With so many modern-day applications driven by data and easily accessible via the web, SQL injection vulnerabilities have become widespread and exploited simply by criminals.
In the first quarter of 2019 alone, the UKFast Threat Monitoring service detected nearly 30,000 SQL injection attempts on our clients’ servers. On a global scale, this type of cyber-attack affects millions of organisations every single day.
Any data-driven applications employing an SQL database are potential targets, so what can you do to protect them?
Hackers craft a malicious SQL statement into input fields for execution by the underlying SQL database. This then causes the application to perform the action written in the malicious code.
This type of attack is caused by improper coding of vulnerable web applications. These flaws arise because entry fields made available for user input unexpectedly allow SQL statements to go through and query the database directly.
Often carried out with the aim of stealing personally identifiable information (PII), an SQL injection attack can have several devastating consequences. These include:
So, with so much at stake, what can you do to protect your website and applications from SQL injection attacks?
Parameterised statements are dynamic, allow for faster execution and are the number one way to prevent SQL injection attacks.
Utilise parameterised database queries with bound, typed parameters and careful use of parameterised stored procedures in the database.
This ensures that the statements inputted into your SQL database are safe. The string and parameters are passed to the database separately (allowing the database driver to correctly interpret them) so your code isn’t vulnerable to attack.
This can be accomplished in a variety of programming languages including Java, .NET and PHP.
Want to know more about how to protect against web-based attacks this Black Friday, Cyber Monday and Christmas? Sign up for our FREE webinar now and get expert advice from a panel of security specialists.
A WAF has thousands of rulesets which cover several common application-layer attacks including SQL injection. As a first layer of defence, using a WAF means that even if your code does contain some weak links, you’re still giving your web apps effective protection from SQL injection attempts.
Hackers are constantly probing the internet and websites for flaws in their code. Tools that automate the discovery of SQL injection flaws, and exploit them, allow for quicker return on investment for cybercriminals and increased chances of success.
Specialised vulnerability scans dedicated to SQL injection will help you to detect SQL injection flaws and related web vulnerabilities. Combine with a service such as Threat Monitoring to proactively monitor network activity and detect a wider range of vulnerabilities in your systems.
Vulnerability scanning on the whole will help you to keep all web application software components including libraries, plug-ins, frameworks, web server software and database server software up to date. Ensure you keep up with the latest security patches available from vendors.
An Object Relational Mapping (ORM) framework can be written in a number of different programming languages and is designed to virtually wrap around a database such as your SQL database.
The framework won’t give you immunity to SQL injections but does allow you to construct SQL queries in a language that you know and are comfortable with. This makes the process simpler and leaves less room for errors in the code which may be exploited. Its range of prebuilt features can also bolster security – for example, using SQLAlchemy (a toolkit for python) – and uses parameterised statements as standard.
If your database does get compromised, employing the basis of least privilege stops the attacker from accessing other parts of the network.
Utilise the principle of least privilege when provisioning accounts used to connect to the SQL database. For example, if a website only needs to retrieve web content from a database using SELECT statements, do not give the site’s database connection credentials other privileges such as INSERT, UPDATE or DELETE privileges.
In many cases, these privileges can be managed using appropriate database roles for accounts. Never allow your web application to connect to the database with administrator privileges. Do not use shared database accounts between different web sites or applications.
If you do encounter an SQL injection attack, password hashing will also prove imperative to minimise the damage as all passwords will be unreadable.
Storing any unencrypted passwords within your organisation is a major security flaw in itself. Applications should store user passwords as strong, one-way hashes, preferably salted. This mitigates the risk of malicious users stealing credentials, or impersonating other users.
Want to know more about how you can protect against web-based attacks this Black Friday, Cyber Monday and Christmas?
Sign up for our FREE webinar now and get expert advice from a panel of security specialists.