SQL Injections Wreaking Havoc
By Ericka Chickowski | Posted 2009-06-12
Project managers must implement security best practices into application development to keep attacks at bay.
See also: Six Steps to Stop SQL Injections slideshow.
Look closely at the following string of characters: ' Or 1=1 --.
It may be a passkey into your lockbox of corporate information.
Hackers use alphanumeric strings like these to take advantage of vulnerabilities in Web applications linked to SQL Server databases. These efforts help them gain entry into SQL Server databases tied to web forms, steal valuable customer information and intellectual property, and even redirect users to malicious Web sites for more attacks.
Known commonly as SQL injections, these attacks are as prevalent as they are easy to execute. According to a recent IBM ISS X-Force study, SQL injections shot up by 134 percent last year, making them the most common Web attack technique. X-Force researchers found that on the worst days, hackers executed more than 450,000 attacks in a single 24-hour period.
SQL injection attacks work by inserting commonly used SQL commands into vulnerable Web application input forms. So, instead of a username and password, the attacker might enter a dummy username and the string ' Or 1=1 -- in order to trick the database into treating the input as part of its query and grant entry into backend systems.
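To make the mechanism concrete, here is an added example (not code from the article or from any vendor it quotes) showing why the string above works against a login form that builds its query by concatenation, and why the same input is harmless once the query uses bound parameters. The table, the user record and the function names are constructed for the illustration; it uses Python's built-in sqlite3 module as a stand-in for the SQL Server backend the article describes.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the web form's backend database.
    # Plaintext passwords are used only to keep the demonstration short; a real
    # application stores a salted hash, never the password itself.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    # String concatenation: whatever the user typed becomes part of the SQL text,
    # so quotes and comment markers in the input change the query's structure.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # With the article's payload as the password, the query becomes
    #   ... WHERE username = 'nobody' AND password = '' OR 1=1 --'
    # The '--' comments out the trailing quote, and because AND binds tighter
    # than OR the WHERE clause is true for every row, so the check passes.
    sql = build_vulnerable_sql(username, password)
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders keep the input as data: the driver sends the SQL text and the
    # values separately, so the database never parses the input as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # Runs the same three login attempts against both implementations and
    # returns the outcomes so they can be compared side by side.
    conn = make_db()
    payload = "' OR 1=1 --"   # the string quoted in the article
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "wrong_vulnerable": login_vulnerable(conn, "alice", "wrong"),
        "payload_vulnerable": login_vulnerable(conn, "nobody", payload),
        "valid_parameterized": login_parameterized(conn, "alice", "correct horse battery staple"),
        "wrong_parameterized": login_parameterized(conn, "alice", "wrong"),
        "payload_parameterized": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

Only the concatenated version accepts the injected password; the parameterized version rejects it exactly as it rejects any other wrong password. The fix is not filtering the characters in the payload but changing how the query is built, which is why the article's sources locate the root cause in the development process rather than in any single patch.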
Though there are plenty of documented coding methods to shore up a site against SQL injections, the fact of the matter is that most shops simply don't use them. In this day and age of agile development, coders are more concerned with speed to market than with security testing.
“The agile development philosophy says to release early and release often, which is counterintuitive to the build-security-upfront kind of philosophy,” says Jeremiah Grossman, CTO and founder of WhiteHat Security.
Injection attacks aren't new. In fact, for several years now hackers have been using injection attacks such as cross-site scripting to trick vulnerable websites into handing the attacker login information for the specific Web site in question. What is new, however, is the evolution of sophisticated SQL injection attacks that take the idea of injecting malformed code a few steps further and give the attacker greater ability to remotely execute code within the attacked site.
“It used to be that most of the vulnerability disclosures around web applications were cross site scripting vulnerabilities. But they're just not as valuable to an attacker as SQL injection vulnerabilities are,” says Tom Cross, security researcher for IBM ISS X-Force. “The bad guys are getting a lot more mileage out of SQL injection. SQL injection is being used to redirect the legitimate users of a website to exploit toolkits that take total control over their computer and so the bad guys have every credential that users have for everything, plus their credit card numbers and other sensitive information.”
Even more troubling is a new technique disclosed recently at Black Hat Europe, whereby hackers can use SQL injections as a stepping stone directly into the OS of the server holding SQL Server databases.
The major difficulty most organizations face when trying to mitigate the risk of SQL injection attacks is that there is simply no quick fix to the problem. While patches and web application firewalls can help address issues with code as they come up, the real root of the problem lies in code development processes. The exploited vulnerabilities are typically born of inherently risky homegrown code and insecure database configurations.
“There is no phase on the assembly line where somebody bolts the security on,” says Brian Chess, chief scientist for Fortify Security, which makes software code analysis tools. “You need to look at all of the different paths and processes that are involved in making software in order to make it secure.”