Brief Report on SQL Injection!

Almost every week, the news reports a data breach at some company. These reports often describe major companies losing millions of banking transaction details, credit card details, usernames and passwords to cybercriminals.

Imperva (a product-based cyber security company) recently released a report on web application attacks which said that SQL Injection (SQLi) is at a higher level than last year. The SQLi attacks performed by attackers these days are three times more dangerous than the old ones. By exploiting SQL vulnerabilities, an attacker can feed malicious scripts and commands to a database through poorly designed forms and other input boxes of web applications. Details of all web application vulnerabilities are available from OWASP (the Open Web Application Security Project). OWASP updates these vulnerabilities every three years to keep pace with current web application technology and all the other threat vectors.

In the OWASP Top 10 attacks list, SQLi is at number one. It was originally discovered and publicly discussed in 1998, so we can say that it is a very old attack. SQLi flaws are actually very easy to fix, but they have gone unnoticed and neglected by most web application developers. The rising number of SQL injection attacks is a major issue in the cyber world. An SQLi attack can be carried out manually or with the help of automated tools. Manual SQLi is very time-consuming: the attacker repeatedly intercepts data packets and sends a number of different Structured Query Language (SQL) payloads to exploit the SQLi vulnerabilities. This is why attackers mostly prefer automated tools to scan web applications and exploit SQLi flaws.

Many “script kiddies” perform SQLi attacks using SQLi tools, because there is no need to be a coder to perform one. Only a small set of commands is required to perform an SQLi attack on a target website. In the recent hack of TalkTalk, the attackers were teenagers. This attack was the result of SQL injection. This SQLi was utilized by a DDoS attack. There are many other examples, such as the VTech hack.

BLIND TRUST IN USER INPUT IS A BIG RISK

Veracode (an application security company) analysed a number of security bugs across various programming languages. As a result, the Veracode researchers declared that Classic ASP, PHP and ColdFusion were the riskiest languages used by web application developers. The .NET and Java programming languages were safer by comparison. The researchers found at least one SQLi vulnerability in 56% of the applications written in PHP.

It is important to understand that SQLi is the result of improper coding techniques used by developers. These small mistakes can put the whole database of a website at major risk. Developers need to understand that the input to any page of a web application does not always come from a trusted user. In most cases, attackers inject malicious scripts and queries into the input fields. Input validation and parameterized queries are the solution for keeping malicious scripts in the input data out of the query. These methods also protect the database from input that includes special characters, which may change the meaning of an SQL query.

In the software development life cycle, security is often an afterthought. Therefore SQLi and other attacks will remain the same. Developers need to understand the dangers of these attacks and fix the related vulnerabilities as soon as possible.

STATISTICS OF SQL INJECTION

PREVENTION OF SQLi ATTACK

There are some methods to prevent and mitigate SQL vulnerabilities:

1. Trust no one, because data inputs could also come from attackers.

2. Avoid using dynamic SQL and prefer parameterized queries.

3. Update and patch the bugs as soon as possible.

4. Use a firewall.

5. Always use appropriate privileges.

6. Always use better software.