SQL Injection attacks and what you can do

It’s a shame, but not many website owners or, for that matter, web developers are familiar with what SQL Injection is and just why it’s something they need to worry about. I’m noticing through various forums, friends, etc. an increased number of sites being exploited for Cross Site Scripting through SQL Injection. Most blog readers are going to say “HUH? Cross Eyed Scripting? What Injection?”

Here’s what I’m talking about: a hacker will come to your website and use SQL injection to gain access to your database so he can then run SQL queries against your database directly. Not only will he have full read access to your database contents (if it’s an e-commerce site you are encrypting your customer information, right?), but he’ll also be able to modify your database and place his own code in there. What you might find is some iframe HTML code that’s calling some JavaScript file (www.domain.com/hackerscript.js), trying to make that load in your site instead of your actual content. Then some website visitor comes to your site and their browser attempts to run this JavaScript, which downloads and installs a Trojan on their computer. Now not only is your site hacked, but you’re spreading malware all over the Internet, and if you don’t do something about it soon, you’re going to get flagged by Google and the other search engines.

Yes this is a bad bad thing.

UPDATE: Moments after posting this blog post I found a blog post about the United Nations Events page being marked as malware through SQL Injection.
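To check whether the kind of tampering described above has already happened, you can scan the text stored in your database for script or iframe tags that load from hosts you don't recognize. This is an added example, not code from the original post; it uses Python with an in-memory SQLite database, and the table, sample rows and allowed host are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts/frames from (assumed for the example).
ALLOWED_HOSTS = {"www.example-shop.test"}

# Captures the tag name and src URL of <script src=...> / <iframe src=...>.
TAG_RE = re.compile(
    r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE
)

def find_injected_markup(conn):
    """Return (table, column, rowid, tag, url) for each off-site script/iframe in stored text."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for table in tables:
        # Table names come from the schema itself, not from user input.
        cur = conn.execute(f'SELECT rowid, * FROM "{table}" ORDER BY rowid')
        columns = [d[0] for d in cur.description][1:]
        for row in cur:
            for column, value in zip(columns, row[1:]):
                if not isinstance(value, str):
                    continue
                for tag, url in TAG_RE.findall(value):
                    host = urlparse(url).hostname  # None for relative (same-site) URLs
                    if host and host.lower() not in ALLOWED_HOSTS:
                        hits.append((table, column, row[0], tag.lower(), url))
    return hits

def build_sample_db():
    """Constructed sample data: clean rows plus one row carrying an off-site script tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Blue widget", "A sturdy widget. <b>On sale</b>"),
        (2, "Red widget", 'Great value<script src="http://www.domain.com/hackerscript.js"></script>'),
        (3, "Green widget", '<script src="/js/zoom.js"></script>Zoomable photo'),
        (4, "Gift card", '<iframe src="https://www.example-shop.test/card-preview"></iframe>'),
    ])
    return conn

if __name__ == "__main__":
    for hit in find_injected_markup(build_sample_db()):
        print(hit)
```

A hit tells you which row to clean up, but the hole that let the content in still has to be closed in the application.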

Learning more about SQL Injection

I’m not going to rehash all the gory details on SQL Injection but instead recommend you read the following references:

A great article on SQL Injection by Paul Litwin (he’s a programming superhero)

Neil Carpenter’s Blog articles on:  Anatomy of a SQL Injection Incident Part 1, and Part 2,  and SQL Injection a Comment.

ScottGu’s Blog: Tip/Trick: Guard Against SQL Injection Attacks

Michael Sutton’s Blog: How Prevalent are SQL Injection Vulnerabilities?

These articles all have links to other great articles and you’ll learn more than you ever wanted to know about SQL Injection.

How do I know if I’m vulnerable to SQL Injection

The problem with SQL Injection is that so many people out there are using scripts and not only don’t know if they’re vulnerable, they also don’t know how to fix it. So step #1 is to find out if you’re vulnerable, and here are my recommendations for that:

#1 ScanAlert.com – If you’re hosted at AppliedI.net they’ll provide you a year of quarterly scans for free and then reduced renewal. They also have a service called HackerSafe that does daily scans of your site and I highly recommend you use a service like this as they’ll really dig through your site and alert you that you’re vulnerable before it’s too late.

#2 Secunia.com – They provide a great resource cataloging vulnerable sites and providing frequent updates as new vulnerabilities are discovered. If you’re using any 3rd party applications (freeware, opensource, commercial, anything) I recommend you punch it in and take a look. For a quick reference, here’s a graphic representation of vulnerabilities in OSCommerce.

And here’s one for all the Anti-Windows Hosting people. Here are all the vulnerabilities found in IIS6 from 2003 to today (there was one released just recently): there have been 5, and all are either patched or have workarounds provided.

Here’s the same graphic for Apache 2.0.X: there have been 35, and it looks like some are still unpatched or only partially fixed.

From the Secunia Site you can get more information on security holes and the impact they have. BTW, I did a quick search on advisories for SQL Injection, there were 2072 returned results. Yes, it’s a problem.

#3 Use another security scanner like Nessus, Acunetix, Elanize’s Web Security Scanner, etc.

How do I protect my site from SQL Injection?

So the big question is how do I protect my site from SQL Injection? The answer: YOU FIX YOUR CODE! The problem is not all website operators are website developers, and they don’t know how to fix their site or they don’t have the resources (money, experience, etc.) to fix their site. What are they to do? THEY HAVE TO FIX THEIR CODE! If you can’t fix it, I recommend you find a replacement application that’s not susceptible to SQL Injection. If you can’t find a replacement application and can’t fix your code, here are a few tips that might help, but this really needs to be addressed at the application itself:

IIS 6 SQL Injection Sanitation ISAPI Wildcard – It’s an ISAPI filter that intercepts all requests and cleans out the dirty SQL injection code.

Port 80’s Server Defender – It protects against a lot more than just SQL injection and is billed as a Web application firewall.

A little ASP Script for cleaning inputs that you can incorporate into your application.

A little guidance from MSDN.

And numerous other resources out there for your review.
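Fixing the code, as called for above, usually means replacing queries built by string concatenation with parameterized ones. This is an added example, not code from the original post: it uses Python with sqlite3 standing in for the site's own stack, and the table, function names and test input are constructed. It also shows the allow-list needed for column names, which parameters cannot carry and which goes slightly beyond what the post covers.

```python
import sqlite3

def build_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.test", "1111"),
        (2, "bob@example.test", "2222"),
        (3, "carol@example.test", "3333"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # BEFORE: user input is pasted into the SQL text, so quotes in it change the query.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, email):
    # AFTER: the ? placeholder sends the value separately; it is only ever compared as data.
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Column names cannot be bound as parameters, so map user choices onto a fixed list.
SORTABLE = {"id": "id", "email": "email"}

def list_sorted(conn, sort_key):
    column = SORTABLE.get(sort_key)
    if column is None:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT id, email FROM customers ORDER BY {column}").fetchall()

# Constructed test input: a quote closes the string literal and adds an always-true condition.
CRAFTED = "nobody@example.test' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup returned", len(lookup_vulnerable(db, CRAFTED)), "rows")
    print("fixed lookup returned", len(lookup_fixed(db, CRAFTED)), "rows")
    print("normal lookup:", lookup_fixed(db, "bob@example.test"))
```

Running the same crafted input through both functions in your own test suite is a quick regression check that a query has really been converted.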

Conclusion

I don’t know why I always have a conclusion but you have to close your article somehow. In conclusion, I hope you spend some time and read a few of the articles linked to in this blog post. You’ll learn more about SQL Injection and hopefully avoid being compromised by it.
