How to Test for and Mitigate SQL Bugs


SQL injection is a form of cyberattack in which an attacker inserts malicious SQL into the queries an application sends to its database server. A successful SQL injection can take control of the application and bypass its security measures. SQL injections are among the oldest and most common forms of web application attack.

In 2017, the Open Web Application Security Project (OWASP) named SQL injection as one of its top 10 web application security risks. In recent years, 7-11 and Hannaford Brothers Company were victims of SQL injection attacks. Any organization that uses an SQL database, e.g. MySQL, Microsoft SQL Server or Oracle, can have its websites or applications compromised.

What Is the Potential Damage That SQL Injections Incur?

Hackers use SQL injections to gain unauthorized access to confidential or sensitive information, such as personally identifiable information (PII), intellectual property or trade secrets. Cybercriminals may also obtain usernames and passwords, gain administrative rights to IT systems and cause serious harm to an organization. In worst-case scenarios, an attacker may completely destroy a database.

State, federal and international agencies mandate compliance with cybersecurity regulations. In the event of a data breach, organizations face steep fines, sometimes to the tune of several million dollars. Not only is a company’s bottom line affected, but it also risks damage to its reputation, e.g. losing customer trust and confidence.

How SQL Injection Attacks Work

SQL’s standardized language enables users to interact with databases to view and manipulate data. With SQL, users can:

  • Retrieve and organize data
  • Conduct updates
  • Remove data records and more

SQL injections target architectures in which web applications are connected to a back-end database server. Users interact with SQL databases through commands and queries. For example, a user might run a product search based on keywords they enter. The resulting queries are built from SQL keywords, e.g. “ADD,” “DELETE,” “CREATE TABLE,” and “INDEX,” which drive the tasks the database performs.

SQL injections can arrive over port 80, the port associated with the internet and HTTP, whenever it is open. Hackers attempt to manipulate SQL queries wherever database vulnerabilities exist. These exploits become possible whenever certain safeguards are missing, such as when SQL queries are executed without checking or validating the data. Examples include the lack of a user-input filter, of stored procedures (data validation or access-control code that is saved in the database and reused), or of bind parameters.

By nature, webpages receive user input including search terms, comments and inquiries, and usernames and passwords. Without validation or some other preventive measure, there is nothing blocking a hacker from injecting the malicious command or code.

Common SQL Injection Scenarios

First-order SQL injection occurs when the malicious code has an immediate impact. Second-order attacks occur when the malicious code is not applied immediately; instead it is stored and activated at a later time. Second-order attacks are deceptive in that, once the data has passed through the filters, it is deemed clean and trusted for later use.

The following SQL injection attack instances involve deceiving search engines and form authentications to compromise data or functionality:

Search Engine SQL Injection Attack

Term search is a common web page function, whereby users input related words or phrases, comments or inquiries, or login credentials. Without filtering, hackers are able to input code that lets them interact with the database maliciously, such as accessing and manipulating a table of client accounts. For example, a cybercriminal can inject SQL statements that are appended to the application’s own query.

Union Select SQL Injection Attack

In a UNION SELECT SQL injection, the attacker combines two unrelated SELECT statements (queries used to read data from a database) to draw data from two different tables. This form of SQL injection can be particularly damaging, for example, if the attacker is after username and password credentials that are stored in two different locations.

Error Handling SQL Injection Attack

Whenever something is amiss in an application, an error message may be displayed that reveals information about the application, network or database structure. Unfortunately, an attacker can use such error handling to obtain privileged information about a database and exploit it in an SQL injection attack. Hackers can uncover system or application vulnerabilities by sending unsuitable inputs that create invalid SQL queries. If the system is configured to return a detailed error message, the attacker can use that information to refine a plan of attack.

How to Detect SQL Injection Attacks

First it is important to know the points of entry for SQL injection attacks. The most common targets include search pages, profile pages, forms requiring authentication, e-commerce or financial account pages, databases exposed through public APIs and Distributed Component Object Model (DCOM) methods, and clients of database systems.

Identify and list all of the high-risk components that use SQL; a table format works best. Every web page that takes input which ends up in an SQL statement should be listed. Be sure to include the following details:

  • Code hosting method
  • Query string name (where applicable)
  • Variable names that impact the query construction

Next, identify the points of entry where SQL injection attacks can occur, i.e. how each web page receives its input. Entry points may be intended, where the program or application expects the input, or unintended, where the input is not expected.

Examples of SQL injection entry points include URL bars, public APIs and network packets. For each listed component, record how it receives its input, then verify that the component’s data is not passed in by any other method.

How to Protect Your Organization from SQL Injection Attacks

Install SQL injection detection

Your detection should be able to identify SQL injections with filters that inspect the SQL commands being sent to your site. It should also be able to pinpoint signs of evasion techniques, or of some kind of malicious command being deployed. A good vulnerability scanner will detect the most common web page intrusions.
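As an added illustration of the kind of filter described above (not code from the original article or from ThreatModeler), the following detector normalises the query string of each request the way an injection filter would, decoding percent-encoding and removing the inline comments used to break up keywords, and then matches a small set of signatures. The access log lines, signature names and table names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, unquote

# Normalise a raw query string before matching: percent-decode (twice, to catch
# double encoding), strip inline comments, collapse whitespace, lower-case.
def normalise(raw):
    text = unquote(unquote_plus(raw))
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower()

# Signatures for the scenarios discussed in the article: UNION SELECT,
# always-true conditions, comment terminators and stacked statements.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b(?: all)? select\b")),
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("comment-terminator", re.compile(r"(--|#)\s*$")),
    ("stacked-statement", re.compile(r";\s*(drop|delete|insert|update)\b")),
]

def scan_query_string(raw):
    """Return the names of the signatures that fire on one query string."""
    text = normalise(raw)
    return [name for name, pat in SIGNATURES if pat.search(text)]

# Constructed sample log lines in the form "client request-path?query".
SAMPLE_LOG = [
    "203.0.113.5 /search?q=blue+widget",
    "203.0.113.9 /search?q=%27+UNION%2F%2A%2A%2FSELECT+username%2Cpassword+FROM+accounts--",
    "203.0.113.7 /login?user=admin%27+OR+%271%27%3D%271",
    "203.0.113.8 /item?id=42%3B+DROP+TABLE+products",
]

def scan_log(lines):
    """Map each suspicious request to its findings; clean requests are omitted."""
    findings = {}
    for line in lines:
        _client, _, request = line.partition(" ")
        _path, _, query = request.partition("?")
        hits = scan_query_string(query)
        if hits:
            findings[request] = hits
    return findings
```

Signature matching of this kind catches the common cases; it is a complement to parameterized queries, not a substitute for them.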

Use parameterized stored procedures

You can use SQL parameters to prevent SQL injection attacks. Parameters set predefined conditions on certain types of input and help to limit the output to only the relevant part of the entire result set. Parameterized stored procedures, which are user-defined subroutines, control the variables involved in the “in and out” exchange of values and considerably reduce the likelihood of a successful SQL injection. If stored procedures are the only way users can access data, the control is overarching: permission is granted via EXECUTE on the procedure and does not need to be granted on any individual data table.
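To show why binding parameters defeats the UNION SELECT scenario described earlier, here is an added example (not code from the original article or from ThreatModeler) that builds a constructed in-memory SQLite database with an assumed `products` table and `accounts` table, then runs the same search term through a string-concatenated query and a parameterized one.

```python
import sqlite3

# Constructed sample schema standing in for a product catalogue and a separate
# account table; table and column names are assumptions for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL);
        CREATE TABLE accounts (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('widget', 9.99), ('gadget', 19.99);
        INSERT INTO accounts VALUES ('alice', 'hash-of-alice-secret');
    """)
    return conn

# Vulnerable pattern: the search term is spliced into the SQL text, so the
# user's input becomes part of the query structure.
def search_concat(conn, term):
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

# Hardened pattern: the SQL text is fixed and the term is bound as a
# parameter, so it can only ever be compared as a literal string.
def search_param(conn, term):
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()

# Constructed input of the UNION SELECT shape the article describes.
UNION_TERM = "' UNION SELECT username, password_hash FROM accounts --"

def demo():
    conn = build_db()
    leaked = search_concat(conn, UNION_TERM)  # rows pulled from accounts
    safe = search_param(conn, UNION_TERM)     # no product has that name
    return leaked, safe
```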

Install Web Application Firewalls

Deploy a Web Application Firewall (WAF) that is configured to detect and block SQL injection attacks. Set your WAF to inspect HTTP traffic for suspicious activity. While a WAF adds a basic layer of protection, it is recommended to take additional security precautions.

Validate and sanitize data

Conduct data validation and sanitization on all input, regardless of the source, whether it comes from users, customers or a cookie. Data should be validated for correct type, length and range, and content should be accepted only if all conditions are met. Few, if any, exceptions should be made.

Restrict access and administrative privileges

Administrators should restrict privileges at the server and data levels, so that an attacker has an extra layer of security to bypass before carrying out any invasive task. A good rule of thumb is to grant only the minimum privileges, with access to only the resources users need to complete their tasks.

Add an extra level of data encryption

Encryption adds an extra layer of security to your data. When administrators add encryption, they encode the data so that it is scrambled and unreadable, and the only way to decode it is with the encryption key. One related example is known as a salted hash. In a salted hash, IT administrators add random characters (the salt) to the data prior to calculating its hash. The hash function converts one value into another and serves as a way to identify the data. Salted hashes help to stave off hackers who attempt to recover stored passwords using dictionary or brute-force attacks.

ThreatModeler is an automated tool that helps organizations to identify threats and secure their IT architecture and applications against them. ThreatModeler’s automated functionality helps IT managers to map out threats across their entire IT ecosystem. ThreatModeler can help your company to identify vulnerabilities that can lead to an SQL injection attack.

Mitigate SQL Injection Threats with ThreatModeler

ThreatModeler stays up to date with the latest forms of cyberattack to help organizations defend their entire attack surface. To learn more about ThreatModeler’s out-of-the-box information security solution, request a free evaluation of the ThreatModeler platform or contact us to speak with an application threat modeling expert today.
