How to Protect Against SQL Injection Attacks

With so many modern applications driven by data and easily accessed via the web, SQL injection vulnerabilities have become increasingly widespread, and criminals are capitalising on this by exploiting them.

Just in the first quarter of 2019, almost 30,000 SQL injection attempts were detected by the UKFast Threat Monitoring service on our clients’ servers. This kind of cyber-attack, on a global scale, affects millions of organisations on a daily basis.

Any data-driven applications that use an SQL database are possible targets, so what steps can you take to protect them? In this article, IT infrastructure specialist, Source UPS, will be discussing exactly that.

What are SQL injection attacks?

An attacker crafts a malicious SQL statement and enters it into an input field so that the underlying SQL database will execute it. The application then performs whatever action is written into the malicious code.

This kind of attack is made possible by vulnerable, improperly coded web applications. The flaws occur when entry fields are unexpectedly made available for user input, allowing SQL statements to get through and query the database directly.

An SQL injection, which is frequently done with the goal of stealing personally identifiable information (PII), can result in several devastating consequences. They include:

- Extraction of PII or other sensitive information, causing a data breach under GDPR that can incur reputational damage and notable fines;
- Authentication details such as logins and passwords being enumerated for use in future attacks;
- Corrupted or deleted databases, which make your website unusable;
- Attacks on other systems that are part of your network via a compromised database.

With the stakes so high, what steps can you take to protect your applications and websites against SQL injection attacks that have become so widespread?

1. Parameterised statements

These statements are dynamic, can be executed faster, and are the best way to prevent an SQL injection attack from occurring.

Use parameterised database queries with typed, bound parameters, and use parameterised stored procedures within the database with care. That keeps the statements sent to your SQL database safe. The query string and its parameters are passed to the database separately, which allows the database driver to interpret them correctly, so that your code does not become vulnerable to attacks.
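The difference between splicing input into the SQL text and binding it as a parameter, shown as an added example that is not part of the original article. It uses Python's built-in sqlite3 module; the users table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return conn

def find_user_concatenated(conn, name):
    """Vulnerable form: user input becomes part of the SQL text itself."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_parameterised(conn, name):
    """Hardened form: the SQL text is fixed and the value is bound separately."""
    if not isinstance(name, str):  # typed parameter: accept text only
        raise TypeError("name must be a string")
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    hostile = "nobody' OR '1'='1"  # constructed input containing SQL syntax
    # Concatenation lets the input rewrite the WHERE clause: every row comes back.
    print("concatenated :", find_user_concatenated(conn, hostile))
    # Binding treats the same input as a literal name: no row matches.
    print("parameterised:", find_user_parameterised(conn, hostile))
    # A legitimate name containing an apostrophe breaks the concatenated query
    # but works when bound.
    try:
        find_user_concatenated(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated, o'brien:", exc)
    print("parameterised, o'brien:", find_user_parameterised(conn, "o'brien"))
```

The concatenated lookup fails in both directions: it returns rows it should not for the hostile input, and it raises a syntax error for an ordinary surname containing an apostrophe.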

2. Use a WAF

A web application firewall (WAF) contains thousands of rulesets covering several common application-layer attacks, including SQL injection. A WAF provides the first layer of defence, which means that even if there are some weak links in your code, your web apps are still effectively protected against SQL injection attempts.

3. Scan for potential vulnerabilities

Hackers constantly search websites and the internet for flaws in their code. There are tools that automate the identification of SQL injection flaws and then exploit them, which allows cybercriminals to achieve a faster return on investment and increases their chances of succeeding.

Specialised vulnerability scans that are dedicated to SQL injection can help you to detect any SQL injection flaws as well as other related types of web vulnerabilities that may be present.

4. Object Relational Mapping (ORM) frameworks

An ORM framework may be written in any of several programming languages and is designed to wrap around a database, such as your SQL database.

This type of framework does not make you immune to SQL injection. However, it does allow you to build SQL queries in a language that you are familiar and comfortable with. That makes the process easier and reduces the chance that the code will contain errors that can be exploited. It also comes with a number of prebuilt features that can help to boost security even further, for example using parameterised statements as the standard, as in SQLAlchemy (a Python toolkit).

5. Least privilege principle

If your database does end up being compromised, applying the principle of least privilege can help to prevent an attacker from accessing other parts of your network.

Use the least privilege principle when you provision accounts that are used for connecting to your SQL database.

6. Password hashing

If an SQL injection attack is encountered, password hashing can help to minimise damage since it makes all passwords unreadable.

Having unencrypted passwords stored inside your organisation is a huge security flaw. User passwords should be stored by applications as one-way, strong hashes, preferably salted. That helps to mitigate the risk that malicious users will be able to impersonate other users or steal credentials.