SQL injection attacks still enable breaches, all these years later


An indictment unsealed in Newark, N.J. last week listed SQL injection as the network infiltration method for 12 of 17 corporations that were fleeced of roughly 160 million credit card numbers in a seven-year-long hacking campaign that ended last year.

The attack method has been on the radar of security pros for more than 15 years, yet organizations still are struggling mightily with shoring up their code defenses. 

But what is SQL injection and why is it still such a powerful attack method for hackers? 

SQL stands for structured query language, the language used to query and manage data in relational databases. SQL injection typically involves an attacker entering SQL syntax into an input field so that the application's database executes it as part of its own query, which can, for example, grant illicit access to a credit card database.

“In a nutshell, it's about breaking out of the data context and entering the query context,” software architect Troy Hunt wrote in a recent post on his website. Hunt has written several reports on injection-based attacks and always emphasizes the severe, potentially reputation-damaging, effects the attacks have on organizations.  

A successful SQL injection exploit can read sensitive data from a database, modify that data, execute administration operations on a database or, in some cases, issue commands to an operating system, according to the Open Web Application Security Project (OWASP).

WhiteHat Security founder Jeremiah Grossman and Bill Curtis, senior vice president and chief scientist with software analysis and measurement firm CAST, both told SCMagazine.com that penetration testing should be a mandatory quality assurance practice.

Curtis said corporations must not rush the writing of code for their go-to services, noting that businesses save little time by doing so anyway since 40 percent of programming effort is rework, and added that automated tooling has advanced to the point of greatly helping to sniff out vulnerabilities.

“There's more than 600 million active websites and we're still cleaning up [poorly written] code from six years ago,” Grossman said, adding that this is due, in part, to companies still spending too many security dollars on perimeter-focused technologies, like anti-virus and firewalls.

Curtis additionally expressed concerns over an increasing demand for programmers. He said many inadequately trained programmers are being hired despite having received little education and added that appropriate training should be mandatory for every IT or computer science degree.

The tide eventually will turn, Grossman said.

“SQL injection will never go away entirely, but in a few years it'll be a footnote,” he said, adding hackers will likely turn to attacking mobile devices as defenses improve on the home computing front.

The OWASP website offers some of the best defenses against SQL injection. The first is to use parameterized queries instead of dynamically built queries, so that user input cannot change the intent of the query. The second is to use stored procedures, which require developers to define the SQL code first and pass parameters to it afterward.

“Each parameter that comes from a client has to be evaluated and protected so that it cannot potentially inject any SQL,” David Topping, vice president of global marketing with security provider Brainloop, told SCMagazine.com. “Having this as a central method that cannot be circumvented protects the application best and avoids someone having to protect each new function individually.”
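The following is an added example, not code from the article or from OWASP, illustrating the two points above: Hunt's "data context versus query context" distinction and the parameterized query that OWASP recommends as a central defense. It uses Python's built-in sqlite3 module against a constructed in-memory table with made-up values; the table and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the article's "credit card
# database"; the values are made up and are not real card numbers.
SAMPLE_ROWS = [("alice@example.test", "1111"), ("bob@example.test", "2222")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_dynamic(conn, email):
    """Vulnerable form: the client value is spliced into the SQL text. A quote
    in the input terminates the string literal, so whatever follows is parsed
    as SQL (the data context becomes the query context)."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the query text is fixed before the value is seen. The
    driver binds the value as one string, so it can only be compared against
    the column, never parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email):
    """Run one input through both forms; returns (dynamic, parameterized),
    where dynamic is the result rows or the exception the database raised."""
    conn = make_db()
    try:
        dynamic = lookup_dynamic(conn, email)
    except sqlite3.Error as exc:
        dynamic = exc
    return dynamic, lookup_parameterized(conn, email)


if __name__ == "__main__":
    # A legitimate e-mail containing an apostrophe already breaks the dynamic
    # form with a syntax error; the parameterized form simply finds no match.
    print(compare("o'brien@example.test"))
    # The textbook tautology changes the query's intent: the dynamic form
    # returns every row, the parameterized form compares the whole string as
    # an e-mail address and returns nothing.
    print(compare("' OR '1'='1"))
```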
