SQL injection

SQL injection, also known as insertion, is a malicious technique that exploits vulnerabilities in a target website’s SQL-based application software by injecting malicious SQL statements or by exploiting incorrect input. In 2013, the Open Web Application Security Project (OWASP) listed injection as the most prevalent threat to vulnerable web applications.

SQL injection is one of the most common code injection techniques that attackers use against websites. Once a website is exploited, attackers attempt to gain root access to the server, allowing them to gather information as well as access databases and other devices within the network.

In March 2011, SQL injection was used to compromise numerous websites and inject a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.

Difference with Cross-site Scripting

While both vulnerabilities can be caused by malicious code or data sent by website/app users and administrators, they differ in terms of impact. Cross-site scripting (CSS/XSS) typically causes disruptions on the client or visitor side and can be used to hijack sessions, deface websites, download malicious content, and redirect URLs. On the other hand, injections severely affect the server side and can lead to data loss and other consequences.

How to Prevent SQL Injection Attacks

Video: Trend Micro Tech-TV: Demonstrate and Prevent SQL Injection Exploits

Related terms: Cross-site scripting (CSS/XSS), website defacement, vulnerability, exploit

For enterprises:

  • Use testing tools to ensure deployed code is secure. Enterprises and organizations may invest in testing tools such as web application scanners, vulnerability scanners, and static code analyzers. These tools help IT teams test and evaluate code before, during, and after deployment.
  • Consider using web application firewalls. These provide firewall protection at the web application level.
  • Practice secure coding. Companies with websites must employ and implement secure coding standards. The Open Web Application Security Project (OWASP) is a not-for-profit organization that helps web developers, administrators, and owners practice safe coding via community feedback.
  • Patch systems and networks accordingly. IT administrators should take special care in making sure ALL systems in the network are patched, because one unpatched system may spell disaster. This prevents cybercriminals from exploiting vulnerabilities in unpatched/outdated software.
  • Scan web applications for vulnerabilities. Enterprises need to check their web apps for vulnerabilities as these can lead to SQL injection and cross-site scripting attacks.

Links:

https://www.owasp.org/index.php/Top_10_2013-A1-Injection

http://blog.trendmicro.com/trendlabs-security-intelligence/lizamoon-etc-sql-injection-attack-still-on-going/

Products: Trend Micro™ Deep Security™ and Vulnerability Protection, Trend Micro™ Deep Discovery™