In recent years SQL injection has been the most common website vulnerability on the internet. It takes advantage of non-validated input to pass SQL commands through a web application for execution by a backend database. This article is based on “What is SQL Injection & How to Defend against SQL injection attacks”.
What is SQL injection?
SQL injection is a technique used to inject malicious SQL queries through a web application for execution by a backend database. It is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from it. It is a flaw in the web application itself, not a database or web server issue.
SQL injection is broadly categorized into error-based SQL injection and blind SQL injection.
Why SQL injection must be prevented
SQL injection is a major issue and can be used for the following:
Authentication Bypass: an attacker can bypass the login form without providing a valid username and password and gain administrative privileges.
Information Disclosure: an attacker can gather or dump sensitive information stored in the database.
Compromised Data Integrity: an attacker can deface a web page, insert malicious content or alter the contents of the database.
Compromised Availability of Data: an attacker can use this attack to delete database information, delete logs, etc.
Remote Code Execution: it can assist an attacker in compromising the host OS.
How To Defend against SQL Injection Attacks
The major SQL injection countermeasures are input data validation, suppression or customization of error messages, proper management of database access privileges, and isolation of the database from the underlying OS.
The following points should be kept in mind by developers and testers while developing or testing web applications:
- Avoid constructing dynamic SQL by concatenating input values.
- Ensure that the web config files for each application do not contain sensitive information.
- Use the most restrictive SQL account types for applications.
- Use network, host, and application intrusion detection systems to monitor for injection attacks.
- Perform automated black-box injection testing, static source code analysis, and manual penetration testing to check for vulnerabilities.
- Keep untrusted data separate from commands and queries.
- Use a safe API that offers a parameterized interface or that avoids the use of the interpreter completely.
- In the absence of a parameterized API, use the interpreter's specific escape syntax to neutralize special characters.
- Store user passwords using a secure hash algorithm such as SHA-256 rather than in plaintext.
- Ensure that code tracing and debug messages are removed before deploying an application.
- Apply the least-privilege rule when running applications that access the DBMS.
- Design the code so that it traps and handles exceptions appropriately.
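The points above about dynamic SQL, parameterized APIs, input validation and exception handling are easiest to see side by side. The following is an added example written for this article, not code from the original post or from any of the products mentioned; it uses Python's standard sqlite3 module and a constructed in-memory table. It contrasts a query built by string concatenation with the same query using bound parameters, shows how a perfectly legitimate value containing an apostrophe already breaks the concatenated statement (the same loss of data/code separation an injection exploits), and wraps the safe query in a handler that logs the raw database error server-side while returning only a generic message to the caller.

```python
import sqlite3

# Server-side log sink (constructed for the example; a real app would use logging).
SERVER_LOG = []


def make_db():
    """Build a constructed in-memory sample table; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("O'Neil", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Dynamic SQL built by concatenation: the input becomes part of the statement text,
    so any quote or keyword in `name` changes the structure of the query itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value and the statement text
    never changes, so quotes or keywords in the input are just characters in a string."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def get_user_by_id(conn, raw_id):
    """Allowlist validation for a field that must be numeric: reject anything that is
    not all digits before the value goes anywhere near the database."""
    if not (isinstance(raw_id, str) and raw_id.isdigit()):
        return None
    row = conn.execute("SELECT name, role FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return None if row is None else {"name": row[0], "role": row[1]}


def lookup(conn, name):
    """Application-facing wrapper: parameterized query plus exception handling.
    Returns (ok, payload). Raw database errors are recorded server-side and never
    echoed back to the caller, so error messages do not leak schema details."""
    try:
        rows = find_user_safe(conn, name)
        return True, [{"name": r[0], "role": r[1]} for r in rows]
    except sqlite3.Error as exc:
        SERVER_LOG.append("DB error during user lookup: %r" % (exc,))
        return False, "lookup failed"


def compare_on_apostrophe(name="O'Neil"):
    """Run both variants on a legitimate name containing an apostrophe.
    Returns (rows_from_safe_query, outcome_of_unsafe_query)."""
    conn = make_db()
    safe_rows = find_user_safe(conn, name)
    try:
        find_user_unsafe(conn, name)
        unsafe_outcome = "query ran"
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early and the rest of the
        # input was parsed as SQL: the input has altered the statement's structure.
        unsafe_outcome = "query broken by input: %s" % exc
    return safe_rows, unsafe_outcome


if __name__ == "__main__":
    rows, outcome = compare_on_apostrophe()
    print("parameterized:", rows)
    print("concatenated: ", outcome)
    print("validated id lookup:", get_user_by_id(make_db(), "3"), get_user_by_id(make_db(), "3 OR x"))
```

The concatenated version fails on ordinary data before any attacker is involved, which is the practical tell that the query's structure depends on user input; the parameterized version returns the O'Neil row because the driver sends the value separately from the statement. The `get_user_by_id` allowlist and the `lookup` wrapper cover the validation and exception-handling items from the list above; restrictive database accounts and OS isolation are deployment settings and are not something a code snippet can show.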
SQL Injection Detection Tools
There are many tools that help prevent SQL injection attacks by detecting the vulnerabilities. Some of them are:
1. IBM Security AppScan
IBM Security AppScan is a tool used to scan for and fix vulnerabilities in web applications, such as SQL injection and cross-site scripting. It also supports vulnerability scanning of mobile applications, allowing us to improve the security of both web and mobile applications. IBM Security AppScan integrates many features, such as identifying security risks, generating detailed reports and providing fix recommendations.
2. HP WebInspect
WebInspect is a web application security assessment tool that helps determine known and unknown vulnerabilities in the web application layer. It can also help verify that a web server is configured properly, and it attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more. It was created by SPI Dynamics, which is now part of HP.
3. Acunetix Vulnerability Scanner
Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits web applications by checking for vulnerabilities such as SQL injection, cross-site scripting, and other exploitable flaws.
Akshay Sharma is a Cyber Security Analyst. He is CCNA certified and the owner of TheHackerStuff.