Frequently Asked Questions

What is SQL Injection?

SQL injection is currently the most common form of website attack in that web forms are very common, often they are not coded properly and the hacking tools used to find weaknesses and take advantage of them are commonly available online. This kind of exploit is easy enough to accomplish that even inexperienced hackers can accomplish mischief. However, in the hands of the very skilled hacker, a web code weakness can reveal root level access of web servers and from there attacks on other networked servers can be accomplished.

What is SQL?

Structured Query Language (SQL) is the nearly universal language of databases that allows the storage, manipulation, and retrieval of data. Databases that use SQL include MS SQL Server, MySQL, Oracle, Access and Filemaker Pro and these databases are equally subject to SQL injection attack.

Web based forms must allow some access to your database to allow entry of data and a response, so this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search box, might provide access to your data by means of SQL injection if coded incorrectly.

How SQL Injection Works

Prospects, customers, employees and business partners may all have the right to store or retrieve information from your database. Your site probably allows any site visitor to submit and retrieve data. Legitimate access for visitors includes site search, sign up forms, contact forms, logon forms and all of these provide windows into your database. These various points of access are quite possibly incorporated in ‘off-the-shelf’ applications or may be custom applications set up just for your site. These forms and their supporting code have likely come from many sources, were acquired at different times and possibly installed by different people.

SQL injection is the use of these publicly available fields to gain entry to your database. This is done by entering SQL commands into your form fields instead of the expected data. Improperly coded forms will allow a hacker to use them as an entry point to your database at which point the data in the database may become visible and access to other databases on the same server or other servers in the network may be possible.

Web site features such as contact forms, logon pages, support requests, search functions, feedback fields, shopping carts and even the functions that deliver dynamic web page content, are all susceptible to SQL injection attack because the very fields presented for visitor use MUST allow at least some SQL commands to pass through directly to the database.

Get a demo and see how you can defend against SQL injection attacks.

SQL Injections Risk

Since databases control many web site functions, nearly all websites invite input from visitors and so many web forms are vulnerable, SQL injection has become and for years remained the most common form of website hacking tool used. Additionally, so many criminals are now using SQL injection that new server, application and code weaknesses are being discovered almost daily.

How Common are SQL Injection Attacks?

Our own records indicate that most (over half) of the web sites we have been asked to scan had SQL injection risks of either High or Medium levels. A high level of risk is one that is effectively an unlocked, unguarded door. A medium risk is one that when combined with one or more other factors could mean trouble. An even larger number of sites had Low risk issues. What you need to know: The percentage of sites that have at least one major risk is actually increasing.

Even though SQL injection has been a known issue for years, there are several factors causing the rate of risk to increase. First is that more companies are offering more website interaction with visitors and this trend is increasing dramatically. Second is that as more hackers gain skills in SQL injection, they are discovering more applications and services that are susceptible to attack and are developing new attacks on old applications. The result is a nearly exponential increase in the opportunities to use this attack method.

Am I at Risk for an SQL Injection Attack?

Your risk of being successfully attacked using SQL injection is based on these factors: the size of your business and the age, status of updates and patches on your applications and the skill and number of your technical staff. It boils down to whether you are an interesting target and whether your web server, the applications on it and your website code are well designed, well integrated and have all the current patches and updates.

Your site is in immediate danger if your company stores data of high value, if your company or entity is operating in a highly contested field of business, or if your site has political or social importance or value. Naturally if you have something of monetary value then you are a target. But you are also a target if your site is an opinion leader in a contentious environment. We have been asked by bloggers for help because the subject matter covered there had drawn SQL injection attacks. Explore common use cases for DAST here.

SQL injection attacks are now being solicited online. An upset customer, competitor, or even ex spouse can now easily hire a ‘script kiddie’ – or worse, a talented hacker – to attack a site. The chance of the hacker getting caught is low. The chance that the upset party can cause damage to your site without being fingered as the responsible party is high.

You are at risk of SQL injection if you have any equipment or applications which have not been routinely updated and patched, or if you have code on your site that was not correctly written. The age of equipment, the applications and the code is a rough indicator of risk. Another is the number of servers involved, number of applications and number of web site access points. If you are using hosted servers or if you are using outsourced technical resources, then a third party review of your site security is important. And even in-house staff can be so pressed for time and short on resources that updates and patches can get delayed or old legacy code get used without proper review.

SQL Injection Example

Every time a web site visitor enters data into a form on your site a SQL query is generated and delivered to your database. In the case of a simple logon form the username and password is presented to the database and if valid, the database responds with an answer and user is allowed access (or not). So, no matter how simple the form or web process, database access is required and a response is expected.

