SQL Injection

Background

SQL injection is one of the most common code injection techniques attackers use against websites. An attacker finds a vulnerability in the target website's SQL-based application software and exploits it by submitting malicious SQL statements or by abusing input that the application does not handle correctly. Once the application is compromised, the attacker attempts to gain root access to the server. When successful, the attacker can gather information such as the user names and passwords that are used to access the databases and other devices within the network.

We have seen website compromises that lead to other threats, such as the download of rogue antivirus malware (also known as FAKEAV). In 2008, Trend Micro saw a number of website compromises that were carried out via SQL injection. In 2013, SQL injection was the top infiltration method used by attackers in data breaches.

SQL injection affects organizations and regular consumers alike. Once a website is successfully compromised via SQL injection, attackers can obtain the data stored in its servers and databases. Often, this is customer data (user names, passwords, email addresses, and the like) or company data (confidential documents, trade secrets, organization structure, etc.). Preventing such compromises is the first step in keeping this data secure.

Countermeasures/Best Practices

For enterprises:

  • Use testing tools to ensure deployed code is secure. Enterprises and organizations may invest in testing tools such as web application scanners, vulnerability scanners, and static code analyzers. These tools help IT teams test and evaluate code before, during, and after deployment.
  • Consider using web application firewalls. These provide firewall protection at the web application level.
  • Practice secure coding. Companies with websites must employ and implement secure coding standards. The Open Web Application Security Project (OWASP) is a not-for-profit organization that helps web developers, administrators, and owners practice safe coding via community feedback.
  • Patch systems and networks accordingly. IT administrators should take special care in making sure ALL systems in the network are patched, because one unpatched system may spell disaster. This prevents cybercriminals from exploiting vulnerabilities in unpatched/outdated software.
  • Scan web applications for vulnerabilities. Enterprises need to check their web apps for vulnerabilities, as these may lead to SQL injection and cross-site scripting attacks.

For consumers:

  • Secure ALL your devices. Laptops, mobile devices, desktops – ensure that they are protected by security software and are always kept updated.
  • Secure your accounts. Use different email addresses and passwords for each account you have. Use a password manager to automate the process.
  • Do not open email from unfamiliar senders. If in doubt, delete it without opening it. Verify with the sender before opening any attachments.