Prevent SQL Injection Attacks

Coming in at number one in the OWASP Top Ten Most Critical Web Application Vulnerabilities are injection attacks, and SQL injection vulnerabilities are the most common and most dangerous in this category. SQL injection is a technique that exploits vulnerable web sites by smuggling attacker-controlled SQL into the queries the application sends to its database, so that the database executes the attacker's commands instead of, or in addition to, the ones the developer wrote.

What makes the threat of SQL injection attacks so dangerous is the ease with which they can be launched and how many web sites are vulnerable to them.

Attackers often use large botnets to systematically seek out vulnerable web sites with little effort on their part. Pair this with the fact that the number of sites vulnerable to this type of attack grows each year and it is clear why it remains at the top of the list of the most critical vulnerabilities.

Risks Associated with SQL Injection

Even with the ease with which an automated SQL injection attack can be carried out, if attackers stood to gain nothing the threat would soon disappear. Unfortunately, a successful compromise can be quite profitable: it gives the attacker direct access to the database, so information can be stolen and sold, or data can be altered or deleted. More advanced techniques can also give the attacker unrestricted access to the underlying system through a backdoor. SQL injection can also be used in tandem with other exploits, such as cross-site scripting, by writing attacker-controlled content into the database so that it is later rendered to a web site's visitors.

Not preventing SQL Injection attacks leaves your business at great risk of:

Preventing SQL Injection Attacks

With the dotDefender web application firewall you can avoid SQL injection attacks: dotDefender inspects your HTTP traffic and detects SQL injection and other attacks before they reach your web application, stopping identity theft and preventing data leaks.

Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against SQL Injection attacks, cross-site scripting, website defacement and many other web attack techniques.

The reasons dotDefender offers such a comprehensive solution to your web application security needs are:

How does an attacker compromise your SQL server?

Before a web site can be compromised, an attacker needs to find an application that is vulnerable to SQL injection. This is done by sending probing queries to learn how the application builds its SQL and how it responds when that SQL is malformed.

The attacker has two ways to identify SQL injection vulnerabilities:

  1. Error messages: the attacker constructs the correct SQL syntax based on error messages propagated from the SQL server through the front-end web application. Using the errors received, the attacker learns the internal structure of the database and how to attack it by injecting SQL via the web application's parameters.
  2. Blind injection: this technique is used in situations where no error messages or query results are returned to the attacker. The attacker cannot see the back-end SQL and so cannot directly learn how to "balance" the injected fragment into a syntactically valid query; instead, the attacker infers the result of each query from side effects, typically a difference in the page's response between a condition that is true and one that is false. Without any database content appearing in the response, the attacker must also find another channel through which to retrieve data.

Identifying the database

Because each database product reacts differently to the same probes, the attacker can identify the database type and, from that, the server running it.

There are several syntax differences the attacker uses to tell database engines apart within a SQL statement.

  1. String concatenation: SQL Server uses the + operator, as in
    select f1+f2
    from t1
    whereas Oracle, PostgreSQL and SQLite use || and MySQL uses the CONCAT() function. Whichever form the engine accepts without error reveals which engine it is.
  2. Using a semicolon (to chain a second statement onto the first) or a dollar sign ($)

Compromising the SQL server

Once the attacker has gathered this information, he or she can build the exploit code.

Some techniques used to execute SQL Injection attacks are:

For example, the attacker decides to go with a basic attack using:
1 = 1--

Entered into a login form's input box as part of a payload such as ' OR 1=1--, this turns the WHERE clause of the query into a condition the server always evaluates as true, because 1 = 1 holds for every row. Since -- starts a comment, everything the developer placed after that point (such as the password check) is ignored, making it possible for the attacker to gain access to the database. You can see precisely how this attack works on our SQL injection example page.
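The whole sequence described above (probing for the flaw through error messages and blindly, fingerprinting the database by its concatenation operator, and the 1=1-- attack) can be reproduced end to end against a throwaway database. The following is an added example, not code from this page or from the dotDefender product: it models a vulnerable login query and its parameterized replacement in Python against an in-memory SQLite database, with a constructed users table; the function names and sample rows are assumptions made for illustration.

```python
"""Worked model of the SQL injection life cycle this page describes: probing
for the flaw (error-based and blind), fingerprinting the database, the
1=1-- tautology attack, and the parameterized query that defeats all of it.
Everything runs against an in-memory SQLite database with constructed data."""
import sqlite3

# Constructed sample data; not taken from any real site.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                        password TEXT, role TEXT);
    INSERT INTO users (username, password, role) VALUES
        ('admin', 'hunter2', 'administrator'),
        ('alice', 's3cret',  'user');
""")


def vulnerable_login(username, password):
    """The flaw: input is pasted into the SQL text, so a quote, OR/AND and the
    -- comment marker all change what the query means.
    Returns (row_or_None, error_text_or_None)."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    try:
        return conn.execute(sql).fetchone(), None
    except sqlite3.Error as exc:
        # An application that echoes this to the browser hands the attacker
        # technique 1 from the page: learning the query from error messages.
        return None, str(exc)


def safe_login(username, password):
    """Hardened form: fixed query text, input bound as parameters, so the
    same payloads are compared as plain strings and never parsed as SQL."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchone()


def detect_by_error():
    """Technique 1 (error messages): a lone quote breaks the syntax and the
    database's complaint proves the input reaches the query unescaped."""
    _, err = vulnerable_login("'", "x")
    return err


def detect_blind():
    """Technique 2 (blind injection): no error text needed. A payload that
    makes the WHERE clause true and one that makes it false yield different
    responses only if the input is being interpreted as SQL."""
    true_row, _ = vulnerable_login("admin' AND 1=1--", "wrong")
    false_row, _ = vulnerable_login("admin' AND 1=2--", "wrong")
    return true_row != false_row


def fingerprint_concat():
    """Identify the database family from the string concatenation operator it
    accepts: || (SQLite, PostgreSQL, Oracle) versus + (SQL Server). The payload
    splits 'admin' into 'ad' <op> 'min'; only the operator the engine honours
    reassembles the name and returns the row. SQLite treats 'ad'+'min' as
    numeric addition (0), so that probe matches nothing."""
    for op in ("||", "+"):
        row, _ = vulnerable_login(f"ad'{op}'min' AND 1=1--", "wrong")
        if row is not None:
            return op
    return None


def bypass_with_tautology():
    """The page's basic attack: OR 1=1 makes the WHERE clause true for every
    row and -- discards the password check, so the first user (here the
    administrator) is returned without any credentials."""
    row, _ = vulnerable_login("' OR 1=1--", "")
    return row


if __name__ == "__main__":
    print("error leak:", detect_by_error())
    print("blind oracle:", detect_blind())
    print("concat operator:", fingerprint_concat())
    print("tautology login:", bypass_with_tautology())
    print("same payload, parameterized:", safe_login("' OR 1=1--", ""))
```

Run as a script, the vulnerable path leaks a SQLite syntax error, answers the blind true/false probe differently, accepts || as the concatenation operator, and logs the attacker in as the administrator with no password; the parameterized safe_login returns nothing for the same payload because the quote, the OR and the comment marker are all just characters in a bound string. That contrast is the point: escaping or filtering input reduces the attack surface, but binding parameters removes it.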

The Need to Avoid SQL Injection Attacks

SQL injection techniques have been around for over 10 years now, but recent years have seen a dramatic increase in both the number of attacks and the extent of the damage they cause. In fact, a sweep of attacks in the second quarter of 2008 alone resulted in over 500,000 exploited web pages that were compromised to deliver password-stealing malware to users' computers. In more recent studies, security firms report attempted attacks reaching totals of 450,000 per day.

The tragedy is that these threats can be mitigated, or even prevented, with the proper tools and knowledge.

The attacker identifies vulnerabilities and obtains database access.

SQL (Structured Query Language) provides the interface through which applications access and interact with a database. A database usually stores data in tables, with reusable logic held in stored procedures.

SQL injection is an exploit method in which the attacker aims at penetrating a back-end database to steal, manipulate or modify the information it holds. The attack exploits the web application by injecting malicious SQL through its inputs, causing the database to execute queries the developer never intended. Almost all SQL databases and programming languages are potentially affected, and, according to the figures this page cites, over 60% of websites turn out to be vulnerable to SQL injection.

The threat posed by SQL injection attacks is not a solitary one. Combined with other vulnerabilities such as cross-site scripting, path traversal, denial of service attacks and buffer overflows, the need for web site owners and administrators to be vigilant is not only important but overwhelming.

Protect Yourself from SQL Injection Attacks

dotDefender's security approach eliminates the need to learn the specific threats that exist on each web application. Rather than modelling each application, dotDefender analyzes each request and the impact it would have on the application. Its protection is based on three web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase.

The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as SQL Injection and Cross Site Scripting. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.
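To make the regular-expression approach concrete, here is an added example of signature-style request inspection of the kind a pattern-recognition engine performs. It is illustrative code written for this page, not dotDefender's rule set or any part of the product: the three patterns, the sample URL-encoded query strings and the function name are all assumptions made for the example, and a production rule set is far larger.

```python
"""Signature-style request inspection over constructed sample query strings.
Illustrative patterns only; the point is how such an engine is wired and why
it must decode the request before matching."""
import re
from urllib.parse import unquote_plus

# Constructed request bodies (URL-encoded, as a browser would send them).
SAMPLE_REQUESTS = {
    "benign":       "username=alice&password=s3cret",
    "tautology":    "username=%27+OR+1%3D1--&password=",
    "stacked":      "id=5%3B+DROP+TABLE+users--",
    "benign_quote": "comment=it%27s+fine",
}

# Illustrative signatures. Each is named so a hit can be reported and tuned
# individually; a real rule set contains many more and is revised over time.
SQLI_SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I),  # ' OR 1=1
    "comment":   re.compile(r"--\s*(&|$)"),                     # -- ends value
    "stacked":   re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),
}


def inspect_request(query_string, decode=True):
    """Return the sorted names of the signatures that fire on a request.
    The engine must decode the request the same way the application will;
    otherwise an encoded quote (%27) slips past a pattern written for a
    literal quote, which is exactly how naive filters get bypassed."""
    text = unquote_plus(query_string) if decode else query_string
    return sorted(name for name, pat in SQLI_SIGNATURES.items()
                  if pat.search(text))


if __name__ == "__main__":
    for label, qs in SAMPLE_REQUESTS.items():
        print(f"{label:13s} decoded={inspect_request(qs)} "
              f"raw={inspect_request(qs, decode=False)}")
```

Two things are worth noticing when you run it. The apostrophe in "it's fine" fires nothing, which is the false-positive concern every signature engine has to manage: a bare quote is not an attack, only a quote in an attack-shaped context is. And with decoding switched off, the tautology payload loses its "tautology" hit and is only caught by the trailing comment marker, which shows why normalization of encodings is as important as the patterns themselves.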

What types of SQL Injection attacks does dotDefender block?

dotDefender blocks various SQL injection techniques including, but not limited to:

What sets dotDefender apart is that it offers comprehensive protection against SQL injection and other attacks while being one of the easiest solutions to use.

In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.