Using SQL injection, a hacker will try to enter a specifically crafted SQL commands into a form field instead of the expected information. The intent is to secure a response from the database that will help the hacker understand the database construction, such as table names. The next step would be to access and view data in important tables or to add data to tables, such as adding new accounts or user names and passwords. The third step, roughly, would be to use access to the database to discover and change security settings on a server that would allow a hacker administrative access.

Any dynamic script language including ASP, ASP.NET, PHP, JSP, and CGI is vulnerable to attack. The only equipment needed is a web browser. There are tools widely available online that will semi-automate the process of searching for weaknesses, and there are many forums in which hackers share exploits and help each other overcome obstacles.

SQL Injection Outcomes

As you can imagine, a hacker gaining administrative access to your server means that you will have effectively lost all of the data on that server to the invader. Worse yet there is now a beachhead behind your firewall from which attacks on other servers and services can now be made. In this way SQL injection can provide access to all company or personal data.

From a hacker’s point of view a component part of the hack that is almost as important as the break-in is maintaining secrecy. Setting off an ‘alarm’ of some sort is the last thing they want to do. Their infiltration work takes time and often the value of stolen data drops if the theft is discovered (information of value in identity theft or credit card theft for example). Thus SQL injection hacks are often discovered months and in some cases years after their initiation.

Alternatively, if outright damage is the intent then there is no shortage of bad things that can be done to a database once one has gained access to running commands. An entire table can be permanently deleted using a single SQL command. However a more sophisticated SQL injection attack could involve massive corruption of large databases and even destruction of backup copies.

Defense Against SQL Injection

Because web sites require constant access to the database, firewalls provide little or no defense against SQL injection attacks. Your website is public and firewalls must be set to allow every site visitor access to your database, usually over port 80/443.

Antivirus programs are equally ineffective at blocking SQL injection attacks. They are intended to spot and stop an entirely different kind of incoming data.

The most commonly used SQL injection defense is made up of two components. First there is routine updating and patching of all servers, services and applications which of course has many advantages and is common practice. Then there is producing and using well written and well tested website code that disallows unexpected SQL commands.

These two defenses are by definition enough to halt any SQL injection attack. So, why are web site vulnerabilities and risks on the rise and why are successful attacks occurring more often? The answers are each simple, and combine into a daunting list:

• The number of servers, applications and volume of code on web sites is increasing
• These servers, applications and code languages interact with each other in sometimes unpredictable ways
• The number and frequency of updates and patches is increasing
• IT departments are doing more work with fewer staff and some activities such as updates get postponed
• IT staff turnover and layoffs sometimes leave camouflaged holes in security routines
• Automatically installing every patch and update that comes along often produces unwanted side effects
• Legacy code is often re-used when sites are updated, sometimes keeping code written to old standards in use long after it was obsolete
• The number of people attempting to do hacks and the number of tools available to simplify hacking are both going up almost exponentially

More and more companies with huge risk factors and large web ‘footprints’ are coming to conclude that patching everything and hiring more staff to watch the work of existing staff is no longer viable.

Web Site SQL Injection Scanner Tool Solution

The new solution to SQL injection attacks (and all other web-based attacks) is to focus limited and valuable IT time on the serious risks that are actually present, rather than to use a shotgun approach and apply every possible fix to every server, every application and every page of code whether it was needed or not. This new approach is like having a doctor evaluate a patient and proscribe the ONE medicine that is needed to produce a cure, rather than have the patient go directly to the pharmacy to get every possible medicine and take them all at once.

Thus greater security is accomplished through using web application testing tools, such as beSECURE, as an SQL injection scanner tool to examine (scan) a web site using a list of thousands of known attacks and then report on the relatively few (usually less than a dozen) serious issues.

Web site scanning works on the basis of spotting and reporting KNOWN risks. Common hacking is very ‘public’ activity. The tools are widely promoted. Techniques are broadly disseminated in public forums. Even new methods become public within hours or days of their first use, thanks to groups who watch for and then broadly warn others.

BeSECURE, the automated vulnerability detection system, is a web-based service that uses a compilation of all known risks into families and all families into a single database that has taken many years to compile and many hours a day to maintain. Using this database beSECURE can evaluate any web site and produce a report of REAL and PRESENT risks rated according to their relative importance – often within hours and without disturbing ongoing site activities.

