SQL Injection

SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.

In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

Web applications allow legitimate website visitors to submit and retrieve data to/from a database over the Internet using their preferred web browser. Databases are central to modern websites – they store data needed for websites to deliver specific content to visitors and render information to customers, suppliers, employees and a host of stakeholders. User credentials, financial and payment information, company statistics may all be resident within a database and accessed by legitimate users through off-the-shelf and custom web applications. Web applications and databases allow you to regularly run your business.

SQL Injection is the hacking technique which attempts to pass SQL commands (statements) through a web application for execution by the backend database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view information from the database and/or even wipe it out.

Such features as login pages, support and product request forms, feedback forms, search pages, shopping carts and the general delivery of dynamic content, shape modern websites and provide businesses with the means necessary to communicate with prospects and customers. These website features are all examples of web applications which may be either purchased off-the-shelf or developed as bespoke programs.

Mitigation

  • Discovery and Assessment

Scan for Vulnerabilities: Understanding vulnerabilities that expose databases to SQL injection is essential. Malware may be looking to exploit known database vulnerabilities, making un-patched databases an easy target. Weak authentication rules can enable a DoS attack by granting access to a database without needing a password. Use vulnerability assessment tools to detect security vulnerabilities, misconfigurations, and missing vendor patches. Assessments should use industry best practices for
database security, such as DISA STIG and CIS benchmarks.

Calculate Risk Scores: Score risks based on the severity of vulnerabilities and the sensitivity of the data. Severity values should be based on known systems such as the Common Vulnerability Scoring System (CVSS). Risk scores help prioritize risk, manage, and research vulnerabilities. In this case, higher risk scores would relate to SQL injection.

Mitigate Vulnerabilities: If a vulnerability is discovered and the database vendor hasn’t released a patch, a virtual patching solution should be used. Applying virtual patches will block attempts to exploit vulnerabilities without requiring actual patches or changes to the current configuration of the server. Virtual patching will protect the database from exploit attempts until the patch is deployed. Again, focus on patching high-risk vulnerabilities that can facilitate DoS and SQL injection attack.

Monitoring and Blocking

Real-Time Alerting and Blocking: Monitor all database access activity and usage patterns in real time to detect data leakage, unauthorized SQL transactions, and protocol and system attacks. When attempts to access unauthorized data occur, generate alerts or terminate the user session. Use a solution that leverages policies – both pre-defined and custom – that inspect database traffic to identify patterns that correspond to known attacks, such as DoS attacks, and unauthorized activities. Security policies are useful for not only detecting excessive privilege abuse by malicious, compromised, or dormant users, but also for preventing most of the other top ten database threats.

Detect Unusual Access Activity: Establish a comprehensive profile of each database user’s normal activity. These baselines provide the basis for detecting DoS, malware, SQL injection, and anomalous activities. If any user initiates an action that does not fit their profile, log the event, generate an alert or block the user. Creating activity-based user profiles increases the likelihood of detecting inappropriate access to sensitive data.

Block Malicious Web Requests: Because Web applications are the most common vector for initiating a SQL injection attack; the first line of defense is to use a Web Application Firewall (WAF). A WAF will recognize and block SQL injection attack patterns that originate from Web applications.

To protect against SQL Injection attacks, a WAF should:

› Inspect HTTP parameter values for special characters like apostrophes and brackets and know whether these characters are expected or indicative of an attack.
› Use application signatures and policies of known SQL injection patterns to alert and block