Understanding SQL Injection

SQL injection is one of the oldest attacks that can be used to compromise a database-driven website or web application. SQL injection is very easy to detect, and a variety of automated tools can be used during the injection process, making it incredibly easy for SQL injection attacks to be mounted by an attacker. Whilst SQL injection relies on some sort of database being present for an attack to succeed, it is not the result of a flaw in the database itself; the flaw typically exists in the web application or website that builds the queries.

How does it work?

SQL injection is achieved through the insertion of characters into existing SQL commands with the intention of altering their intended behaviour. As an attacker, one of the first methods of establishing whether a website is vulnerable is to try to make the website return an error. As a general rule, if a website returns an SQL error in response to user input, it may be vulnerable to SQL injection.

What is the impact of SQL injection?

The results of a successful SQL injection attack can have serious consequences. Let's look at this from the perspective of the CIA security model:

Confidentiality

Businesses should ensure that all data remains private and is only available to those who are authorised to view the data in question. Information such as full names, addresses, dates of birth, National Insurance numbers and credit card numbers all have value, and attackers often sell or exchange this personal information online to other criminals.

Integrity

Information is only useful if it is complete and accurate, and remains so. Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. If an attacker is able to alter the data or replace the information with their own, the data can no longer be thought of as correct or accurate. For example, an attacker could change the price in an e-commerce application, reducing the cost of products or services.

Availability

Information that is not available when and where required is of no use to anyone. If an attacker is able to compromise a database and destroy or corrupt all data on the system, they could render a business inoperable. Customer payments, records and any other information stored in the database could be lost forever.

Mitigation - Preventing SQL Injection

There are various methods that can be used to prevent SQL injection. One of the most powerful is input validation. This can be performed by whitelisting what is acceptable to an application before the information is sent to the database. For example, if an application is expecting an email address, it should not accept data that does not match the format of a valid email address. The same applies to numbers and letters: the application should not accept symbols, letters or numbers where it does not expect them to appear.

Other techniques include:

Avoiding the use of dynamic SQL. This type of query builds statements by concatenating options and choices made on the client side into the SQL text. Such statements should be avoided; this can be done through the use of prepared (parameterised) statements and stored procedures, which keep the query text fixed and pass user input only as data.
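The following is an added example, not code from the original article, showing both mitigations described above side by side: whitelist validation of an email address and a numeric identifier, and a dynamic (string-concatenated) query beside its prepared-statement equivalent. It also applies the later point about not exposing database error messages, by returning a generic error to the caller and logging the detail server-side. The table, rows and the name Conor O'Brien are constructed for the example; the in-memory SQLite database, the function names and the email pattern are assumptions made here and are not prescribed by the article.

```python
import logging
import re
import sqlite3

log = logging.getLogger(__name__)


def build_db():
    # Constructed in-memory database for the example (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("Alice Smith", "alice@example.com"), ("Conor O'Brien", "conor@example.com")],
    )
    conn.commit()
    return conn


# Whitelist patterns: the application states what it WILL accept, and
# everything else is rejected before it gets anywhere near the database.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
DIGITS_RE = re.compile(r"^[0-9]{1,9}$")


def is_valid_email(value):
    # Accepts only a conventional local@domain.tld shape of sensible length.
    return len(value) <= 254 and EMAIL_RE.match(value) is not None


def parse_user_id(value):
    # Accepts only a short run of digits; returns None for anything else.
    if DIGITS_RE.match(value) is None:
        return None
    return int(value)


def find_by_name_dynamic(conn, name):
    # Dynamic SQL (the pattern to avoid): the value is spliced into the query
    # text, so a quote character inside it is parsed as SQL rather than as data.
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_prepared(conn, name):
    # Prepared statement: the query text is fixed and the value is bound
    # separately, so quotes in the value are just characters in the data.
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def dynamic_query_fails(conn, name):
    # Reports whether the dynamic query raises a database error for this input;
    # such errors are the symptom the article says reveals a vulnerable site.
    try:
        find_by_name_dynamic(conn, name)
        return False
    except sqlite3.Error:
        return True


def lookup_by_email(conn, email):
    # Defensive request handler: whitelist first, then a parameterised query,
    # and never return the database's own error text to the client.
    if not is_valid_email(email):
        return {"ok": False, "error": "invalid input"}
    try:
        rows = conn.execute(
            "SELECT id, name FROM users WHERE email = ?", (email,)
        ).fetchall()
    except sqlite3.Error as exc:
        log.error("database error during lookup: %s", exc)  # detail stays in the log
        return {"ok": False, "error": "internal error"}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = build_db()
    print("prepared:", find_by_name_prepared(db, "Conor O'Brien"))
    print("dynamic query fails on O'Brien:", dynamic_query_fails(db, "Conor O'Brien"))
    print(lookup_by_email(db, "conor@example.com"))
    print(lookup_by_email(db, "not an email"))
```

The apostrophe in a perfectly legitimate surname is enough to break the concatenated query while the prepared statement returns the row, which is the whole point: with parameters, the shape of the user's input can never change the shape of the query.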

Lock down database permissions. By applying the principle of least privilege, you give the database and the applications that attach to it only the access they need and nothing more.

Test applications prior to deployment into full scale production.

Ensure any features not required on the database are turned off, and that all default configurations and passwords are changed.

Disable any error messages outside of the test and development environments.

Apply strong cryptography to the stored information. Should an attack occur that results in data being stolen, encrypted information will make the attacker's job of accessing the data much harder.