Secerno - Active Database Control

SQL Injection Attack: A Security Threat

Injection attacks

As the much-publicised TJX/TK Maxx data breach of around 45 million card records highlights, web application security is a growing problem. Organizations are realising that their databases are an easy target, with SQL injection attacks reported to be increasing at a rate of 250 per cent[1] a year. A successful SQL injection lets an attacker run queries of their own choosing against the database, and therefore control both the database and the data held within it.

An SQL injection attack becomes possible when a web application takes text that a user has entered (in a form field, URL parameter or cookie) and splices it directly into the SQL statement it runs against the database, so that the input is interpreted as part of the query rather than as data. It can be relatively simple for an attacker to learn enough about how the application's queries and database work to log in as an administrator of an organization's website without knowing any password.

Consequences of SQL Injections

With SQL injection, cyber-criminals can take complete remote control of the database and use it to do whatever they wish, including:

  • Inserting commands to obtain every account detail in a system, including user names, and retrieving VNC passwords from the registry
  • Shutting down the database
  • Uploading files
  • Gathering IP addresses through reverse lookups and attacking those machines with further injection attacks
  • Corrupting, deleting or changing files, and interacting with the operating system to read and write files
  • Online shoplifting, e.g. changing the price of a product or service so that it costs next to nothing or is free
  • Inserting a bogus name and credit card into a system in order to defraud it at a later date
  • Deleting the database and all of its contents

To help protect against SQL injection, organizations must validate and filter user input and put a length limit on it, since many attack payloads are far longer than legitimate input. Different types of input, such as a name or an e-mail address, have a specific format and syntax that can be checked. A crude defence is to block particular keywords such as DROP, INSERT, SHUTDOWN or NAME. This is very hard to do well in practice, because the context in which a keyword appears is what matters: a legitimate surname may contain a blocked word while a damaging payload may contain none. The reliable fix at the application layer is to pass user input to the database as bound parameters rather than concatenating it into the statement text; beyond that, more powerful approaches exist which take into account the intent of the statement rather than just the keywords it uses.
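The following is an added worked example, not Secerno's code, illustrating both the mechanics described above (user text spliced into a login query) and the defences just discussed (a keyword blacklist versus bound parameters). It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table, the two sample accounts and the function names login_vulnerable, login_keyword_filter and login_parameterised are assumptions made for the illustration.

```python
"""Added illustration of SQL injection and two defences (not Secerno's code).

Runs against an in-memory SQLite database with constructed sample data. All
names (users table, accounts, login_* functions) are assumptions for this demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an admin account and an ordinary user.

    The ordinary user's name is 'drop' on purpose: it is a perfectly legitimate
    value that happens to contain a SQL keyword, which trips a naive blacklist.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "admin"),
         ("drop", "pw-for-mr-drop", "user")],
    )
    return conn


def build_query(username: str, password: str) -> str:
    """The vulnerable pattern: user-supplied text concatenated into SQL text."""
    return ("SELECT username, role FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query; returns (username, role) or None."""
    return conn.execute(build_query(username, password)).fetchone()


# The crude keyword blacklist mentioned in the text.
BLACKLIST = ("DROP", "INSERT", "SHUTDOWN", "DELETE", "UNION")


def login_keyword_filter(conn, username, password):
    """Rejects input containing a blacklisted word, then runs the same
    vulnerable query. Returns 'rejected', a row, or None."""
    for value in (username, password):
        upper = value.upper()
        if any(keyword in upper for keyword in BLACKLIST):
            return "rejected"
    return login_vulnerable(conn, username, password)


def login_parameterised(conn, username, password):
    """The real fix: placeholders. The driver binds the values as data, so
    quotes and comment markers in the input never alter the statement."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo():
    """Exercises every path and returns the outcomes keyed by scenario."""
    conn = make_db()
    # Closes the string literal and comments out the password check:
    #   ... WHERE username = 'admin'--' AND password = 'anything'
    comment_payload = "admin'--"
    # Makes the WHERE clause true for every row; the first row is the admin:
    #   ... AND password = '' OR '1'='1'
    tautology_payload = "' OR '1'='1"
    return {
        "honest": login_vulnerable(conn, "admin", "s3cret-admin-pw"),
        "injected": login_vulnerable(conn, comment_payload, "anything"),
        "or_true": login_vulnerable(conn, "nobody", tautology_payload),
        # The blacklist does not stop either payload (no blocked word in them)...
        "filtered_injected": login_keyword_filter(conn, comment_payload, "x"),
        # ...but it locks out the legitimate user whose name contains DROP.
        "filtered_legit": login_keyword_filter(conn, "drop", "pw-for-mr-drop"),
        # Bound parameters: the payload is just a username nobody has.
        "param_injected": login_parameterised(conn, comment_payload, "anything"),
        "param_honest": login_parameterised(conn, "admin", "s3cret-admin-pw"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18} -> {outcome}")
```

Running the script shows the vulnerable login returning the admin row for both payloads, the keyword filter letting both payloads through while rejecting the honest user named "drop", and the parameterised version returning None for the payload and the admin row only for the genuine credentials. The point is the one made above: filtering on words alone mistakes context for intent, whereas binding parameters removes the ambiguity between data and query altogether.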

According to one study[2], 91 per cent of database attacks lead to financial loss, but the financial impact can be dwarfed by the long-term damage to an organization's reputation. Research by Ipsos MORI[3] found that 58 per cent of consumers would stop using an organization's services following a security breach involving their personal data.

Examples of SQL Injection

Here are some examples of alleged SQL injection attacks:

Many more examples of SQL injections are available from the Web Application Security Consortium (WASC).


1. Source: MITRE

2. E-Crime Watch Survey: United States Secret Service, CERT and CSO Magazine profile of internal attacks.

3. See The_People_Vs_Ecommerce-MORI_poll.pdf
