Almost 17 Years of SQL Injection, Are We Done Yet?

Level 12

“After having spent the last two weeks in Asia I find myself sitting in a hotel room in Tokyo pondering something. I delivered a few talks in Singapore and in Manila and was struck by the fact that we’re still talking about SQL injection as a problem”. - Dave Lewis, CSO Online, July 31, 2015

[Image: XKCD comic “Exploits of a Mom” (exploits_of_a_mom.png)]

The following story is based on an actual event.

A Chief Security Officer (CSO) called a junior InfoSec engineer (ENG) after 5 PM.

CSO: “I am looking for your manager. Our main website was hacked…”

ENG: “He left already. No, I heard that people complained the website was slow this afternoon. The web team is working on it.”

CSO: “I am telling you that our website was hacked! There are garbage records in the database behind the website. The DBAs are trying to clean up the database. We were hacked by SQL injection!”

ENG: “…”

CSO: “Call your boss now! Ask him to turn around and go back to the office immediately!”

Several teams at that poor company spent the whole night cleaning up the mess. They had to restore the database to bring the main website back.

In my last Thwack Ambassador post, OMG! My Website Got Hacked!, I summarized the last four OWASP Top 10 lists since 2004. Injection in general, and SQL injection in particular, was number 1 of the OWASP Top 10 in 2010 and 2013. I predict that SQL injection will still be number 1 in the upcoming OWASP Top 10 report in 2016. Check out this list of SQL injection incidents. Do you notice the increasing number of incidents in 2014 and 2015?

It’s another Christmas Day. In Phrack Magazine issue 54, December 25, 1998, there was an article on “piggyback SQL commands” written by Jeff Forristal under the pseudonym rain.forest.puppy. Folks, 1998 was the year in which the SQL injection vulnerability was publicly mentioned, although the vulnerability had probably existed long before then. Almost 17 years have passed since Jeff Forristal wrote his article “ODBC and MS SQL server 6.5” in Phrack Magazine, and many companies are still hit hard by SQL injection attacks today.

If you want to know more about the technical details of SQL injection, I recommend you read Troy Hunt’s "Everything you wanted to know about SQL injection (but were afraid to ask)". Then you’ll appreciate the XKCD comic, Exploits of a Mom, that I included at the top of this post.

There are a few solutions to combat SQL injection; we may actually need all solutions combined to fight against SQL injection.

DATA SANITIZATION. Right. All user inputs to websites must be filtered. If you expect to receive a phone number in the input field, make sure you receive a phone number, nothing else.

SQL DEFENSES. As OWASP recommends, use parameterized statements, use stored procedures, escape all user-supplied input, and enforce least database privilege. Don’t forget to log all database calls. And not least, protect your database servers.
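To make the two points above concrete, here is an added example (my own illustration, not code from the original post or from OWASP) that puts a string-concatenated query next to its parameterized form, adds an allowlist check for the phone-number case from DATA SANITIZATION, and uses SQLite's authorizer hook as a stand-in for least database privilege. The table, its rows and the probe input are constructed for the demo; the function names are my own.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for the site's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO users (name, phone) VALUES (?, ?)",
        [("alice", "555-0100"), ("bob", "555-0101"), ("carol", "555-0102")],
    )
    conn.commit()
    return conn


# DATA SANITIZATION: accept a phone number and nothing else (allowlist, not blocklist).
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")

def validate_phone(raw):
    """Strip common separators, then require an optional '+' and 7-15 digits; reject anything else."""
    digits = raw.replace(" ", "").replace("-", "")
    if PHONE_RE.fullmatch(digits):
        return digits
    raise ValueError("not a phone number")


# The vulnerable pattern: user input is pasted into the SQL text, so a quote in the
# input ends the literal and the rest of the input becomes SQL.
def lookup_vulnerable(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


# The parameterized form: the input travels as a bound value, never as SQL text,
# so a quote inside it is just a character to compare against.
def lookup_safe(conn, name):
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


# Least privilege, SQLite style: the authorizer denies write operations on this
# connection, which is what a read-only database account gives you on a real server.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE,
}

def make_read_only(conn):
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def try_delete_all(conn):
    """Returns True if the connection was allowed to wipe the table, False if denied."""
    try:
        conn.execute("DELETE FROM users")
        conn.commit()
        return True
    except sqlite3.DatabaseError:  # SQLite reports a denied action as "not authorized"
        return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed tautology input, the Bobby Tables idea
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("parameterized:", lookup_safe(db, probe))      # no row has that literal name
    make_read_only(db)
    print("delete allowed:", try_delete_all(db))         # False
```

The point to take away is that the parameterized query needs no knowledge of what a "bad" input looks like; the input validation and the read-only account are extra layers for when some other query in the application gets it wrong.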

APPLICATION FIREWALL AND IPS. I agree that it’s not easy to customize security rules to fit your applications. But if you invest in an AFW and/or IPS, they will be your first line of defense. Some vendors offer IDS-like products built on application behavioral models to detect and block SQL injection attacks.
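As an added illustration of the kind of rule an application firewall or IPS applies (this is my own sketch, not a vendor's product logic or code from the post), the snippet below parses a few constructed web-server access-log lines, percent-decodes the query parameters the way the application would, and flags values that carry the classic injection signatures; a per-source count then approximates the "behavioral" layer by surfacing clients that trip several rules in a row. The log lines, IP addresses and function names are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from any real server); the second and
# third requests carry classic injection probes in the id parameter, the fourth is
# a legitimate value containing an apostrophe that must not raise an alert.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Dec/2015:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 1532
203.0.113.10 - - [25/Dec/2015:10:01:05 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98211
203.0.113.10 - - [25/Dec/2015:10:01:07 +0000] "GET /products?id=42%20UNION%20SELECT%20null,null-- HTTP/1.1" 500 412
198.51.100.7 - - [25/Dec/2015:10:02:11 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 2210
198.51.100.7 - - [25/Dec/2015:10:02:13 +0000] "POST /login HTTP/1.1" 302 0
"""

# Common-log-format request line: source, timestamp, method, target, status, bytes.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)

# Signature rules, each paired with the reason that goes into the alert. A lone
# apostrophe is deliberately not a rule: names like O'Reilly are normal input.
INDICATORS = [
    (re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.I), "quote followed by boolean tautology"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "UNION ... SELECT in parameter"),
    (re.compile(r"(--|/\*)\s*$"), "trailing SQL comment marker"),
    (re.compile(r";\s*(drop|delete|update|insert|exec)\b", re.I), "stacked statement"),
]


def parse_line(line):
    """Return the request as a dict with decoded query parameters, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # parse_qsl percent-decodes values, so the rules see what the application sees
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def inspect_params(params):
    """Run every rule over every parameter value; return the distinct reasons that fired."""
    reasons = []
    for _, value in params:
        for pattern, reason in INDICATORS:
            if pattern.search(value) and reason not in reasons:
                reasons.append(reason)
    return reasons


def flag_requests(log_text):
    """Return one alert per request whose parameters matched at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect_params(rec["params"])
        if reasons:
            alerts.append({"src": rec["src"], "target": rec["target"],
                           "status": rec["status"], "reasons": reasons})
    return alerts


def noisy_sources(alerts, threshold=2):
    """Sources that triggered `threshold` or more alerts: candidates for a block rule."""
    counts = Counter(a["src"] for a in alerts)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = flag_requests(SAMPLE_LOG)
    for a in found:
        print(a["src"], a["status"], a["target"], "->", "; ".join(a["reasons"]))
    print("sources over threshold:", noisy_sources(found))
```

Two things in the sample are worth noticing even though the code does not act on them: the tautology request returned about sixty times more bytes than the clean one, and the UNION probe produced a 500. Response size and error-rate anomalies per path are exactly the signals a behavioral model adds on top of signatures, and they catch probes that the regexes above would miss.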

FINDING VULNERABILITIES AHEAD OF HACKERS. Perform regular security assessments and penetration tests of your web applications, both internal and internet-facing. Also, common-sense wisdom: patch your web servers and database servers.

EDUCATION. EDUCATION. EDUCATION. Train your developers, DBAs, application owners, etc. to have a better understanding of information security. It will be beneficial to your company to train some white-hat hackers in different teams. Troy Hunt made a series of FREE videos for Pluralsight in 2013, Hack Yourself First: How to go on the Cyber-Offense. Troy made it clear in the Introduction that the series was for web developers. You don’t have to log in or register; just click on the orange play icons to launch the videos.

Do you have any SQL injection attack stories to share? You may not be able to share your own story, but you can share the stories you heard. Do you think that it’s hard to guard against SQL injection attacks and that’s why even many Fortune 500 companies still suffer from these threats? How do you protect your web applications and database servers from SQL injection threats?

11 Comments
MVP

Wow...data sanitization, that was one of the things they harped on in my Pascal programming class back in '84. You had to be sure you had valid input, you know the old axiom, "Garbage in, Garbage out"...still holds true today.

The idea of white-hat hackers on different teams seems like a good idea...each team will have different perspectives and it should allow you to have better overall coverage.

Level 17

Jfrazier couldn't be more correct with "Garbage in, Garbage out" - very nice detail here, and great points of learning and history.

Level 17

[Image: beef.jpb.jpg]

MVP

cahunt it needs bacon...

People still see systems scanned every day for SQL>>>>....because sometimes they find a foolish fool.

RT

Level 12

nice way.....

Product Manager

I think the only thing I'd add is patching applications and servers. Some SQLi vulnerabilities lurk in your applications, frameworks, and underlying web services that can be fixed with patches. Now, THOSE vendors should ALSO be using better practices, but maybe we can reduce the funnel to a trickle (ideally not even that) by employing all of these techniques together.

Level 12

Security should be part of the fundamental design of a product, custom application, web site, etc. When security becomes an afterthought, or something you tack on at the end, there will always be security issues such as SQL injections.

Level 8

Troy Hunt made a series of FREE videos for Pluralsight in 2013, Hack Yourself First: How to go on the Cyber-Offense. Very nice videos; the Supercar Showdown is still up and it seems like a fun course to take if you're interested in how SQL injection works at a granular level. I like this post; I was interested enough to go to the various links and read further. Thx for the info.

MVP

jangliss

Yes, and I am sure whoever you are buying the product(s) from will, conveniently, have an additional option you can add on, and buy, to accommodate your security concerns... lol...

Level 21

Also in the vein of security, having some type of Log Management and Change Detection to be able to identify undesired types of activity associated with both the front-end web application and the database.

About the Author
CCIE Data Center #46006. I am a passionate IT professional who splits the work hours between being a Datacenter Architect and a Network Security Specialist. Yes, I enjoy this double-personality professional life.