Now, you can take your valuable IT man hours and directly address real risks such as SQL injection rather than spend hundreds of hours installing patches and updates, most of which you don’t need or that handle risks that are so small as to be negligible.

This article was originally published on Help Net Security on August 1 , 2019.

Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained to think for the last couple of decades, and against most compliance directives including some of the most dominant security standards. And it is correct.

If anything, Microsoft hasn’t gone far enough: password changing is the visible tip of the iceberg – there are many other major inconveniences for our users that make bad security policy and should be done with.

One of the most destructive notions against good and practical IT security is the supposed axiom that security is the opposite of simplicity. This manifests in the popular “Dilbert” comics that depicts the typical office IT environment and has a recurring character called “Mordac the Preventer of Information Services”, which comes to capture the common belief that the IT security team is there to circumvent and ideally block all usable functions.

Like many things in life, the relationship between security and usability isn’t straightforward. In the very extremes that axiom seems to hold: if I can block all access to a machine (for example: bury a computer under 30 feet of concrete) that would probably make it as secure as it can ever be, and completely useless at the same time.

The other extreme is mostly correct too: if I give free and unfiltered access to a certain computer, it will be as insecure as can be: any wannabe hacker will be able to access any information on that machine (not to mention anyone passing by the server will be able to physically pick it up and take it) while anyone who wanted to use it for anything proper will have open and unfiltered access to it. Perfect usability with zero security, achieved.

As tempting as it may be to now draw a straight line between the “full security, no usability” and “no security, full usability” data points, the reality is that this is grossly incorrect in the middle. In most cases reducing inconvenience does not make something more secure and vice versa. No security feature shows it better than passwords.

Passwords were necessary to control access from the time humans started using non-human devices. Door keys are passwords that control who can access a house. Speakeasies used passwords to allow patrons to visit an illegal bar while blocking uninvited people from nosing around.

While with other humans we have a range of options, machines are not as flexible; it’s unlikely that a liquor store owner will card my grandfather, for example, but it’s near certain that the self-checkout machine will ask him for his ID every single time he buys a six-pack of beer. As we interact more and more with machines, passwords become a way we identify ourselves. In classic security theory we call this granting access based on “something I know”. That something is the secret password.

Playing the password game was reasonably ok while we were humans trying to prevent other humans from breaking into our systems; I choose a secret password and not tell you. The only way you can break into my system is try to guess what password I used. Not knowing what I know means you’ll have a very hard time guessing. There are more than 170,000 words in the English language. Good luck trying to guess the words I used as a password (assuming they’re even in the dictionary in the first place).

The problem with passwords surfaced once computers got involved in attacking other computers. Passwords are asymmetrical: humans are not good at remembering while machines have perfect memory. Humans take time to recall and type things while computers do it in milliseconds. So, as soon as those human attackers started getting assistance from computers, the game was skewed against us – like teenagers playing casual neighborhood basketball when suddenly one team asks their NBA player uncle to join their team. A computer that tries 1000 passwords per second will go through the entire oxford dictionary in just 3 minutes. It isn’t fun to play this game against computers.

This is where things took a bad turn. Applying the false maxim that “security is the opposite of usability”, security experts decided that making it harder for users to use systems via passwords will enhance its security. They therefore opted for more complex passwords; if dictionary words produce hundreds of thousands of combinations, adding digits (and then uppercase characters, and then symbols) adds order of magnitude of complexities. Suddenly computers need days, or weeks, or months to go through all combinations. Aha! Thinks Mordac the preventer, I may be making it somewhat difficult for my users, but I’m also blocking would-be attackers. What other choice do I have; after all, security is the opposite of usability!

What an unfortunate turn of events. Not only has this proven to not be true, but it also derailed the security world from finding a good solution to the problem (there are several). Let’s first see why it didn’t work.

The human brain likes simple patterns; the password ‘12345’ is easy to remember. So is the word ‘password’ (both were the world’s single most used password at some time or another). Team preventers decided to force users to use complex passwords, but humans adapt well. If ‘12345’ is not allowed, and ‘abcde’ is not allowed, I can use ‘abc123’ instead. Anyone who ever worked at a large IT company knows of dozens of clever ways to construct an amazingly simple password while bypassing the restrictions set by the password policy makers. In other words, an arms race started between users and their IT security people. The loser: both. The IT security staff was busy implementing advance password policies, the users were busy finding ways to circumvent these policies (not to mention posting secret passwords on post-it notes around the office) and attackers using computers were still able to crack these simple passwords in a variety of ways. In short – low security coupled with low usability.

