It’s a shame but not many website owners or for that matter, web developers are familiar with what SQL Injection is and just why it’s something they need to worry about. I’m noticing through various forums, friends, etc an increased number of sites being exploited for Cross Site Scripting through SQL Injection. Most blog readers are going to say “HUH? Cross Eyed Scripting? What Injection?”
Yes this is a bad bad thing.
UPDATE: Moments after posting this blog post I found a blog post about the United Nations Events page being marked as malware through SQL Injection
Learning more about SQL Injection
I’m not going to rehash all the gory details on SQL Injection but instead recommend you read the following references:
A great article on SQL Injection by Paul Litwin (he’s a programming superhero)
ScottGu’s Blog: Tip/Trick: Guard Against SQL Injection Attacks
Michael Sutton’s Blog: How Prevalent are SQL Injection Vulnerabilities?
These articles all have links to other great articles and you’ll learn more than you ever wanted to know about SQL Injection
How do I know if I’m vulnerable to SQL Injection
The problem with SQL Injection is so many people out there are using scripts that they not only don’t know if they’re vulnerable but they don’t know how to fix it. So step #1 is to find out if you’re vulnerable and here’s my recommendations for that:
#1 ScanAlert.com – If you’re hosted at AppliedI.net they’ll provide you a year of quarterly scans for free and then reduced renewal. They also have a service called HackerSafe that does daily scans of your site and I highly recommend you use a service like this as they’ll really dig through your site and alert you that you’re vulnerable before it’s too late.
#2 Secunia.com – They provide a great resource cataloging vulnerable sites and providing frequent updates as new vulnerabilities are discovered. If you’re using any 3rd party applications (freeware, opensource, commercial, anything) I recommend you punch it in and take a look. For a quick reference, here’s a graphic representation of vulnerabilities in OSCommerce
And here’s one for all the Anti-Windows Hosting people.. Here’s all the vulnerabilities found in IIS6 since 2003 to today (there was one released just recently) there’s been 5 and all are either patched or workarounds provided:
Here’s the same graphic for Apache 2.0.X, there’s been 35 and looks like some are still unpatched or only partially fixed:
From the Secunia Site you can get more information on security holes and the impact they have. BTW, I did a quick search on advisories for SQL Injection, there were 2072 returned results. Yes, it’s a problem.
#3 Use another security scanner like Nessus, Acunetix, Elanize’s Web Security Scanner, etc.
How do I protect my site from SQL Injection?
So the big question is how do I protect my site from SQL Injection? The answer: YOU FIX YOUR CODE! The problem is not all website operators are website developers and they don’t know how to fix their site or they don’t have the resources (money, experience, etc) to fix their site. What are they to do? THEY HAVE TO FIX THEIR CODE! If you can’t fix it, I recommend you find a replacement application that’s not susceptible for SQL Injection. If you can’t find a replacement application and can’t fix your code here’s a few tips that might help but this really needs to be address at the application itself:
IIS 6 SQL Injection Sanitation ISAPI Wildcard – It’s an ISAPI filter that intercepts all requests and cleans out the dirty SQL injection code.
Port 80’s Server Defender – It protects against a lot more than just SQL injection and is billed as a Web application firewall.
A little ASP Script for cleaning inputs that you can incorporate into your application.
A little guidance from MSDN.
And numerous other resources out there for your review.
I don’t know why I always have a conclusion but you have to close your article somehow. In conclusion, I hope you spend some time and read a few of the articles linked to in this blog post. You’ll learn more about SQL Injection and hopefully avoid being compromised by it.