Did you know that SQL Injection was first discovered 17 years ago? Yet it still tops OWASP's list of vulnerabilities.

According to a Barclays report, 97 percent of data breaches worldwide are due to SQL injection, and still most companies do not have a feasible solution for it.

What is this vulnerability? How does it affect your applications? What can you do about it, and how do you stop SQL injection? Here's a guide to help you understand this OWASP vulnerability and its business implications.

What is SQL Injection?

Most web applications interact with a database using a machine-understandable language called Structured Query Language (SQL). Attackers use the input fields of web applications to run arbitrary queries on the server (the injection); hence, the attack is called SQL Injection or SQLi.

[Image: About SQL Injection]
  1. Hackers use your input fields to inject malicious code.
  2. The server executes the code received from the browser.
  3. Once a hacker gains control, he can steal, edit or delete sensitive data, or exploit other admin rights.


Common SQL injection attacks lead to loss of data or denial of access. However, over the years, hackers have combined these attacks with insufficient authentication, DNS hijacking, XSS, and DDoS to cause heavy financial damage and complete host takeover. Following are some of the most infamous SQL injection attacks from recent years.

March 2010: Albert Gonzalez was sentenced to 20 years. He installed his code on the credit card server of Heartland Payment Systems and stole 130 million credit card numbers. The attack cost the company around $12 million.

June 2012: An unconfirmed SQL injection attack gave Russian hackers 6.5 million user credentials from LinkedIn.com.

July 2012: 453,000 email addresses and passwords of Yahoo Voices users were leaked.

October 2014: Drupal announced that it was highly vulnerable to the attack.

February 2015: One million WordPress websites were found vulnerable to SQL injection attacks.

Mass Automated SQL Injection Bots on Businesses

How do attackers even know about your vulnerability?

Step 1:

Attackers use automated mechanisms, including bots and scanning software, to scan thousands of websites looking for SQL injection flaws. Some of the most commonly tested fields are URLs and forms. It is difficult to stop SQL injection at this stage.

Step 2:

The reported vulnerabilities are manually tested by the attacker. He analyzes the severity of the vulnerability and penetrates the database.

Step 3:

A fake input command is crafted with the vulnerability in mind and then tested in real time. If it grants access to the database, the attacker can trick the application into giving away all of its records.

Step 4:

More dangerous attackers look for other vulnerabilities and exploit them all at once for illicit financial gain and control of the host.

Example:

A login form is one of the most common ways to verify a user.

[Image: About SQL Injection]

The corresponding server code for the verification function is:

[Image: About SQL Injection]

Now, a hacker simply needs to enter " or ""=" into either of the input boxes to make the SQL condition always true. The query will then return all the rows from the Users table.

[Image: About SQL Injection]

How to stop SQL Injection attacks

Preventing or mitigating SQL injection attacks is largely about ensuring that none of your fields accept invalid input that the application then executes. Clearly, it is impossible to manually check every page and every application on the website, especially when updates are frequent and user friendliness is the top priority.

Nonetheless, security analysts and seasoned developers suggest the following points to ensure your databases are well protected within the confines of the server.

1) Continuous Scanning and Penetration Testing

Automated web application scanners have been the best choice for pointing out vulnerabilities within web applications for quite some time now. Now, with SQL injection attacks getting smarter at exploiting logical flaws, website security professionals should also explore manual testing with the help of a security vendor.

Such testing checks user inputs against a set of rules for syntax, type, and length, and audits application vulnerabilities discreetly so that you can patch the code before hackers exploit it to their advantage.

2) Restrict Privileges

It is more of a database management function, but enforcing specific privileges for specific accounts helps prevent blind SQL injection attacks. Begin with an account that has no privileges and add 'read only', 'edit', 'delete' and similar privilege levels only as needed.

Minimizing the privileges of the application account ensures that an attacker who gets into the database through the application cannot make unauthorized use of specific data.

3) Use Query Parameters

Dynamic queries create a lot of trouble for security professionals. They have to deal with varying vulnerabilities in each application, which only gets worse with updates and changes. It is recommended that you use parameterized queries instead.

These queries are simple and easy to write, and they only execute when each parameter in the SQL code is clearly defined. This way, your database is able to distinguish between code and data inputs.
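The following is an added example (not code from the original post, which shows the server code only as an image) that ties the login-form example above to the parameterized-query advice in point 3. It uses Python's sqlite3 with a constructed in-memory Users table; because the strings are single-quoted here, the payload is the single-quote form ' or ''=' of the article's " or ""=".

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original page.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Name TEXT, Pass TEXT, Role TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con, name, password):
    # The pattern the article's example describes: user input is pasted into
    # the SQL text, so the database parses it as part of the statement.
    sql = ("SELECT Name, Role FROM Users WHERE Name = '" + name +
           "' AND Pass = '" + password + "'")
    return con.execute(sql).fetchall()


def login_parameterized(con, name, password):
    # Same query with placeholders: the driver sends the values separately
    # from the SQL, so they can only ever be compared as data.
    sql = "SELECT Name, Role FROM Users WHERE Name = ? AND Pass = ?"
    return con.execute(sql, (name, password)).fetchall()


# Single-quote form of the article's  " or ""=  payload. In the concatenated
# query it turns the WHERE clause into ... OR ''='' ..., which is always true.
PAYLOAD = "' or ''='"


def demo():
    con = make_db()
    return {
        "honest_vuln": login_vulnerable(con, "alice", "s3cret"),
        "payload_vuln": login_vulnerable(con, PAYLOAD, PAYLOAD),   # every row
        "honest_param": login_parameterized(con, "alice", "s3cret"),
        "payload_param": login_parameterized(con, PAYLOAD, PAYLOAD),  # nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```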

4) Instant Protection

A majority of organizations face problems like outdated code, a scarcity of resources to test and make changes, no knowledge of application security, and frequent updates to the application. For these, web application protection is the best solution.

A managed web application firewall can be deployed for immediate mitigation of such attacks. It contains custom policies to block suspicious input and deny a database breach instantly. This way, you do not have to manually look for loopholes and mend the problems afterwards.


Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various management/leadership roles in Product Development, Professional Services and Sales @Entrust.