Risk
11/2/2009
01:14 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Thwarting SQL Injection Threats

New Dark Reading report explores what database developers and database administrators can do about the pervasive SQL injection attack

[Excerpted from "SQL Injection: A Major Threat to Data Security", a new report published today in Dark Reading's Database Security Tech Center.]

Every time you turn around these days, it seems there's news of yet another wide-scale attack perpetrated through SQL injection. Forensics have proven that the biggest breaches of the last several years—Heartland Payment Systems, Hannaford Brothers, and even TJX—were all made possible through blended attacks. And yet many IT experts within the enterprise aren't even aware of how pervasive these attacks truly are nor what to do about them, according to "SQL Injection: A Major Threat to Data Security" a new report published today by Dark Reading.

At its root, the basic SQL injection technique is made possible by the fact that the mushrooming number of new applications hitting the Web today touch some sort of database in order to offer users easy access to information.

In any typical front-end application, there is usually a means to interact with the database via some sort of search box. When users enter their search term into that box, the middleware essentially stuffs that term into a query that is run against the database in order to pull up the requested information from a particular category in the data store.

But if a knowledgeable malcontent writes certain SQL commands within that front-end search box, he or she often gets the middleware application to perform a completely different query against the database in order to gain far more access to information and to the database itself than the developer ever intended. Instead of a product search, for instance, an attacker could potentially get the application to retrieve credit card information stored within the database.

"That's the really basic idea of SQL injection, it's just typing stuff into the Web app and actually getting it to execute against the database," says Josh Shaul, vice president of product management for Application Security Inc., a database security company.

But hackers have actually managed to refine that very basic idea into quite sophisticated attacks. One of the most common is the automated mass injection. In these cases, hackers are writing automated crawler programs to search for Web applications vulnerable to simple SQL injection and then to install Java script redirectors into the databases behind public Websites.

"Basically, what these people are doing is they're trying to use legitimate Websites in order to attack innocent victims," says Tom Cross, a vulnerability researcher for IBM ISS X-Force.

These types of attacks actually make up the most in the growing volume of SQL injection attacks on the network today—a number that has skyrocketed over the past year. The number of daily SQL injections jumped by 50 percent from Q4 of 2008 to Q1 of 2009 and then nearly doubled during Q2 of 2009, according to IBM ISS X-Force research.

But perhaps even more troubling are the type of targeted SQL injection attacks that criminals are using to loot corporate data stores. In cases such as the Heartland Payment Systems breach, attackers use SQL injection as a foothold into a database server, from which they can launch other attacks deeper into better-protected network systems.

In order to protect against both mass injections and targeted attacks, organizations need to take a multifaceted approach, says Michael Howard, principal security program manager at Microsoft. "It's a combination of reducing attack surface, solid database administration and maintenance, as well as good, secure coding practices," Howard says.

On the coding side of the house, developers need to understand that they must filter SQL statements out of the input so that middleware does not send them to the database.

"If the application isn't doing that effectively, the database itself can't differentiate between SQL statements that are being issued by the application and SQL statements that are being issued by the attacker," Cross says.

For applications that already exist and may have vulnerabilities, Web application firewalls can help mitigate risks. But DBAs need appropriate layers of back-end security to add to the front-end Web application firewall. This means providing themselves with the visibility of monitoring tools to see how and when the application is accessing the database in order to perform forensics analysis and prevent future attacks once they see evidence of on-going malfeasance.

DBAs need to follow a number of other best practices, including patching their databasese properly, limiting functionality to only what is needed, and better managing passwords.

"Even the DBA can make a difference in terms of whether they're utilizing best practices in setting access controls," says Philip Lieberman, CEO of Lieberman Software, an account and password management firm. "The DBAs are really the core of this because they're really the protectors of the database."

To download the full text of the new Dark Reading report, click here.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5316
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page.

CVE-2014-5320
Published: 2014-09-21
The Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.

CVE-2014-5321
Published: 2014-09-21
FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319...

CVE-2014-5322
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640.

CVE-2014-6602
Published: 2014-09-21
Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.

Best of the Web
Dark Reading Radio