Monday, 12 August 2013

Everything you ever needed to know about SQL Injection

When a corporation’s website is attacked, and sensitive data is leaked onto the internet, the full details of what actually occurred are rarely disclosed.
The media doesn’t report what vulnerability was exploited by the hackers; they prefer to talk about the financial damage inflicted and to link the attack to a notorious hacker group such as Anonymous, all in an attempt to sensationalise the story. That’s OK for everyday consumption, but we should be trying to better educate today’s web designers and computer users about such vulnerabilities so that they do not fall victim to these types of attack.
The purpose of this article is twofold. First, I want to explain SQL Injection, one of the most commonly exploited vulnerabilities found in web applications and second, I will outline possible steps which you can take to ensure that your website is protected from SQL Injection attacks.
What is SQL Injection?
SQL Injection is a technique used by attackers to go after a website’s database. It becomes possible when the website builds an SQL statement by pasting text supplied by the user straight into the query, so that the database cannot tell where the developer’s command ends and the user’s data begins. A crafted input can then change the meaning of the query, and that is used to read, alter or destroy sensitive data held within the website’s database. In my experience the most common reason this occurs is that user input is never separated from the query text: it is neither passed to the database as a bound parameter nor, failing that, strictly checked before being used.
If a website contains vulnerabilities that allow a user to inject SQL code, and thereby manipulate its database, the attacker may be able to copy the contents of the database to his or her own server, drop the website’s original database, and then blackmail the website for the safe return of the copied data. If the vulnerable website is an online store or bank, an attacker may be able to siphon off thousands, or even millions, of customer credit card numbers, addresses and other personal details, and sell these to carders and identity thieves the world over.
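To make the mechanism concrete, here is an added example that is not part of the original article: a login check written two ways against an in-memory SQLite database in Python. The table, the two accounts and the payloads are constructed for the example. The first version splices the submitted username and password into the SQL text, which is exactly the mistake described above; the second sends the same query with bound parameters, so the database receives the statement and the values separately and a quote in the input can only ever be part of a value. Passwords are kept in clear text purely to keep the example short; a real site stores a salted hash.

```python
import sqlite3

# Constructed sample data: a tiny Users table in an in-memory SQLite database.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users (Username, Password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """The pattern that causes SQL injection: untrusted input is spliced into
    the statement text, so the database cannot tell data from command."""
    return ("SELECT Username FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns the logged-in username, or None. Deliberately injectable."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Same query with bound parameters: the driver sends the SQL text and the
    values separately, so a quote in the input stays a quote inside a value."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Payload 1: a quote closes the string and "--" comments out the password check.
    print(build_vulnerable_sql("alice' --", "wrong"))
    print("vulnerable:    ", login_vulnerable(conn, "alice' --", "wrong"))
    print("parameterised: ", login_parameterised(conn, "alice' --", "wrong"))
    # Payload 2: the classic always-true WHERE clause, logging in as the first row.
    print(build_vulnerable_sql("nobody", "' OR '1'='1"))
    print("vulnerable:    ", login_vulnerable(conn, "nobody", "' OR '1'='1"))
    print("parameterised: ", login_parameterised(conn, "nobody", "' OR '1'='1"))
```

Run as a script it prints the two assembled statements, so you can see how the first payload turns the password check into a comment and the second turns the whole WHERE clause true; the parameterised version returns None for both because the payload is compared, quotes and all, against the stored username or password.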
One of the better examples of an SQL Injection attack’s capability would be the case of the TJX Hacker, Albert Gonzalez, now serving twenty years in jail for masterminding the theft and subsequent reselling of approximately 170 million credit cards. Gonzalez used SQL Injection vulnerabilities to create malware backdoors into several corporate networks.
Gonzalez was not the first hacker to use an SQL Injection attack to steal credit card numbers, and he certainly won’t be the last. In a world that is dependent on the internet, governments, banks and other corporations need to be constantly working to stop such attacks and bring these hackers to justice.
The Attack Process
When wishing to hack a website, the first step an attacker takes is to locate a vulnerability within the site that allows them to manipulate data, take down or deface the site. This can be done either by manually probing the site or by using a scanning tool such as Acunetix. Such scanning tools have grown in popularity as they require less technical skill than manual testing. In addition, they are normally much faster and more thorough than the majority of attackers would be in manually probing a site. Scanning tools do not require any administrative logon rights and can be pointed at any website reachable on the internet, which is also why running one against a site you do not own, or do not have written permission to test, is a criminal offence in most jurisdictions. The image below illustrates an Acunetix website scan in progress.
Once the attacker has scanned the site, and has found an SQL Injection vulnerability, there are two ways he/she can go about exploiting this vulnerability. The first approach involves manually constructing an SQL string and injecting it into the site. The shortcoming of this approach is that it generally involves a lot of time and patience on the part of the hacker. The second approach involves using an application, such as Havij, that is specifically designed to exploit SQL vulnerabilities.
Preventing SQL Injection
There are several methods of preventing an SQL Injection attack on your website. The most effective, and the one every other measure should sit behind, is never to build a query by concatenating user input into the SQL text: use parameterised queries (prepared statements), so that the database driver sends the statement and the values separately and a quote or semicolon in the input can only ever be part of a value. A second layer, and the one I have used most often, is to validate every string passed to the site by the user against an allowlist of what that field is permitted to contain. For example, if the user attempted to pass a string such as that shown below, designed to delete any user accounts with a birth year of 1955, into a field that should only ever hold a birth year, then a routine that checks the field contains only alphabetic and numeric characters would block it, because the quotes, spaces, equals sign and semicolon are all outside the allowed set.
DELETE FROM Users WHERE BirthYear = ‘1955’;
This would result in the would-be attacker receiving an error message indicating that they had entered several invalid characters, and being prevented from proceeding any further. The check must run on the server: a check implemented only in the browser’s JavaScript is bypassed simply by sending the request directly.
Some more cautious webmasters also mark certain words as invalid in order to give themselves a higher level of security. Examples of words commonly found on such a list are DELETE, SELECT, EXEC and REPLACE. This is a reasonable extra step, but it must never be the main defence: a keyword blocklist is slipped past with case changes, encoding tricks or inline comments, the most common payloads (a quote followed by OR 1=1 and a comment marker) contain no keyword at all, and ordinary text such as "please delete my old address" gets rejected. Where such a list is used, it is important that any authorised user inadvertently entering one of these words (e.g. DELETE) receives an error message that clearly explains that the word DELETE is not permitted. This will reduce confusion for non-technical users.
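The following is an added example, not code from the article, showing both checks in Python: an allowlist for the birth-year field from the example above, and the kind of keyword blocklist just described. The blocklist contents beyond the four words the article names, and the sample inputs, are assumptions made for the example. It also shows why the allowlist is the stronger of the two: the blocklist rejects a harmless sentence yet lets the commonest injection payload through, while the allowlist rejects that payload because it contains characters a year cannot.

```python
import re

# Allowlist for the page's birth-year field: exactly four digits, nothing else.
YEAR_RE = re.compile(r"[0-9]{4}")

# A keyword blocklist of the kind the article describes. The article names the
# first four words; the rest are assumed additions for this example.
BLOCKED_WORDS = ("DELETE", "SELECT", "EXEC", "REPLACE", "DROP", "UNION", "INSERT", "UPDATE")


def validate_year(value):
    """Allowlist check. Returns (True, "") for a valid year, otherwise
    (False, message) where the message names the offending characters so a
    non-technical user understands why the input was refused."""
    if YEAR_RE.fullmatch(value):
        return True, ""
    bad = sorted({ch for ch in value if not ch.isalnum()})
    if bad:
        return False, "invalid characters: " + " ".join(repr(ch) for ch in bad)
    return False, "birth year must be exactly four digits"


def blocked_keyword(value):
    """Blocklist check: case-insensitive, whole words only (so that 'Selection'
    is not rejected for containing SELECT). Returns the word that triggered
    the rejection, or None if the input passes."""
    upper = value.upper()
    for word in BLOCKED_WORDS:
        if re.search(r"\b" + word + r"\b", upper):
            return word
    return None


if __name__ == "__main__":
    # Constructed inputs: a real year, the article's DELETE string, and a
    # quote-based payload that uses no SQL keyword at all.
    samples = ["1955", "DELETE FROM Users WHERE BirthYear = '1955';",
               "1' OR 1=1 --", "Please delete my old address", "Selection"]
    for s in samples:
        print(repr(s))
        print("  allowlist:", validate_year(s))
        print("  blocklist:", blocked_keyword(s))
```

Run it and compare the two columns: the allowlist rejects everything except "1955", whereas the blocklist lets "1' OR 1=1 --" through and stops the innocent sentence about deleting an address.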
The next prevention method is to disable database features that reach outside the database. An SQL Injection attack itself needs no shell access, but once an attacker can run arbitrary SQL, any feature that lets SQL execute operating-system commands or read and write files on the server (xp_cmdshell on Microsoft SQL Server is the best-known example) turns a database compromise into a server compromise. With those features disabled it will be a lot harder for an attacker to go beyond the database. While you are disabling them you should also disable any other functionality your site does not need or use.
A third approach is to ensure that the database account your website connects with has properly allocated privileges. This means it is granted permission to access only the tables and operations the site actually needs and nothing else. A lot of webmasters forget this and let the site connect as the database administrator (root or sa), with unrestricted access to the entire database. Any injection then inherits those rights, and the damage from an attack is correspondingly larger. Minimising what the account can reach minimises the damage that can occur; in practice it also pays to use a separate read-only account for pages that only ever read data.
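To show what least privilege buys you, here is an added example (not code from the article) in Python with SQLite. SQLite has no user accounts or GRANT statement, so a connection authorizer hook stands in for a database account that may read Users, may not read CreditCards, and may not write anything; the table names and sample rows are constructed for the example. The search query is left deliberately injectable so that the only difference between the two runs is the privileges of the connection.

```python
import sqlite3


def make_db():
    # Constructed sample data: customers, and card numbers the public search
    # feature should never be able to reach.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, Email TEXT);
        CREATE TABLE CreditCards (Id INTEGER PRIMARY KEY, UserId INTEGER,
                                  Number TEXT, Expiry TEXT);
        INSERT INTO Users (Name, Email)
            VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com');
        INSERT INTO CreditCards (UserId, Number, Expiry)
            VALUES (1, '4111111111111111', '12/25'), (2, '5500000000000004', '06/26');
    """)
    return conn


# SQLite has no GRANT, so an authorizer hook stands in for an account that has
# SELECT on Users only: no reads of CreditCards and no writes at all.
WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
                 sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE,
                 sqlite3.SQLITE_ALTER_TABLE}
FORBIDDEN_TABLES = {"CreditCards"}


def restrict(conn):
    """Apply the least-privilege policy to a connection and return it."""
    def authorizer(action, arg1, arg2, dbname, trigger):
        if action in WRITE_ACTIONS:
            return sqlite3.SQLITE_DENY
        # For SQLITE_READ, arg1 is the table and arg2 the column being read.
        if action == sqlite3.SQLITE_READ and arg1 in FORBIDDEN_TABLES:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn


def search_users(conn, name):
    """Deliberately injectable customer search (string concatenation).
    Returns ("rows", list) or ("denied", message) if the database refused."""
    sql = "SELECT Name, Email FROM Users WHERE Name LIKE '%" + name + "%'"
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("denied", str(exc))


def wipe_users(conn):
    """What the injected DELETE in the article's example is trying to achieve."""
    try:
        conn.execute("DELETE FROM Users")
        return ("deleted", None)
    except sqlite3.Error as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # Constructed payload: close the LIKE string, UNION in the card table,
    # comment out the trailing quote.
    payload = "%' UNION SELECT Number, Expiry FROM CreditCards --"
    print("administrator account:")
    print("  search:", search_users(make_db(), payload))
    print("  wipe:  ", wipe_users(make_db()))
    print("least-privilege account:")
    narrow = restrict(make_db())
    print("  search:", search_users(narrow, payload))
    print("  wipe:  ", wipe_users(narrow))
    print("  normal search still works:", search_users(narrow, "ali"))
```

The injection is identical in both runs; on the unrestricted connection it dumps every card number and the DELETE succeeds, while on the restricted connection the database refuses both statements and the legitimate search is unaffected. A real deployment gets the same effect from the database's own account system: grant the web application's login SELECT (and whatever writes it genuinely needs) on its own tables and nothing more.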
A final, and potentially more expensive, approach is to actively test your website for vulnerabilities. This can be achieved in several ways. The first is to scan the website yourself using an application such as Acunetix. These scanners will provide you with a full report of the potential vulnerabilities found and will point you in the direction of what needs to be changed. Bear in mind that a clean scan report does not prove the absence of vulnerabilities; it only shows that the scanner’s own checks found none.
Alternatively you can hire a penetration tester to assess your website. The benefits of a penetration tester far outweigh those of a website scanner. A penetration tester is human, adapts to how your particular site works, and will give you far better feedback than a report from a web scanner. The downside to using penetration testers is that they are human, and humans are generally more expensive than applications.
In Conclusion
SQL Injection attacks represent a significant threat to data security. The approaches outlined in this article are, in my opinion, the best ways of reducing, if not eliminating, the risk of such attacks. If you or your website developer implement the methods outlined in this article carefully, it is much less likely that you will fall victim to an SQL Injection attack.
Notwithstanding this, it is important to remember that everything can be hacked by a determined and skilled attacker prepared to spend a considerable amount of time attacking your site. However, by implementing the preventative measures that I have explained in this article, and by keeping your database server up to date, you will be well ahead of the majority of websites and in a stronger position to defend your website’s database from an attack.
