Industry sources state that between 2005 and 2011, 83% of successful hacking-related data breaches used SQL injection (SQLi). This is an attractive attack method because it’s easy and yields results for the hacker.
It’s easy because readily available tools, such as sqlmap and Havij, automate the detection and exploitation of SQL flaws and reduce the need for specialised hacking knowledge; databases using SQL are near universal, providing a target-rich environment; and poor coding is extremely prevalent, allowing the attack to succeed.
It yields results because a successful attack allows identity spoofing, tampering with existing data, the complete disclosure or destruction of data, and the escalation of access rights on the database and (possibly) the database server. Additionally, databases tend to contain the sort of information hackers can monetise or use, such as commercial, financial or personal data.
The Information Security Forum (ISF) and its members recognise the key to reducing vulnerability is development and testing.
When creating a database, one of three approaches to handling queries should be adopted.
First, consider prepared statements in which all the SQL code is defined, allowing code and data to be distinguished, regardless of what user input is supplied.
Second, consider stored procedures in which the SQL code for a stored procedure is defined and stored in the database itself, and then called from the application.
Third, consider escaping all user-supplied input, using the escaping routines the database management system (DBMS) provides so that input cannot be interpreted as SQL code, thus reducing the SQL injection vulnerability. This third approach can be retrofitted to legacy applications.
Finally, test the application and its database thoroughly, including using attack tools, before promotion to the live environment or after any change, whether developed in-house or not. Once live, conduct regular testing to ensure the database is still secure, as SQL injection attacks are evolving and becoming more sophisticated.
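The first approach above, shown beside the flaw it removes. This is an added example, not code from the article or the ISF; it assumes Python's built-in sqlite3 module, a constructed in-memory user table, and a hypothetical login lookup:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite table standing in for
    the application's user store. Passwords are held in clear only to
    keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so the database
    cannot tell the developer's code from the user's data."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened (prepared statement): the SQL is fixed up front and the values
    are bound as parameters, so whatever is supplied is only ever data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = build_db()
    # Textbook tautology string, used here only as a test input to show the
    # difference between the two query styles.
    probe = "' OR '1'='1"
    print("concatenated:", login_concat(db, probe, probe))      # every user returned
    print("prepared    :", login_prepared(db, probe, probe))    # []
    print("valid login :", login_prepared(db, "alice", "s3cret"))  # ['alice']
```

The same test input that makes the concatenated query match every row is simply a non-matching username when bound as a parameter; the application's test suite should include such inputs so the check runs on every change, as the article recommends.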
Adrian Davis is principal research analyst at the Information Security Forum (ISF).
This was first published in September 2012