SQL Injection Explained

The innocuous credential SQL search SELECT userid FROM members WHERE username = 'admin' AND password='DifficultPassword!' is modified by the attacker by entering admin'-- in the unprotected login field above to produce the following SQL code behind the scenes: SELECT userid FROM members WHERE username = 'admin' AND password='123' admin is the user we want to impersonate ' is used to terminate the literal string in the SQL statement -- means "comment out the rest of the line" making sure that password validation is not performed. '-- is the simplest SQL injection, there are many different ways to perform SQL- injection (beginners cheat sheet are available on the internet12) and even more ways to bypass SQL Injection protections (called filter evasion13). SQL Injection can do more than just bypass login restrictions, SQL Injections can:

1. Launch malicious SQL commands like "DROP Tables"
2. OS Commands like "Format c:"
3. Download and execute Trojan horses on your server
4. Execute complex queries returning the creditcard data in your database to the attacker

1. A Customer informs you that they found your Data on a Hacker bulleting board - Ouch (in 2013 70% of data breaches were discovered by external parties1)
2. Code Review - Yuk! mind numbing and takes forever, due to the human element not very reliable for large amounts of code. Use this once you have located the vulnerability using other means.14
3. Free open source tools - Detailed semi-automatic testing - typically one page or field at a time. Great for testing during development or for understanding the SQL injection that was found by fully automatic tools - no phone or live support.
4. Commercial Tools for testing SQL injection - Obviously these tools are great at finding SQL injections, don't forget that there could many other kinds of vulnerabilities hiding in your systems.
5. Fully automatic Vulnerability Assessment (VA) testing that will test for everything - day out and day in without human intervention. This is the best solution for making sure some change does not (re-)introduce SQL-injection or other vulnerability in your web-site. Coolest: Easy online solutions not requiring installation or training.

1. Using secure coding practices during development14
2. Go back and fix old code14
3. Validate and filter all input, remove SQL control characters 15
4. Update 3rd party web-applications to secure versions
5. Use a Web Application Firewall (WAF) in front of your vulnerable web servers, to intercept the Attacks before they reach your server. Configuring a WAF to protect against the SQL injections and other Web application vulnerabilities is ridiculously difficult, which is why we wrote the Critical Watch WAF OptimizerTM to automatically configure your WAF based on detected vulnerabilities.

SQL Injection Notes:

1. While SQL injections relate to SQL Databases, the problems typically need to be fixed in the application layer not in the database layers. (Updating the database will not fix the problem)
2. Short field length is a good way to minimize SQL Injection attacks, as there is a limit to how much attack code can be written into a short field. You must enforce the short field length in the back-end application or WAF as HTML restrictions are easily bypassed.
3. Non-SQL Databases like Mongo do not suffer from SQL Injection - they suffer from Non-SQL Injections2.
4. Why only do SQL Injections via SELECT Statements - here how to do it via INSERT, UPDATE and DELETE16