• Experts Explain: SQL Injection

    Website security is an arms race. Malicious hackers modify their methods constantly to infect benign and legitimate websites with web-malware. One of the most common techniques used to compromise millions of websites is called SQL Injection.

    SQL injection attacks have been making headlines increasingly in the past few months. This highlights the sorry state of security practices and poorly implemented websites. In this article we will delve into detail about SQL injection, how to identify vulnerabilities, how to stop them from being exploited and more.

    What is SQL?
    SQL is an abbreviation for Structured Query Language. SQL is a computer programming language that is used to interact with software called databases. These databases are containers of information. The information can range from home addresses, usernames and passwords to social security numbers, entire movies and more.

    Why do we need SQL?
    Programmers and software need to use SQL in order to interact with information stored in databases. SQL is a standardized way to ask questions and retrieve results from a database.

    SQL also allows for questions (also called queries) asked of a database to be optimized in a manner that speeds up their processing and provides the answer faster. Thereby, SQL is a very important tool for interacting with data storage systems, like databases, if you would want to store or retrieve information easily, reliably and quickly.

    Why does my website use SQL?
    SQL allows a website to become “dynamic.” A website no longer needs to be a collection of “static” webpages. SQL allows webpages to store and display user information such as: usernames, passwords, addresses, credit card numbers and much more.

    Visitors can now not only read information on the webpages, but can also interact with the website by storing information about themselves. This information stored in databases can be used to provide a customized experience for the website visitors. A good example of the functionality a website gains by the use of SQL and databases, is allowing users to create a personal account on the website, like Google or Facebook.

    What is a code injection attack?
    A code injection attack is basically an unwanted request for a website to run malicious computer code. These attacks succeed by exploiting weaknesses in the software that is powering the website or by other means, such as compromised passwords (FTP).

    This kind of an attack usually starts when a malicious hacker identifies a weakness in the way a website handles user input and exploits that weakness to run malicious computer code, in order to infect (maliciously change content) the web pages on the website. This could allow the malicious hacker to (1) steal information from the compromised website (2) infect the visitor viewing the compromised website and more.

    What vulnerabilities lead to SQL Injection attacks?
    There are many reasons why an SQL Injection attack becomes successful. One of the primary reasons is that website developers often forget that they should never trust user input. Forgetting this rule of thumb has severe consequences.

    SQL injection attacks primarily succeed when the programs powering website forms (a form is any area on a website that accepts user input, like a username and password box) use the data provided by the visitor directly in their SQL queries to a database. This is dangerous.

    Malicious hackers can exploit mistake, “injecting” malicious input, unexpected by the computer code powering the website, to change the SQL query into a malicious one that may request valuable or sensitive information from the database instead of what the original author intended.

    An example of SQL Injection
    Consider the relatively recent spate of attacks on millions of websites that led to the injection of the following code:

    <script src="hxxp://lilupophilupop.com/
    

    Is your site vulnerable to SQL injection?
    There are many ways to check if your website is vulnerable to SQL Injection.

    1. Determine if the code powering your website takes user input directly to create an SQL query. If so, you should modify this behavior immediately.
    2. Find out if the software that powers your website is out of date. If it is, apply all recommended patches or upgrade to the latest version of the software.
    3. Find out if the third party plugins that your website uses, for example those used to dynamically resize images etc., have SQL injection vulnerabilities.
    4. Conduct a vulnerability assessment scan of your website to find additional SQL Injection vulnerabilities. Fix any you find as soon as possible.

    Protect your site from SQL injection
    You can protect your website from SQL Injection attacks by taking the following precautions:

    1. Make sure that the software powering your website does not trust user input blindly. If you wrote it yourself, you need to sanitize user input and never use this input directly to form SQL statements or query a database.
    2. Make sure all application software like WordPress, CMSs, and third party plugins are updated to the latest version and are fully patched.
    3. Make sure you identify all SQL injection vulnerabilities on your website using vulnerability scans.
    4. Use a Web Application Firewall (WAF) and a network firewall to prevent malicious access to the website.

    Conclusion
    SQL injection is a popular vector for malicious hackers to exploit and infect websites. We have seen what SQL injection is, how it is used by hackers and how to protect your website.

    StopTheHacker.com customers have access to resources that protect against these kind of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.