SQL Injection

Understanding and Defending Against SQL Injection Attacks

Poor web site and web application code can allow hackers unauthorized access to your database and network.

SQL Injection Overview

SQL injection is currently the most common form of web site attack: web forms are very common, they are often not coded properly, and the hacking tools used to find weaknesses and take advantage of them are readily available online. This kind of exploit is easy enough that even inexperienced hackers can cause mischief. In the hands of a very skilled hacker, however, a web code weakness can yield root-level access to web servers, and from there attacks on other networked servers can be launched.

Structured Query Language (SQL) is the nearly universal language of databases that allows the storage, manipulation, and retrieval of data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access and Filemaker Pro, and all of them are subject to SQL injection attack.

Web-based forms must allow some access to your database to accept entered data and return a response, so this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search box, might provide access to your data by means of SQL injection if it is coded incorrectly.


How SQL Injection Works

Prospects, customers, employees and business partners may all have the right to store or retrieve information from your database. Your site probably allows any site visitor to submit and retrieve data. Legitimate access for visitors includes site search, sign up forms, contact forms, logon forms and all of these provide windows into your database. These various points of access are quite possibly incorporated in 'off-the-shelf' applications or may be custom applications set up just for your site. These forms and their supporting code have likely come from many sources, were acquired at different times and possibly installed by different people.

SQL injection is the use of these publicly available fields to gain entry to your database. This is done by entering SQL commands into your form fields instead of the expected data. Improperly coded forms will allow a hacker to use them as an entry point to your database at which point the data in the database may become visible and access to other databases on the same server or other servers in the network may be possible.

Web site features such as contact forms, logon pages, support requests, search functions, feedback fields, shopping carts and even the functions that deliver dynamic web page content, are all susceptible to SQL injection attack because the very fields presented for visitor use MUST allow at least some SQL commands to pass through directly to the database.

SQL Injection Risk

Since databases control many web site functions, nearly all web sites invite input from visitors, and so many web forms are vulnerable, SQL injection has become, and for years remained, the most common web site hacking technique. Additionally, so many criminals are now using SQL injection that new server, application and code weaknesses are being discovered almost daily.

Our own records indicate that most (over half) of the web sites we have been asked to scan had SQL injection risks of either High or Medium levels. A high level of risk is one that is effectively an unlocked, unguarded door. A medium risk is one that when combined with one or more other factors could mean trouble. An even larger number of sites had Low risk issues. What you need to know: The percentage of sites that have at least one major risk is actually increasing.

Even though SQL injection has been a known issue for years, there are several factors causing the rate of risk to increase. First is that more companies are offering more web site interaction with visitors and this trend is increasing dramatically. Second is that as more hackers gain skills in SQL injection, they are discovering more applications and services that are susceptible to attack and are developing new attacks on old applications. The result is a nearly exponential increase in the opportunities to use this attack method.

Your risk of being successfully attacked using SQL injection is based on two factors: the nature and size of your business, and the technical state of your site, meaning the age of your applications, the status of their updates and patches, and the skill and number of your technical staff. It boils down to whether you are an interesting target and whether your web server, the applications on it and your web site code are well designed, well integrated and have all the current patches and updates.

Your site is in immediate danger if your company stores data of high value, if your company or entity is operating in a highly contested field of business, or if your site has political or social importance or value. Naturally if you have something of monetary value then you are a target. But you are also a target if your site is an opinion leader in a contentious environment. We have been asked by bloggers for help because the subject matter covered there had drawn SQL injection attacks.

SQL injection attacks are now being solicited online. An upset customer, competitor, or even an ex-spouse can now easily hire a 'script kiddie' - or worse, a talented hacker - to attack a site. The chance of the hacker getting caught is low. The chance that the upset party can cause damage to your site without being fingered as the responsible party is high.

Technically you are at risk of SQL injection if you have any equipment or applications which have not been routinely updated and patched, or if you have code on your site that was not correctly written. The age of equipment, the applications and the code is a rough indicator of risk. Another is the number of servers involved, number of applications and number of web site access points. If you are using hosted servers or if you are using outsourced technical resources, then a third party review of your site security is important. And even in-house staff can be so pressed for time and short on resources that updates and patches can get delayed or old legacy code get used without proper review.

SQL Injection Example

Every time a web site visitor enters data into a form on your site, a SQL query is generated and delivered to your database. In the case of a simple logon form, the user name and password are presented to the database and, if they are valid, the database responds with an answer and the user is allowed access (or not). So, no matter how simple the form or web process, database access is required and a response is expected.

Using SQL injection, a hacker will try to enter specifically crafted SQL commands into a form field instead of the expected information. The intent is to obtain a response from the database that helps the hacker understand the database structure, such as table names. The next step would be to access and view data in important tables or to add data to tables, such as new accounts or user names and passwords. The third step, roughly, would be to use access to the database to discover and change security settings on the server so as to gain administrative access.

Any dynamic scripting technology, including ASP, ASP.NET, PHP, JSP, and CGI, can be vulnerable to attack. The only equipment needed is a web browser. Tools are widely available online that semi-automate the search for weaknesses, and there are many forums in which hackers share exploits and help each other overcome obstacles.

SQL Injection Outcomes

As you can imagine, a hacker gaining administrative access to your server means that you will have effectively lost all of the data on that server to the invader. Worse yet there is now a beachhead behind your firewall from which attacks on other servers and services can now be made. In this way SQL injection can provide access to all company or personal data.

From a hacker's point of view a component part of the hack that is almost as important as the break-in is maintaining secrecy. Setting off an 'alarm' of some sort is the last thing they want to do. Their infiltration work takes time and often the value of stolen data drops if the theft is discovered (information of value in identity theft or credit card theft for example). Thus SQL injection hacks are often discovered months and in some cases years after their initiation.

Alternatively, if outright damage is the intent then there is no shortage of bad things that can be done to a database once one has gained access to running commands. An entire table can be permanently deleted using a single SQL command. However a more sophisticated SQL injection attack could involve massive corruption of large databases and even destruction of backup copies.

Defense Against SQL Injection

Because web sites require constant access to the database, firewalls provide little or no defense against SQL injection attacks. Your website is public and firewalls must be set to allow every site visitor access to your database, usually over port 80/443.

Antivirus programs are equally ineffective at blocking SQL injection attacks. They are intended to spot and stop an entirely different kind of incoming data.

The most commonly used SQL injection defense is made up of two components. First there is routine updating and patching of all servers, services and applications which of course has many advantages and is common practice. Then there is producing and using well written and well tested website code that disallows unexpected SQL commands.
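The logon query described in the SQL Injection Example section above, beside the well-written form of it that this section calls for, as an added example that is not part of the original article. The table, user names and passwords are constructed sample data, and an in-memory SQLite database stands in for the site's real one.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a site's user table (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("O'Brien", "pa55word")])
    return conn

def login_vulnerable(conn, username, password):
    # The logon-form pattern the article warns about: visitor input is pasted
    # straight into the query text, so any quote in the input is parsed as SQL
    # rather than treated as data.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password):
    # Parameterised query: the SQL text is fixed and the driver binds the
    # visitor's values separately, so they cannot become SQL commands.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

def probe_quote_handling(conn):
    # Feed a legitimate name containing an apostrophe to both versions. The
    # concatenating version fails with a SQL error, which proves the input
    # reached the database parser as code; the parameterised version simply
    # finds the user. This is the check a code review or test suite should run
    # against every form-backed query.
    results = {}
    try:
        login_vulnerable(conn, "O'Brien", "pa55word")
        results["vulnerable"] = "query ran"
    except sqlite3.Error as exc:
        results["vulnerable"] = "error: " + str(exc)
    results["safe"] = login_safe(conn, "O'Brien", "pa55word")
    return results

if __name__ == "__main__":
    print(probe_quote_handling(make_db()))
```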

These two defenses are by definition enough to halt any SQL injection attack. So, why are web site vulnerabilities and risks on the rise and why are successful attacks occurring more often? The answers are each simple, and combine into a daunting list:

  • The number of servers, applications and volume of code on web sites is increasing
  • These servers, applications and code languages interact with each other in sometimes unpredictable ways
  • The number and frequency of updates and patches is increasing
  • IT departments are doing more work with fewer staff and some activities such as updates get postponed
  • IT staff turnover and layoffs sometimes leave camouflaged holes in security routines
  • Automatically installing every patch and update that comes along often produces unwanted side effects
  • Legacy code is often re-used when sites are updated, sometimes keeping code written to old standards in use long after it became obsolete
  • The number of people attempting to do hacks and the number of tools available to simplify hacking are both going up almost exponentially

More and more companies with huge risk factors and large web 'footprints' are coming to conclude that patching everything and hiring more staff to watch the work of existing staff is no longer viable.

Web Site Scanning as a SQL Injection Cure

The new solution to SQL injection attacks (and all other web-based attacks) is to focus limited and valuable IT time on the serious risks that are actually present, rather than use a shotgun approach and apply every possible fix to every server, every application and every page of code whether it is needed or not. This new approach is like having a doctor evaluate a patient and prescribe the ONE medicine that is needed to produce a cure, rather than having the patient go directly to the pharmacy to get every possible medicine and take them all at once.

Thus greater security is accomplished through having experienced third party professionals, such as BeyondSecurity, examine (scan) a web site using a list of thousands of known attacks and then report on the relatively few (usually less than a dozen) serious issues.

Web site scanning works on the basis of spotting and reporting KNOWN risks. Common hacking is very 'public' activity. The tools are widely promoted. Techniques are broadly disseminated in public forums. Even new methods become public within hours or days of their first use, thanks to groups like SecuriTeam.com and others who watch for and then broadly warn others.

The automated scanning service, WSSA, is a web-based service that draws on a database of all known risks, grouped into families, which has taken many years to compile and takes many hours a day to maintain. Using this database, WSSA can evaluate any web site and produce a report of REAL and PRESENT risks rated according to their relative importance - often within hours and without disturbing ongoing site activities.

Now, you can take your valuable IT man hours and directly address real risks such as SQL injection rather than spend hundreds of hours installing patches and updates, most of which you don't need or that handle risks that are so small as to be negligible.
