SQL injection (SQLi) is one of the oldest attacks in the book. It takes no effort to find YouTube videos or websites showing how easy it is to carry out. So why is SQLi still so successful? With everything that is known about it, why do businesses keep falling victim and seem unable to fight it?
What is SQLi?
The Open Web Application Security Project (OWASP) lists injection, of which SQLi is the most common form, at the top of its Top 10 web application security risks. Although new data is being gathered for the next edition of the list, the expectation is that SQLi will remain at or near the top.
SQLi occurs when an application builds a SQL statement by pasting untrusted input (a form field, a URL parameter, a cookie) into the query text. The database cannot tell where the developer's SQL ends and the attacker's input begins, so a stray quote mark or comment sequence changes the structure of the query instead of being treated as data. Depending on the query and on the privileges of the account the application uses, the attacker can bypass authentication, read the entire database, or modify or delete records and so compromise data integrity. That database may hold sensitive information such as credit card or social insurance numbers, and a successful attack can go undetected for months or years.
Login pages, support requests and contact forms are all common entry points, because each one takes user-supplied text and feeds it into a SQL query.
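To make the mechanism concrete, here is an added example (not code from the original article). It builds a small constructed user table in an in-memory SQLite database using Python's standard sqlite3 module, then runs a login check and a user search two ways: with the user's text spliced into the SQL string, and with the values bound as parameters. The table, account names and passwords are made up for the demonstration; a real application would store password hashes, which does not change where the injection happens.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that splices untrusted text straight into the SQL.

    The database sees one string and parses whatever the user typed as
    part of the statement, so a quote plus a comment marker rewrites it.
    """
    sql = ("SELECT username FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check as a parameterized query.

    The SQL text is fixed; the driver hands the values to SQLite
    separately, so quotes or comment markers in them stay plain data.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def find_users_vulnerable(conn, prefix):
    """User-search box built the same unsafe way (returns usernames)."""
    sql = "SELECT username FROM users WHERE username LIKE '%s%%'" % prefix
    return [r[0] for r in conn.execute(sql).fetchall()]


def find_users_safe(conn, prefix):
    """Parameterized version: the wildcard is part of the bound value."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [r[0] for r in conn.execute(sql, (prefix + "%",)).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    # Classic authentication bypass: the comment marker "--" discards the
    # password check, so the attacker logs in as alice without her password.
    bypass = "alice' --"
    print("vulnerable:", login_vulnerable(conn, bypass, "anything"))  # alice
    print("safe:      ", login_safe(conn, bypass, "anything"))        # None

    # Data theft: a UNION turns the search box into a dump of the
    # password column, which is what "obtain the entire database" means.
    dump = "zzz' UNION SELECT password FROM users --"
    print("vulnerable:", find_users_vulnerable(conn, dump))  # the passwords
    print("safe:      ", find_users_safe(conn, dump))        # []
```

The two payloads are the ones the videos mentioned above teach: `alice' --` closes the string literal and comments out the rest of the WHERE clause, and `zzz' UNION SELECT password FROM users --` appends a second query whose result is returned as if it were usernames. Neither does anything against the parameterized versions, because the bound value never becomes SQL.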
SQLi has often served as the initial foothold in large breaches. The best-documented example is Heartland Payment Systems, where an injection flaw in a web application opened the way to the theft of some 130 million customer credit card records. The LinkedIn breach (117 million passwords) and the Target breach (40 million customer records) are often cited alongside it, but neither has been publicly attributed to SQLi; Target's intrusion began with stolen vendor credentials and point-of-sale malware.
Why Has It Been So Successful?
SQLi remains popular because it is easy and it works; it is hard to put it more simply than that. Attacks succeed because of:
Not using least privilege access–The account the web application uses to talk to the database is often given full or administrative rights, so any injected statement runs with those rights. An attacker who inherits them can read or alter every table, not just the ones the vulnerable page needs, and use the database server as a stepping stone deeper into the network.
Easy Attack Vector–SQLi is one of the easiest attack vectors to exercise, requiring nothing more than typing a crafted string into a form field or URL parameter that ends up inside a query.
Portal Architecture–This is where many of the issues start. If the portal is not planned from an architectural and design standpoint, with a clear boundary between untrusted input and the data layer, it is left open to this class of threat.
Trusting User Input–Treating user input as trustworthy and splicing it into queries without validation is the main reason SQLi is so prevalent.
Legacy Code–Sites frequently reuse legacy code without reviewing it because of time and cost constraints, and the old string-built queries come along with it.
Tough to Find All the Targets an Attacker Can Exploit–Risk grows with the number of servers and applications and with the volume of code. Every input that reaches a query is a potential target, and the attacker only needs the one that was missed.
Interactions of the servers, applications and volume of code–Interactions between components can create unexpected behaviour, for example data that one system treats as safe being used as a query fragment by another, leaving the business open to attack.
Budget–Budget constraints hold back upgrades to current hardware and software, and they limit the number of people developing and maintaining the portals and the network infrastructure. Employees are frequently expected to do more and are simply spread too thin.
Strategies to Fight SQL Injections
Businesses need to continually review and monitor their systems. A comprehensive strategy includes the following:
- Use a distributed security approach: encrypt sensitive data at rest and keep the keys somewhere other than the database, so that a dump of the tables alone is not enough
- Deploy perimeter security, such as a web application firewall; it catches known payloads but is no substitute for fixing the code behind it
- Use a parameterized API (prepared statements) instead of building query text for the interpreter, so that user data is bound as values and never parsed as part of the SQL; this is the single most effective control
- Use coding best practices. Invest the time and resources to ensure that the code used in your portal cannot be exploited, and review legacy code rather than assuming it is safe.
- Enforce least privilege access: give the application's database account only the rights the pages actually need, so an injection that does slip through cannot read or destroy everything
- Enforce the use of strong passwords
- Validate input against an allow-list (expected length, character set and format) and leave escaping to the database driver rather than hand-written scrubbing; validation is defence in depth, not a replacement for parameterized queries
- Keep all servers, services and applications patched and up-to-date
- Use penetration testing tools and regular tests to find injection points before an attacker does
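Three items in that list, and the least-privilege and trusting-input points from the previous section, fit together in one small support-portal lookup. The following is an added example, not code from the original article. It uses Python's standard sqlite3 module with a constructed tickets table, binds the customer name as a parameter, checks it against an allow-list first, and stands in for a real database's per-account GRANTs with SQLite's authorizer hook, which lets the portal's connection refuse any statement that is not a read of the tickets table. The schema, customer names and ticket text are made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_TICKETS = [("acme", "printer jam"), ("acme", "vpn down"),
                  ("globex", "password reset")]

# Allow-list for customer identifiers: short, lowercase, no punctuation.
# A quote, comment marker or semicolon can never pass this check.
CUSTOMER_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """Build the in-memory database the portal reads from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, "
                 "customer TEXT, body TEXT)")
    conn.executemany("INSERT INTO tickets (customer, body) VALUES (?, ?)",
                     SAMPLE_TICKETS)
    conn.commit()  # leave no open transaction before the authorizer is set
    return conn


def validate_customer(name):
    """Reject anything that is not a plausible customer identifier."""
    if not CUSTOMER_RE.fullmatch(name):
        raise ValueError("invalid customer name: %r" % name)
    return name


def read_only_tickets(action, table, column, db_name, trigger):
    """SQLite authorizer: the portal may SELECT from tickets and nothing else.

    Stands in for a least-privilege database account that holds only
    SELECT on one table. Any INSERT, UPDATE, DELETE, DROP or read of
    another table is refused when the statement is compiled.
    """
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and table == "tickets":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def portal_connection():
    """Open the connection the support portal uses, with privileges restricted."""
    conn = make_db()
    conn.set_authorizer(read_only_tickets)
    return conn


def tickets_for(conn, customer):
    """Portal lookup: validated input, bound as a parameter."""
    customer = validate_customer(customer)
    rows = conn.execute("SELECT body FROM tickets WHERE customer = ?",
                        (customer,)).fetchall()
    return [body for (body,) in rows]


def statement_denied(conn, sql):
    """Run one statement and report whether the connection refused it.

    Models an injected or stacked statement that got past the code:
    with least privilege it fails instead of deleting data.
    """
    try:
        conn.execute(sql).fetchall()
        return False
    except sqlite3.DatabaseError:   # SQLite reports "not authorized"
        return True


if __name__ == "__main__":
    conn = portal_connection()
    print(tickets_for(conn, "acme"))                 # ['printer jam', 'vpn down']
    try:
        tickets_for(conn, "acme' OR '1'='1")
    except ValueError as exc:
        print("rejected:", exc)
    print(statement_denied(conn, "DELETE FROM tickets"))          # True
    print(statement_denied(conn, "DROP TABLE tickets"))           # True
    print(statement_denied(conn, "SELECT count(*) FROM tickets")) # False
```

The layering is the point: the parameterized query stops injection, the allow-list rejects obviously hostile input before it reaches the database and gives you something to log, and the restricted connection limits the damage if a query somewhere else in the portal was built the old way. On a server database the equivalent of the authorizer is a dedicated account with GRANT SELECT on the tables the page needs and nothing more.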
Parting Words
No single mechanism will secure a business from SQLi; it takes the combination of the strategies above. Applied together, they substantially reduce the risk of a successful attack.