The acronym SQL (pronounced SEQUEL) stands for Structured Query Language, a language for querying and editing information stored in a relational database management system. SQL was developed in the early 1970s by a team working for IBM. Shortly after that, in 1979, a company called Relational Software, which later became Oracle Corporation, released its own modified version of SQL. Today, SQL is used in many products, including Microsoft’s SQL Server.
Introducing SQL Injection
SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. The most alarming news about this vulnerability is that OWASP has treated it as the number one vulnerability in the OWASP Top 10 ranking for the last 10 years, and it still holds that position today. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code before it is executed by the database. If the SQL injection is successful, attackers can cause their own code to run.
From the attacker’s point of view, vulnerability to SQL injection is very easy to sense. Visiting a suspect site and getting it to generate error messages can indicate a potential vulnerability to this type of attack. In addition, the availability of automated and effective tools has increased, setting the bar even lower for successful execution of the attack. Finally, this type of attack is very attractive for an attacker to perform because of the value of the information that can be obtained. Information, especially personal information, can be sold on the black market for considerable amounts of money, depending on what it is.
SQL Attacks in Action
In 2011, Sony Corporation was the target of a SQL injection that compromised a multitude of accounts (estimated at over one million e-mail addresses, usernames, and passwords). The attack was the result of a known vulnerability that could have been discovered through pen testing.
In 2013, the U.S. Department of Energy (DoE) and the U.S. Army also found themselves victims of SQL injection. The FBI revealed that a minimum of 100,000 records, including social security numbers of current and former federal employees, were compromised. In addition, 2,800 of the records obtained included bank account numbers.
When it examined this attack, the FBI revealed that not only the DoE and the Army were impacted; NASA, the U.S. Missile Defense Agency, and the Environmental Protection Agency were also affected. Details of these attacks have not been fully released as of this writing.
SQL injection is accomplished through the insertion of characters into existing SQL commands with the intention of altering their intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.
In the following example, the application places the attacker’s username, link, after the = sign following WHERE owner, and the attacker supplies the string 'name'; DELETE FROM items; -- as the value for itemName. The string is spliced into the existing SQL command, and the query becomes the following two queries:
SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items; --
Many of the common database products, such as Microsoft’s SQL Server and Oracle’s Siebel, allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing which database is being attacked is essential.
If an attacker enters the string 'name'; DELETE FROM items; SELECT * FROM items WHERE 'a' = 'a', the following three valid statements will be created:
SELECT * FROM items
WHERE owner = 'link'
AND itemname = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a' = 'a';
A few steps to prevent SQL injection attacks: use input validation, which ensures that only approved characters are accepted; use whitelists, which define the safe characters, and blacklists, which define the unsafe ones; and conduct vulnerability assessments and penetration testing, either through an internal IT/cyber security team or through a cyber security service provider, to ensure that no SQL injection-related vulnerability has inadvertently been left in the web application or website. The internal IT/cyber security team can use AppSpider, Acunetix, Burp Suite, and Metasploit Pro for vulnerability assessment and penetration testing.
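As an added example that is not part of the original text, the concatenated query from the example above is run beside its parameterised form and a whitelist check against a constructed in-memory SQLite table (table and column names from the page, sample rows invented). sqlite3's executescript() stands in for a batch-capable engine such as SQL Server, and its execute() for an engine that refuses stacked statements.

```python
import re
import sqlite3

# Constructed sample table: user "link" owns two items, "zelda" owns one.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("link", "name"), ("link", "shield"), ("zelda", "ocarina")])
    return conn

# The itemName value from the page; the application adds the surrounding quotes.
PAYLOAD = "name'; DELETE FROM items; --"

def build_vulnerable_sql(owner, item_name):
    """String concatenation: the item name becomes part of the SQL text."""
    return (f"SELECT * FROM items WHERE owner = '{owner}' "
            f"AND itemname = '{item_name}'")

def count_items(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]

def run_batch(conn, owner, item_name):
    """Engine that allows batch execution: the injected DELETE runs."""
    conn.executescript(build_vulnerable_sql(owner, item_name))
    return count_items(conn)

def run_single_statement(conn, owner, item_name):
    """Engine that refuses stacked statements: the attack errors out instead."""
    try:
        conn.execute(build_vulnerable_sql(owner, item_name))
    except (sqlite3.Warning, sqlite3.Error):  # Warning on Python < 3.12
        return "rejected", count_items(conn)
    return "executed", count_items(conn)

def run_parameterised(conn, owner, item_name):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT * FROM items WHERE owner = ? AND itemname = ?",
                        (owner, item_name)).fetchall()
    return rows, count_items(conn)

# Whitelist of approved characters for an item name (assumed policy).
ITEM_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,32}")

def validate_item_name(item_name):
    return ITEM_NAME_RE.fullmatch(item_name) is not None

if __name__ == "__main__":
    print(build_vulnerable_sql("link", PAYLOAD))
    print("batch engine, items left:", run_batch(make_db(), "link", PAYLOAD))
    print("single-statement engine:", run_single_statement(make_db(), "link", PAYLOAD))
    print("parameterised query:", run_parameterised(make_db(), "link", PAYLOAD))
    print("whitelist accepts payload:", validate_item_name(PAYLOAD))
```

The batch engine is left with an empty table, the single-statement engine rejects the whole command, and the parameterised query simply finds no item with that literal name while the table stays intact.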
Results of SQL Injection
What can be accomplished as a result of a SQL injection attack? Well, there are a huge number of possibilities, which are limited only by the configuration of the system and the skill of the attacker.
If an attacker is successful, a host of problems could result. Consider the following sample of the potential outcomes:
Don’t forget one of the most valued pieces of information that can be obtained through a SQL injection: personally identifiable information (PII). Disclosure of PII is a massive problem when it occurs, and therefore it should never be taken lightly. Be aware of what you are storing in the database and its sensitivity. Store only those things that need to be stored and nothing else. For example, if you don’t have a reason to store credit card data, don’t! If you don’t have a reason to ask for social security numbers, don’t! Storing this information places huge amounts of responsibility and liability on your shoulders should you lose control of it to an unauthorized third party.
Stay cautious, stay safe.