sabotage application functions, capture credentials and other sensitive data, or harvest high-value business information and intellectual property.
In a worst case scenario, certain SQL injections may gain the attacker administrative rights over the web application or site – enabling them to dictate and monitor processes, modify user bases, and introduce their own malicious programs at will.
Attacks against LinkedIn, Yahoo!, Microsoft, Sony Pictures, PBS, TalkTalk, VTech, The Wall Street Journal, and the U.S. Central Intelligence Agency (CIA) have all been attributed to SQL injections.
SQL Resources for Hackers
While SQL follows logical rules and has a simple core syntax, mastering the language itself takes skill. But as with all IT commodities these days, there’s online help available for the enterprising hacker.
Scanning tools like sqlmap may be used to crawl web pages, looking for potential SQL injection vulnerabilities. And there’s an app called Havij (developed by Iranian security professionals) which uses a simple “point and click” functionality to probe targeted websites for fields, tables, or even full data dumps that may indicate vulnerability. The app can then build queries to probe characteristics of the database in depth, providing the ammunition a hacker requires to construct their SQL injections.
Methods to Prevent These Attacks
All user input to a website or online resource should be filtered and sanitized – preferably according to the context of each field. So, for example, no database field asking for an email address should accept characters that aren’t standard for one, and the same policy should apply to any other input such as names, phone numbers, etc. For database queries, using SQL variable binding with prepared statements or stored procedures is preferable to constructing SQL queries by concatenating user input into the query text.
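As an added illustration (not code from the original article), the following Python/SQLite snippet contrasts a query built by string concatenation with a parameterized one, using the article’s own MyFirstName’ input, and adds a context-specific check for an email field; the table, rows and function names are constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory sample database (not from the original article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("MyFirstName'", "quote@example.com")])
    conn.commit()
    return conn

# Vulnerable pattern: user input is spliced into the SQL text, so a stray
# quote changes the statement's syntax instead of being treated as data.
def find_user_unsafe(conn, name):
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# Hardened pattern: the ? placeholder binds the value separately from the
# statement, so the same quote is just one more character in the search term.
def find_user_safe(conn, name):
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Context-based validation for an email field: reject anything that is not a
# plausible address before it ever reaches the database layer.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def accept_email(value):
    return bool(EMAIL_RE.fullmatch(value))

def demo():
    conn = make_db()
    results = {}
    results["unsafe_alice"] = find_user_unsafe(conn, "alice")      # works for benign input
    results["safe_alice"] = find_user_safe(conn, "alice")
    results["safe_quote"] = find_user_safe(conn, "MyFirstName'")   # quote matched literally
    try:
        find_user_unsafe(conn, "MyFirstName'")
        results["unsafe_error"] = None
    except sqlite3.OperationalError as exc:
        # The concatenated query breaks; this verbose message is exactly the
        # kind of detail that should be logged locally, never shown to users.
        results["unsafe_error"] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```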
To set up and enforce strict rules for filtering out potentially dangerous web requests, a web application firewall should be installed, configured, and regularly updated.
User accounts on databases should be segmented so as to limit the privileges or access granted to only those powers a user strictly needs. This will require the setting up of multiple user accounts and the assigning of a range of different levels of privilege – but in the event of a breach, this approach will contain and limit the damage to a select portion of the database.
Database capabilities that can elevate user privileges or spawn command shells should be eliminated, and SQL statements stemming from database-connected applications should be continuously monitored for signs that may indicate rogue SQL statements or vulnerabilities.
Since error messages may provide a bonus trove of information on the underlying structure of a database, these dialogs should be kept local. Any external error messages broadcast by the system should be worded only in general terms.
SQL injection vulnerabilities are regularly identified in commercial software, so it’s essential to keep up to date with the latest software versions and security patches.
From a practical perspective, any sensitive data on your website or database that isn’t required should be removed. Sensitive information which must be stored there (like passwords, financial data, health information, or the answers to security questions) should be protected with strong, well-established cryptographic algorithms – for example, hashing stored passwords with SHA-2 rather than keeping them in the clear.
Some Resources to Help You
The same sqlmap tool which helps hackers can also be turned to the legitimate user’s advantage, in sniffing out potential vulnerabilities on their own system.
For developers, programming platforms like ASP.NET include built-in features that automatically evaluate user input for malicious content on page postbacks.
And the Open Web Application Security Project (OWASP) publishes a SQL Injection Prevention Cheat Sheet for coders, database and website administrators with suggested techniques, best practices, and sample code.