When you think of web security threats, which types of threats or attacks first come to mind? Phishing? OK. Brute-force attacks? Fine. Request forgery? OK, all of them are popular and quite threatening in nature. But does SQL Injection come to mind? If not, you're missing part of the picture. We can say this with some confidence because SQL Injection attacks, also known as SQLi, are the worst kind of attack any business can face, and despite a history spanning decades they continue to be very effective in modern environments. If you're not concerned about them, you're not concerned about a major problem. But don't worry: we're going to tell you everything about them in this article, and also how you can protect your business from them. Let's begin.
Structured Query Language (SQL): What is it?
Before we can understand SQL Injection attacks, we need to understand what SQL is. Structured Query Language, or SQL as it's popularly known, is the language used to perform command and control operations on relational databases. Examples of such databases include Microsoft SQL Server, Oracle and MySQL. SQL is used to write data to these databases and to read data from them whenever needed. You'll understand this better with the help of the example given in the next section.
SQL Injection Attack: What is it and how is it done?
A SQL Injection attack is carried out by inserting SQL code into a database query through any of the input forms on your site or application. For example, someone may enter code in the username and password fields of your login page to extract information from the database that should never be displayed. To understand SQL injection attacks properly you first have to understand how SQL works: how data is written to the database and how it is read from the database with the help of SQL. So here's an example of how a user's details are added to the database when he/she creates a new user account:
INSERT INTO Users (FirstName, LastName, EmailAddress, Username, Password)
VALUES ('Ashish', 'Bhatnagar', '[email protected]', 'ashish123', 'AshishB_Password')
That is a simple example of how data is written to the database. Now let's see how it is extracted (or read) from the database. When a user tries to log in with their credentials, here's how they're sent to the database to be matched:
SELECT * FROM Users
WHERE Username = 'ashish123' AND Password = 'AshishB_Password'
If a user account matching the credentials is found in the database, the user is logged in. However, if the username and password entered don't match any user account in the database, an error is returned.
Now, a SQL injection attack can be performed by inserting SQL code through this same login form. For instance, an attacker may enter code in the username field that returns the usernames and even the passwords of all users in plain text. Those usernames and passwords may then be used to compromise the whole site.
The Threats of a SQL Injection Attack
A successful SQL Injection attack can be very damaging for your business because the attacker can gain complete access to your site. Some of the things an attacker can accomplish include:
- Stealing the login credentials of your user accounts;
- Creating new user account(s);
- Reading sensitive data from your database;
- Executing administrative functions on the database (e.g. modifying data, shutting down the DBMS, and even deleting the whole database).
You can imagine the gravity of the situation if any of these actions is performed on the database behind your site or application. In some cases the damage done is irreversible.
Steps to protect your business against SQL injection attacks
Now that you know what a SQL Injection attack is and how threatening it can be for your organization, it's time to understand how to protect your system from it. Here are some simple steps you can follow to protect your business from this nasty surprise:
#1: Patch your databases regularly
Failing to patch databases regularly is a major reason SQL injection attacks succeed. Just like your web applications, your firewall and the other parts of your server configuration, Database Management Systems need to be patched at regular intervals to stay protected against known vulnerabilities. The best way to ensure regular patching of your databases is to automate the process through a reliable patch management system.
#2: Use prepared statements while coding
Prepared statements, also known as parameterized statements, are a feature of the database access libraries of every major programming language: C#, Java, PHP and so on. Their original purpose is efficiency: a predefined template is set up once for queries of one particular kind, and similar queries are then executed simply by supplying different values. However, prepared statements also protect against SQL injection, because the values entered through web input forms are passed to the database separately from the query template you defined in your code; they are treated strictly as data and are never parsed as SQL, so they cannot alter the structure of the query.
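The following is an added example, not code from the article: it builds the article's Users table in an in-memory SQLite database and runs the login query twice, once assembled by string concatenation and once as a prepared statement, so the difference described above can be observed. The e-mail address is a constructed placeholder.

```python
import sqlite3

# Added example (not from the article): the article's Users table and login
# query, once built by string concatenation and once as a prepared statement.
# The e-mail address is a constructed placeholder; the plaintext password
# only mirrors the article's table.
EXAMPLE_USER = ("Ashish", "Bhatnagar", "ashish@example.com",
                "ashish123", "AshishB_Password")


def make_db():
    """Create an in-memory database holding the article's example user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (FirstName TEXT, LastName TEXT, "
        "EmailAddress TEXT, Username TEXT, Password TEXT)"
    )
    conn.execute("INSERT INTO Users VALUES (?, ?, ?, ?, ?)", EXAMPLE_USER)
    return conn


def login_vulnerable(conn, username, password):
    """The article's SELECT assembled from user input by string formatting.

    Whatever the user types becomes part of the SQL text, so a quote
    character in the input changes the meaning of the WHERE clause.
    """
    query = (
        "SELECT * FROM Users WHERE Username = '%s' AND Password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_prepared(conn, username, password):
    """The same query as a prepared statement.

    The template is fixed at coding time; the two values are bound as data
    and never parsed as SQL, so they cannot alter the WHERE clause.
    """
    query = "SELECT * FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic input that makes the WHERE clause always true
    print("valid credentials, prepared:", login_prepared(db, "ashish123", "AshishB_Password"))
    print("tautology input, concatenated:", login_vulnerable(db, tautology, tautology))
    print("tautology input, prepared:", login_prepared(db, tautology, tautology))
```

With the concatenated query the tautology input is accepted as a login without any valid credentials; the prepared statement treats the same input as an ordinary (non-matching) username and password.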
#3: Protect your business website with an SSL certificate
Although it doesn't protect you against SQL injection per se, the importance of an SSL certificate for the security of your website shouldn't be underestimated. Without a reliable multi domain SSL certificate you may still face the same fate as with a SQL injection attack, because your username and password may be stolen through a packet sniffing attack as you log in. Even if your own credentials are not stolen because you're tech savvy, the credentials of your less tech-savvy users may well be stolen, either by packet sniffing or by phishing. So don't forget to protect your site with an SSL certificate while implementing the other steps given here.
#4: Monitor your network activity
Attacks on a website don't come out of nowhere. They almost always leave a trail of earlier attempts by the attacker to get into the system somehow. For instance, if someone is trying to get into your database through a SQL injection attack, there will usually be failed attempts before they manage to break in. If you monitor your server's network activity regularly, you may spot those failed attempts, which can alert you to a possible attack in the near future. And as you can imagine, if you're aware of the threat coming your way you can prepare for it well in advance, minimizing the damage.
#5: Replace specific errors with generic errors
Showing error messages that are too specific is self-defeating. For example, if someone enters a wrong username/password combination and the error message on your site says "password is incorrect", that is enough to tell the attacker that the username is valid; they only need to find the password by some other trick. On the other hand, if the error message says "wrong username-password combination", the attacker can't tell which of the two values doesn't exist in the database. So pay attention to your error messages and check whether they're too specific.
#6: Use a web application firewall
Modern web application firewalls can identify SQL injection attempts being made against your site. Once they detect one, they thwart it either by blocking the IP address making the attempts or by taking other steps you have configured. That's not all: they also protect you against Cross-site scripting (XSS), request forgery, viruses and a number of other threats. So always deploy a web application firewall to help secure your database against SQL injection.
We hope you now understand SQL Injection attacks with enough clarity. The steps given above can go a long way in protecting your business against them. In short, you're now armed with enough information to shield your business against these attacks. So check your server to ensure that each of these measures is put in place properly. And if you still have any questions, feel free to share them in the comments.