Next came the single complex password era: as a user, I can come up with a single very complex password and remember it. The problem – I use dozens, maybe hundreds of services online and they all want me to use a security password. And so, this single (but very secure) password is used across hundreds of sites, and everything seems good for a while.

Until attackers compromise one of those online services. It doesn’t seem alarming at first: who cares if a cat meme generator site gets compromised by some hacking group? The problem is, of course, that my password is now exposed – the same complex password I use for my bank account and my main server at work. Computers have the ability to try my password against thousands of online services almost immediately, so before I hear about my password being compromised, dozens of my online services are already hacked. But what could I, as a user, do? I can remember a few simple passwords, or I can remember one complex password. But how can I remember many complex passwords? There is an obvious asymmetry between the attacker (using a computer) and the user (using a human brain). It’s not a fair match.

It took us more than 30 years to realize that passwords are the wrong direction. It could have been an instant conclusion if we just had gotten rid of the ‘security is the opposite of usability” false narrative. What if we come up with something that is easy for users to do but difficult for computers? Eureka.

As soon as we change the definition, solutions pop up everywhere. The Bank of America allows me to choose any 4-digit PIN that I want and then use it to withdraw real cash. They do that in a way that I can remember it and will not need to write it down; why is a simple 4-digit PIN (only 10,000 combinations) secure? Because it requires “something I have” (a debit card) in addition to “something I know” (the PIN code). Gmail and Facebook use the same method when they send you an SMS to confirm that it’s really you who is logging into the account – a mobile phone is “something you have”.

We also know how to block computers while minimizing disturbance for humans. The ‘CAPTCHA’ tests use abilities humans have naturally (like finding all the stop signs in a set of pictures) and computers struggle with. Another behind-the-scene protection is a temporary account lock-out after a few attempts. If you can’t enter your password within 3 tries you probably need a long time-out to quietly figure out what the password is before you can continue. Why allow a computer try millions of combinations an hour where we can limit it to 3 per hour, blocking these brute-force attacks while giving a very minor inconvenience to legitimate users?

We are just starting to move away from passwords, and unfortunately their inconvenience will be with us for a while. But realizing you have a problem is a necessary step towards a solution. The security world is just now realizing that inconveniencing users is not the right way to enhance security.

Our job as security professionals is to find those security solutions that provide maximum security with minimal inconvenience to humans; in a few decades it will be common knowledge that user convenience provides the best security. Let getting rid of passwords be the first step in that seemingly utopian direction.

This article was originally published on U.S. Chamber of Commerce on April 08, 2019.

If you could create your own fantasy Board of Directors, who would be on it? CO— connects you with thought leaders from across the business spectrum and asks them to help solve your biggest business challenges. In this edition, a CO— reader asks how to improve a business’s cybersecurity when expert help isn’t affordable.

Aviram Jenik, founder and CEO of network security company Beyond Security, answers…

The first, and arguably most important thing a small company can do is realize that improving security, no matter how small of an improvement, is a good thing.

It is a logical fallacy to think, “A determined hacker can get in anyway, so why bother with more IT security?” Security is a continuous process; so, instead, a small business should try and say, “How can I be more secure today than I was yesterday?” The goal shouldn’t be perfect security; it should be improved security.

Next, small businesses should realize that the security solutions market is large and quite competitive. There are security solutions at almost infinite quality levels and budgets; and, with some legwork, any small business should be able to find a solution that fits its budget.

You will probably want to start with things you are required to do, due to regulations or requirements by third parties:

• Setting up perimeter defenses.
• Performing regular security assessments or penetration tests.
• Installing reasonable end-point protection.

All of these can be found at variable pricing points to fit almost any budget. Coupled with the first point above, it’s important to realize that if you can’t afford a product or service, your choice should not be to do nothing, but find an intermediate solution to marginally improve your security with the budget you have.

The goal shouldn’t be perfect security; it should be improved security.

Aviram Jenik, founder and CEO of Beyond Security

I’m regularly asked by businesses small and large — if they could only do one thing, what it is they should do. I invariably give the same answer I’ve been giving for over two decades as a security professional: If you aren’t already, you should be doing regular security checkups.

These go by many names: vulnerability scans, penetration tests, security assessments. But they all essentially mean the same thing: getting a clear and concise report about your network and internet-based assets, along with security issues they have and simple recommendations on how to fix them.

Getting an analysis of your security posture is probably what will get you the most bang for your buck and can help you plan the next steps. At a minimum, you’ll know which areas need improvement and which don’t, which can help you plan the next steps in the continuous security process.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.