SQL injection: still around, still a threat
This week saw more progress in the trial of a 17-year-old boy accused of hacking into a well-known telecoms provider. The teenager has admitted taking part in the October 2015 attack, which resulted in a breach of personal information from over 150,000 customers, including more than 15,000 sets of bank details. The method he used was SQL injection.
A breach like this is hugely damaging, even if the stolen customer details aren’t actually exploited following the attack. In addition to a mass exodus of existing customers, the brand involved has to deal with a crippling blow to its reputation, as well as any legal fallout.
The company that fell victim to this particular data theft was fined £400,000 by the Information Commissioner’s Office (ICO) earlier this year. The hefty penalty reflects what ICO views as a major security lapse and a serious risk to consumers, with Information Commissioner Elizabeth Denham highlighting a “failure to implement the most basic cyber security measures”.
The Information Commissioner went on: “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations”, pointing out that the firm “should and could have done more to safeguard its customer information”.
But if the consequences were so dire – and could have been so easily avoided – how was this breach allowed to happen? To add insult to injury, the type of vulnerability exploited in this attack is older than the attacker himself. SQL injection may be one of the oldest, easiest ways to hack a website, but that hasn’t stopped big names being caught out.
What is an SQL injection attack?
SQL injection involves the insertion of SQL code into a website, commonly through the web browser address bar, or via a login form or search box. The code is then executed against a database to fraudulently access information or modify existing data in various ways.
The common vulnerabilities exploited by SQL injection are caused by poor scripting, as well as insecure applications, templates and plugins. Only dynamic scripting languages such as ASP, ASP.NET, PHP, JSP and CGI are vulnerable to an SQL injection attack.
Once a hacker has access to the database, they can run any SQL command to view the contents and/or drop tables or even the whole database.
For example, if you have a search function on your website, you might have the following SQL query:
SELECT * FROM Products WHERE ProductName = $searchTerm
$searchTerm is the value of the search term entered by the website visitor. If the user enters ‘Bananas’ the SQL query executed will be:
SELECT * FROM Products WHERE ProductName = Bananas
This will return the expected results. However, if a malicious user enters ‘Bananas; DROP TABLE Products’ into the search field on the website, the SQL executed will be:
SELECT * FROM Products WHERE ProductName = Bananas; DROP TABLE Products
The first statement is as expected, but the second statement would immediately remove the Products table from the database.
Essentially, by inserting malicious code into the website, the hacker hijacks the database, allowing them to call up and/or tamper with data they normally wouldn’t be able to access.
Why are SQL injection attacks still so common?
The threat was identified as far back as 1998, and as one of the most common types of hacking, SQL injection is clearly understood today. So why are we still seeing complex, corporate websites getting hit?
One factor is the sheer proliferation of SQL injection, largely due to how easy it is to perform. SQL injection is how many aspiring hackers take their first steps into the world of online exploitation, with so-called ‘script kiddies’ using widely available tools for nefarious ends. In the case mentioned above, the attacker used a free SQL mapping tool (software with legitimate uses) to crawl URLs like a search engine and highlight vulnerable websites, ripe for SQL injection.
While simple fixes are available (see below), they still need to be implemented by a programmer with the necessary training and experience. Could it be there’s simply a shortage of developers with the right skills? Pressures and time constraints placed on many companies could also result in a tendency to focus on core functionality while neglecting critical security measures.
How can you prevent SQL injection attacks?
Prepared statements are one of the strongest defences against SQL injection. With prepared statements, SQL commands aren’t directly controlled by user input, because only pre-set database queries are allowed. Stored procedures can also be used to place stricter parameters on database queries.
It’s also important to use the correct privileges. For example, you should ensure your scripts don’t connect to your database using the database owner (DBO) user. If only read access is required by the scripts, they should connect as a database user that only has read permissions.
Finally, you need to ensure all third party scripts, such as WordPress, are kept up to date. In fact it’s highly recommended to have the latest versions of everything, including the database itself. At Fasthosts, we offer the latest MySQL and Microsoft SQL databases on our next-gen CloudNX server platform, including Microsoft SQL Server 2016.
For more details on SQL injection prevention: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
While SQL injection is still a very real threat, fortunately there are relatively simple security measures you can take to make your site far less vulnerable. With Fasthosts you have everything you need to ensure maximum security for your SQL database, and everything else.