Security 101: What is SQL Injection?

Last year, tech giant Yahoo! Inc. fell victim to a cyberattack. But unlike other high-profile attacks, the culprit wasn’t an APT or sophisticated threat sourced to a nation state. The weapon of choice was a simple SQL injection. According to reports, the miscreants targeted a vulnerability in a Yahoo! Web application some was thought to be associated with the company’s VoIP phone service, Yahoo! Voices.

SQL injection attacks remain some of the most widely used cyberweapons for one main reason: They work.

A Structured Query Language (SQL) injection exploits Web application security vulnerabilities at the database layer, allowing attackers to inject their own SQL commands to create, access, manipulate and delete sensitive data.

SQL injection attacks are second only to password exploitation as the tool of choice by global hacker collectives Anonymous and LulzSec. Why? Vulnerabilities found within SQL databases are abundant, which gives attackers an open playing field and almost guaranteed returns for their efforts.

The vulnerabilities - and subsequent attacks - occur in target-rich databases replete with customer information, intellectual property and application data that represent lucrative jackpots.

SQL injection attacks are easy to execute and well-documented on numerous hacker forums, which lower their barrier-to-entry.

In short, SQL vulnerabilities represent the desirable “low-hanging fruit” that opens the door to destructive and costly assaults. But unlike others, SQL injections aren’t executed only to swipe sensitive information - they’re leveraged to bypass login requirements, access and read critical/classified data, recover content, shut down servers, manipulate and deface Websites, and in some cases, issue commands to the operating system.

SQL injection attacks vary in their destructive capabilities. While some exploits request one password at a time (as with normal SQL injection) or letter by letter (as with a Blind SQL injection), others - such as Union Based attacks - request hundreds of passwords at once, allowing cybercriminals to lift massive amounts of data in a short time. Such was the attack that toppled Yahoo’s servers.

How does one steer clear of such attacks? Organizations need to sanitize their data, which means all user data must be filtered to allow only the characters relevant to the desired function (e.g. email addresses should be filtered to only allow characters in an email address).

It’s imperative organizations rely on a comprehensive Web application firewall, bolstered with a robust set of SQL injection defenses to enforce a consistent set of rules that detect and effectively block malicious Web requests.

Staying on top of authorizations and limiting privileges by creating multiple user accounts with just enough permissions for employees to do their jobs is also key. Login page code, for example, should query the database from an account relegated to bare-minimum credentials. If an attack were to occur, hackers wouldn’t be able to compromise an entire database.

Source: FORTINET Blog