Almost every week, we hear about a new data breach in the news, reporting that a major company has lost millions of usernames, passwords, credit card numbers or banking transactions after falling victim to a cyber attack.
As per a recent report released by Imperva on Web Application attacks, SQL Injection (SQLi) saw the biggest rise compared to last year, with a typical application suffering three times more SQLi attacks.
SQL injection allows an attacker to feed malicious commands to a database via a poorly designed web application form or input box to extract sensitive data. The Open Web Application Security Project (OWASP) Top 10 is a collection of web application vulnerabilities that is updated every three years to keep pace with current web application technology and threat vectors.
SQLi attacks are unfortunately very common and remain in the number one spot in the OWASP Top 10. The technique was originally discovered and discussed publicly in 1998, which is one reason why it can be called ancient. Although SQLi flaws are always considered an easily fixable problem in application security, they are still neglected or overlooked by many web developers.
The issue is the rising number of SQL injection attacks. Manual SQLi attacks are time-consuming and require the attacker to repeatedly intercept packets and send different SQL payloads, so most hackers prefer automated tools that scan the application for SQLi vulnerabilities and carry out the attack.
You also don't have to be a coder to run these automated tools; only a few commands are needed to initiate the attack on the target site. This is one reason why many "script kiddies" go for automated SQLi tools.
The recent TalkTalk hack was the result of a DDoS attack that enabled the attackers (teenagers) to use SQL injection techniques to extract data. Similarly, the VTech hack, in which the data of 6.4 million kids was exposed, was the result of a SQLi attack on VTech's systems, as reported by MotherBoard.
Do Not Blindly Trust User Input
A report released by Veracode on the State of Software Security analyzed various programming languages and security bugs. It found that PHP, Classic ASP and Cold Fusion were the riskiest languages, while Java and .NET were comparatively safer. Furthermore, 56 percent of applications written in PHP were observed to have at least one SQLi vulnerability. Now, why does this continue to be the case?
SQLi is the result of improper coding that lets user data enter the query context instead of the data context. Remember that the user input to any web page does not always come from a trusted user; there is a high probability that an attacker will craft malicious input. Solutions to SQLi vulnerabilities include the use of parameterized queries or input sanitization to remove any malicious input or special characters that might change the meaning of the SQL query.
reported a SQLi vulnerability in the Cardio Server ECG Management web application, which was used by doctors and other staff to review patient history and create patient reports. It was also vulnerable to LDAP injection attacks. In another recent attack reported by The Guardian, hackers leaked the private login details of officials at the Paris Climate Summit as a result of a SQLi attack.
We could keep going with examples of other hacking incidents related to this particular injection vulnerability, but what do you think about SQLi? Is this vulnerability going to stay on the web for a while?
SQLi and its related data breaches will remain for a while, because security is often an afterthought in the software development lifecycle. For now, let's hope web developers and website admins notice the dangers of lax security on web applications, which leads to cyber attacks such as SQLi, and mitigate the vulnerability as soon as possible.
About the Author: Ashiq JA (@AshiqJA) is a cyber security consultant and security writer with solid experience in the security field and expertise in risk management for banking applications, vulnerability management, security audits and assessments, security policies and procedures, risk mitigation, application penetration testing and secure software development.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.