Almost 17 Years of SQL Injection, Are We Done Yet?

“After having spent the last two weeks in Asia I find myself sitting in a hotel room in Tokyo pondering something. I delivered a few talks in Singapore and in Manila and was struck by the fact that we’re still talking about SQL injection as a problem”. - Dave Lewis, CSO Online, July 31, 2015

[Image: XKCD comic, "Exploits of a Mom"]

The following story is based on an actual event.

A Chief Security Officer (CSO) called a junior InfoSec engineer (ENG) after 5PM.

CSO: “I am looking for your manager. Our main website was hacked…”

ENG: “He left already. No, I heard that people complained the website was slow this afternoon. The web team is working on it.”

CSO: “I am telling you that our website was hacked! There are garbage records in the database behind the website. The DBAs are trying to clean up the database. We were hacked by SQL injection!”

ENG: “…”

CSO: “Call your boss now! Ask him to turn around and go back to the office immediately!”

Several teams at that poor company spent the whole night cleaning up the mess. They needed to restore the database to bring back the main website.

In my last Thwack Ambassador post, OMG! My Website Got Hacked!, I summarized the last four OWASP Top 10 lists since 2004. Injection in general, and SQL Injection in particular, was number 1 of the OWASP Top 10 in 2010 and 2013. I predict that SQL injection will still be number 1 in the upcoming report of the OWASP Top 10 in 2016. Check out this list of SQL injection incidents. Do you notice the increasing number of incidents in 2014 and 2015?

It’s another Christmas Day. In Phrack Magazine issue 54, December 25, 1998, there was an article on “piggyback SQL commands” written by Jeff Forristal under the pseudonym rain.forest.puppy. Folks, 1998 was the year in which the SQL injection vulnerability was publicly mentioned, although the vulnerability had probably existed long before then. Almost 17 years have passed since Jeff Forristal wrote his article “ODBC and MS SQL server 6.5” in Phrack Magazine, and many companies are still hit hard by SQL injection attacks today.

If you want to know more about the technical details of SQL injection, I recommend you read Troy Hunt’s "Everything you wanted to know about SQL injection (but were afraid to ask)". Then you’ll appreciate the XKCD comic, Exploits of a Mom, that I included at the top of this post.

There are a few solutions to combat SQL injection; we may actually need all solutions combined to fight against SQL injection.

DATA SANITIZATION. Right. All user inputs to websites must be filtered. If you expect to receive a phone number in the input field, make sure you receive a phone number, nothing else.

SQL DEFENSES. As OWASP recommended, use parameterized statements, use stored procedures, escape all user-supplied input, and enforce least database privilege. Don’t forget to log all database calls. And last but not least, protect your database servers.

APPLICATION FIREWALL AND IPS. I agree that it’s not easy to customize security rules to fit your applications. But if you invest in AFW and/or IPS, they will be your first line of defense. Some vendors offer IDS-like, application behavioral model products to detect and block SQL injection attacks.

FINDING VULNERABILITIES AHEAD OF HACKERS. Perform regular security assessments and penetration tests of your web applications, both internal and internet-facing. Also, common-sense wisdom: patch your web servers and database servers.

EDUCATION. EDUCATION. EDUCATION. Train your developers, DBAs, application owners, etc. to have a better understanding of information security. It will be beneficial to your company to train some white-hat hackers in different teams. Troy Hunt made a series of FREE videos for Pluralsight in 2013, Hack Yourself First: How to go on the Cyber-Offense. Troy made it clear in the Introduction that the series was for web developers. You don’t have to log in or register; just click on the orange play icons to launch the videos.
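To make the DATA SANITIZATION and SQL DEFENSES points above concrete, here is an added example (not from the original post or from OWASP) that runs the same lookup once with string concatenation and once with input validation plus a parameterized statement. The table, the function names and the sample input are constructed for illustration, and Python's built-in sqlite3 module stands in for the production database.

```python
import logging
import re
import sqlite3

log = logging.getLogger("db")

def make_db():
    """Constructed sample data: a hypothetical customers table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, phone TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "555-0100"), ("bob", "555-0101")])
    return db

# Allow-list: the whole field must look like a phone number, nothing else.
PHONE_RE = re.compile(r"\+?[0-9][0-9 .()-]{6,18}[0-9]")

def is_phone(value):
    return PHONE_RE.fullmatch(value) is not None

def lookup_concat(db, phone):
    """'Before' form: user input becomes part of the SQL text."""
    sql = "SELECT name FROM customers WHERE phone = '" + phone + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, phone, validate=True):
    """Hardened form: validate first, then bind the value as a parameter."""
    if validate and not is_phone(phone):
        log.warning("rejected phone input %r", phone)  # keep a record for review
        raise ValueError("not a phone number")
    log.info("customer lookup by phone")
    cur = db.execute("SELECT name FROM customers WHERE phone = ?", (phone,))
    return [row[0] for row in cur]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("concatenated:", lookup_concat(db, hostile))   # every row comes back
    print("bound only:  ", lookup_param(db, hostile, validate=False))  # no rows
    print("valid input: ", lookup_param(db, "555-0100"))
    try:
        lookup_param(db, hostile)
    except ValueError as exc:
        print("validated:   ", exc)
```

The bound parameter is compared as a plain string, so the quote characters never reach the SQL parser; the validation step rejects the input even earlier and leaves a log line to investigate.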

Do you have any stories of SQL injection attacks to share? You may not be able to share your own story, but you can share the stories you heard. Do you think that it’s hard to guard against SQL injection attacks and that’s why even many Fortune 500 companies still suffer from the threats? How do you protect your web applications and database servers from the SQL injection threats?
