Organized cybercriminals are taking advantage of vulnerabilities that exist in the way dynamic Web sites operate by injecting malicious code that sites' database servers process. This, in turn, is infecting the computers of visitors to the affected sites.
These SQL injection attacks are nothing new. But, in the past, each attack was directed at "valuable" targets. Hackers most often selected these targets because their databases contained sensitive information that could be resold or used for identity theft. Today these attacks have become more widespread, and they're acting as vehicles for mass infection of Web sites, which leads to thousands of infected computers.
Cybercriminals target organizations because they store valuable information in their online applications. At the most basic level, improperly validated user input in a Web-based application causes these attacks. This user input consists of character "strings" that an attacker carefully crafts so that, when the Web application embeds them in the instructions it sends to the database, they act on the database layer itself. Applications should validate all user input passed to the database, but some don't perform this function adequately. Instead they allow malicious code to be passed to the database for processing.
A successful SQL injection will allow the attacker to read sensitive data stored in the database, modify data, or modify the database itself. It can also execute various administration commands on the database server.
ANATOMY OF AN SQL INJECTION ATTACK
SQL is a database language designed for the retrieval and management of data in a relational database management system. Web-based applications use SQL to interact with the database layer to generate dynamic Web content.
For example, a user logs into his profile on a Web site. He fills in an online form with his username and password and submits it. The application will now perform an SQL query to verify whether the username exists in the database, and it will make sure the password matches the stored one. In this scenario, the user-supplied credentials become parameters for a predefined SQL statement responsible for validating credentials and granting access to the Web application.
To function, a Web-based application requires implicit trust between itself and the database. Because the application is authorized to execute queries, the database doesn't care if the query is valid or the result of malicious code injected into a predefined SQL statement. These SQL statements, developed as part of the Web application, are responsible for information exchange between the application and the database.
An SQL injection attack consists of inserting malicious SQL code into the user-supplied input, which the database layer then executes. This might result in disclosure of sensitive information as the database is tricked into executing a malicious SQL statement that displays the content of all credit card transactions stored in the database server.
An attacker can exploit such a vulnerability by, for example, inserting a single quote mark into the input that the application passes to the database via the Web form. The database server interprets a single quote as a boundary in an SQL statement. In the SQL injection context, it is read as the boundary between the data meant to be included in the predefined SQL statement and the malicious code to be run by the SQL server. This leads to the execution of the predefined statement followed by the malicious statement.
EXPLOITING VULNERABLE APPLICATIONS
A hacker can easily identify a Web site vulnerable to an SQL injection attack with a simple Google search. By searching for a pattern associated with vulnerable applications - for example part of a URL associated with a known vulnerable Web application package - Google will provide results that the hacker can use as a starting point to identify vulnerable sites.
From there, the hacker will "test" the potential victim applications by using simple, effective methods to validate if added SQL commands can be passed as part of the user input. Depending on the results of the statement injected into the legitimate SQL, the hacker can determine if the application will be vulnerable to an SQL injection.
When an application is deemed vulnerable, the hacker can then begin crafting malicious strings of characters that will be passed on by the application to the database and extract sensitive information from the database layer. According to the "2009 Data Breach Investigation Report" published by Verizon, SQL injections ranked second in prevalence of data-breach attacks, and they were responsible for 79 percent of breached records.
AUTOMATED ATTACKS
SQL injections are now being used for extensive attacks that exploit and infect Web sites with malicious scripts that infect the computers of Web site visitors. An April 2008 automated SQL injection attack might have compromised up to 500,000 Web sites including several high-profile international sites.
The intent behind the April 2008 attacks was to inject a malicious script into Web databases. This script was then included in the Web pages that were generated from content stored in the database. When someone visited an infected Web page, the malicious script was executed in the visitor's Web browser and compromised the visitor's computer. This automated SQL injection attack thus created a method of indirectly infecting computers by infecting the sites they visited.
PREVENTING SQL INJECTION
As we've seen, hackers attack computers by inserting malicious code into user-supplied input. But malicious code won't reach the database when we validate user input and never embed it directly in the text of SQL statements.
The best way to prevent SQL injections is through good development and programming practices. The Open Web Application Security Project provides guidance and best practices on improving security in Web applications for programmers and IT departments.
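As an added illustration of the login scenario and the prevention advice above (example code written for this page, not from the article or any referenced project), the following Python script builds a constructed in-memory SQLite user table, contrasts a query assembled by string concatenation with a parameterized one, and adds a simple allowlist check on the username. The table, column names and sample users are assumptions; a real application would store password hashes rather than the plain values used here.

```python
import re
import sqlite3

# Constructed sample data standing in for the Web application's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "secret1"), ("O'Brien", "secret2")])
    return conn

def build_vulnerable_query(username, password):
    # Vulnerable pattern: user input is pasted into the SQL text, so a single
    # quote in the input is read by the database as the end of the literal.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    sql = build_vulnerable_query(username, password)
    try:
        return conn.execute(sql).fetchone()[0] == 1
    except sqlite3.OperationalError:
        # The quote changed the statement's structure: the database treated
        # it as a boundary, not as part of the username. Returning None marks
        # that the statement no longer meant what the developer intended.
        return None

def login_safe(conn, username, password):
    # Hardened form: a parameterized query. The SQL text is fixed at
    # development time and the values are bound separately, so a quote in
    # the input is only ever data and can never become SQL syntax.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1

# Defense in depth: an allowlist for usernames (assumed policy for this
# example). This filters obviously malformed input early; parameterization
# above is what actually prevents injection.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def username_is_valid(username):
    return USERNAME_RE.fullmatch(username) is not None
```

Running `login_vulnerable` with the username `O'Brien` fails with a syntax error because the apostrophe terminates the string literal, which is exactly the boundary behaviour described above, while `login_safe` accepts the same username as ordinary data.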
Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA, is a senior manager with Deloitte's Forensic & Dispute Services practice in Montreal, Canada.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.