A 5-Minute Guide to SQL Injection (And How to Protect Yourself)


Tech Insights for Professionals - The latest thought leadership for IT pros

Tuesday, December 10, 2019

Are you protected against SQL injection attacks? Here's what you need to know about this threat.


IT teams today have to defend their firms against a wide range of threats. The battle between hackers and security pros is often described as an arms race, with each side constantly looking to develop new solutions to outwit the other.

However, in this environment, it's easy to overlook some of the older vulnerabilities that may have been in place for many years. Indeed, one of the most common methods of gaining access to a system to steal data or cause trouble would be instantly recognizable to a hacker from the late '90s - an SQL injection.

But what exactly do these attacks look like, and how can you best go about protecting yourself from them? Read on to learn everything you'll need to know about this threat.

What is an SQL injection?

An SQL injection, or SQLi attack, is a web-based code injection attack that sees hackers using malicious code to bypass security systems and gain access to SQL databases. If website forms aren't configured properly, this can allow attackers to conduct a wide range of activity, from extracting information to amending or adding new data or even, in some cases, accessing a server's operating system.

SQL attacks have been targeting web applications for more than 20 years, with the first known incidents occurring around 1998, but they're still used today as a tried and tested method because many businesses continue to be vulnerable, as they don't take steps to protect themselves.

Indeed, a 2017 report from Akamai found more than half of web attacks (51%) used SQL injections, which illustrates how they still haven't gone out of fashion. In some ways this is unsurprising - SQL remains a standard programming language all over the world, used by more than half of developers. It's ubiquitous, easy to use, and makes life much easier for developers.

How do these attacks work?

As a code injection attack, SQLi works by allowing hackers to enter instructions to the database from a publicly-accessible web form in the form of a valid SQL query. These queries are the building blocks of the language and tell the system what information to look up and retrieve.

For instance, on an ecommerce site, a user's input may be converted into an SQL query that tells the database to return details on a specific item. An SQLi takes advantage of this by changing the instructions sent to the database. A typical user input into a web application when looking for a product may look something like this:

'http://www.ecommercestore.com/items/items.asp?itemid=100'. This is then turned into an SQL query that returns the name and description of the item associated with ID number 100.

But if a user changes this input to read 'http://www.ecommercestore.com/items/items.asp?itemid=100 or 1=1', an unprotected database won't return only the details of the item with ID 100, but the details of every entry where 1=1. Since 1=1 is true for every entry, the query will bring up details on every item in the database.

The same principle applies to any field and any input that can be recognized as a valid SQL query. So using the same technique, the user entry 'http://www.ecommercestore.com/items/items.asp?itemid=100; DROP TABLE Users' would instruct the database to delete the entire list of users.

What are hackers looking for?

It's easy to see how simple SQL queries can have a devastating effect on unsecured databases. Depending on the type of SQLi query used, hackers can use it for a wide variety of purposes, from stealing passwords or vandalizing a website to deleting entire databases.

Often, this can be used to directly extract fields from a server, including names, addresses, contact details and more. Any data stored on an SQL database in plaintext is potentially vulnerable to injection attacks, including sensitive details such as credit card numbers.

However, an SQLi may also be used as the initial stage of a wider cyber attack. For instance, one of the most common tactics will be to use SQLi to gain access to a list of passwords. Once hackers have these, they can try out the credentials across other systems by impersonating other users - even admin accounts - to burrow deeper into your network.

It could also allow hackers to change, delete or add new information to a database, something that may be particularly worrisome to finance or ecommerce firms. For example, in a financial application, an attacker could use this tactic to alter balances, void transactions, or transfer money to their account.

Meanwhile, deleting data can be highly disruptive to a business, which is often the goal of 'hacktivists' who are motivated by ideological reasons rather than financial ones. Even if you have backups, deleting tables en masse could shut down applications or websites for hours until the database is restored.

What it can mean for your business

SQL attacks are relatively simple to initiate, but they can cause serious damage to a business. If key servers and databases aren't effectively protected, hackers can gain access to highly confidential material and cause major reputational and financial damage.

Back in 2008, for example, Heartland Payment Systems lost the details of 138 million credit cards through an SQLi. At the time, this was said to be the largest data breach in history, and the company eventually ended up paying out $145 million in compensation for fraudulent payments.

The Heartland case happened over a decade ago, yet the lessons clearly haven't been learned by many businesses, as the tactic remains one of the most common ways of accessing data. This was shown in 2015 when British telecoms provider TalkTalk was fined what was at the time a record £400,000 ($486,000) after an SQLi stole the data of 156,959 customers, and the regulator was less than impressed with the failing.

"SQL injection has been well known in security circles for almost 20 years. SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data." - Information Commissioner's Office, 2016


However, what has changed in the last few years is the public awareness and regulatory response to data breaches. People today are much more aware of how valuable their personal data is to hackers, while rules such as GDPR make the financial penalties for incidents much heavier. For example, it's estimated that TalkTalk's fine could have been up to 79 times higher under current rules, possibly costing the firm as much as £59 million ($79 million).

How to protect yourself from SQL attacks

Fortunately, there are many steps you can take to mitigate the risk of SQLi attacks. The first step needs to be toughening up how user-inputted data is validated. This means setting up a system that identifies malicious code and prevents it from being passed on to the database.

To achieve this, the best practice is to trust nothing - assume every input your application receives is dangerous unless it can be proven otherwise. In other words, instead of blacklisting known malicious characters, whitelist only inputs that meet clear parameters. For instance, if the expected field is a phone number, don't allow any entry that contains anything other than the figures 0 to 9.

However, input validation and sanitization can only do so much. You should also make sure you aren't using dynamic SQL for your inputs, which means building SQL statements directly from user input. Instead, use prepared statements, parameterized queries or stored procedures wherever possible.
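
The item lookup from the itemid example earlier, written three ways as an added example that is not code from the original article: dynamic SQL, a parameterized query, and an allow-list check placed in front of the parameterized query. It uses Python's built-in sqlite3 module; the items table, its rows and the function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Build an in-memory catalogue with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (itemid INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(100, "Kettle", "1.7 litre"), (101, "Toaster", "2 slice"), (102, "Blender", "600 W")],
    )
    return db

def lookup_vulnerable(db, itemid):
    """Dynamic SQL: the itemid text becomes part of the statement itself."""
    query = "SELECT name, description FROM items WHERE itemid = " + itemid
    return db.execute(query).fetchall()

def lookup_parameterized(db, itemid):
    """Parameterized query: itemid is bound as a value, never parsed as SQL."""
    return db.execute(
        "SELECT name, description FROM items WHERE itemid = ?", (itemid,)
    ).fetchall()

# Allow-list: only the digits 0 to 9, with a bounded length.
ITEMID_ALLOWED = re.compile(r"[0-9]{1,9}")

def lookup_validated(db, itemid):
    """Allow-list check first, then the parameterized query."""
    if not ITEMID_ALLOWED.fullmatch(itemid):
        raise ValueError("itemid must contain only the digits 0 to 9")
    return lookup_parameterized(db, int(itemid))

if __name__ == "__main__":
    db = make_db()
    tampered = "100 or 1=1"  # the altered itemid value from the article's URL
    print("vulnerable, normal   :", lookup_vulnerable(db, "100"))
    print("vulnerable, tampered :", lookup_vulnerable(db, tampered))
    print("parameterized        :", lookup_parameterized(db, tampered))
    try:
        lookup_validated(db, tampered)
    except ValueError as exc:
        print("validated            :", exc)
```

With the tampered value, the dynamic query returns every row, the parameterized query returns none because the whole string is compared as a single value, and the validated lookup rejects the input before it reaches the database.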

Of course, ensuring your applications and databases are always patched to the latest version as quickly as possible helps ensure you don't fall victim to known vulnerabilities. However, in addition to this, a web application firewall (WAF) that can filter out malicious data is essential.

A WAF can be particularly useful in providing some security protection against a new vulnerability before a patch is available. Effective solutions should have a comprehensive set of default rules that dictate what inputs are and aren’t permitted, and make it easy to add new ones whenever necessary.

Basic best practices such as encrypting or hashing sensitive data and ensuring applications don't reveal any more information than is strictly necessary (such as not displaying error messages that can give hackers great insight into your database architecture) should also be used to guard against SQLi attacks.

Protecting against SQL attacks is a multi-step process with no simple cure-all solution, but taking the time to set up comprehensive defenses is vital in ensuring you're safe from this common but dangerous threat.
