DeMISTIfying Infosec: SQL Injection

August 1, 2016

“SQL” is an acronym for “Structured Query Language,” a special-purpose programming language for managing data in a relational database. SQL injection occurs when an application builds a query by concatenating untrusted input into the SQL text, so that characters in an attacker's input are parsed as part of the command rather than as data. The results might include:

  • Attacker-supplied SQL commands executed by the database
  • Authentication bypass and/or privilege escalation
  • Data leaks, modification or deletion
  • Unauthorized access, up to administrative rights or root privilege on the database host

SQL injection is considered a major risk to organizations because of how frequently, and how easily, these attacks are executed. Readily available automated scanners let attackers find injectable inputs without any manual intervention, and delivering the malicious payload can be automated as well. OWASP includes injection, with SQL injection as its most common form, among the entries of its periodically published Top Ten list of web application security risks.

Because application code is written by people and therefore prone to error, security teams can reduce the risk with prevention methods such as:

  • Parameterized queries (prepared statements), so that user input is never concatenated into SQL text, backed by strong input validation
  • A web application firewall
  • Web application scanners run against the organization's own applications
  • Timely patching of systems and networks
  • Least privilege for administrative accounts
  • A dedicated, minimally privileged database account for each application, so that a compromised application cannot read or alter other applications' data
  • Penetration testing of web applications
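The following is an added example, not code from the original article or from OWASP, illustrating both the attack described above and the first prevention item: a login check built by string concatenation, the same check rewritten with a parameterized query, a concatenated search that leaks a whole column via UNION, and an allow-list validator. The table, column, user and password names are constructed for illustration, and the data lives in an in-memory SQLite database so the script runs offline.

```python
"""Added example (not from the original article): SQL injection against a
concatenated query, the parameterized fix, and allow-list validation.
All table, column, user and password names are constructed for illustration."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Untrusted input is spliced into the SQL text, so a quote or a '--'
    comment marker in the input changes the structure of the query.
    Returns the role of the first matching row, or None."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Placeholders: the driver hands the values to the database separately
    from the query text, so input can never be parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def users_with_role_vulnerable(conn: sqlite3.Connection, role: str) -> set:
    """Same concatenation bug in a search endpoint: an attacker can UNION
    in any other column, here the password column, and read it back."""
    query = "SELECT username FROM users WHERE role = '" + role + "'"
    return {row[0] for row in conn.execute(query)}


def users_with_role_parameterized(conn: sqlite3.Connection, role: str) -> set:
    """Parameterized version of the same search."""
    return {row[0] for row in conn.execute(
        "SELECT username FROM users WHERE role = ?", (role,))}


# Allow-list validation: defence in depth on top of placeholders, not a
# substitute for them. Pattern chosen for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(username: str) -> bool:
    """True only for identifiers made of word characters; rejects quotes,
    spaces, comment markers and anything else an injection payload needs."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    # Comment marker truncates the password check: logs in as alice.
    print(login_vulnerable(db, "alice'--", "wrong"))             # admin
    # Tautology in the password field: matches every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))        # admin
    # Same inputs against the parameterized query: no match.
    print(login_parameterized(db, "alice'--", "wrong"))          # None
    print(login_parameterized(db, "alice", "correct horse"))     # admin
    # UNION-based data leak through the search endpoint.
    print(users_with_role_vulnerable(
        db, "user' UNION SELECT password FROM users--"))
    print(valid_username("alice'--"))                            # False
```

The two `login_*` functions run the same logical check; only the way the input reaches the database differs. Note that input validation alone would not have saved the search endpoint if a legitimate value could ever contain a quote, which is why placeholders come first in the list above and validation second.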

Below is an example taken from https://www.owasp.org/index.php/SQL_Injection (the original figure is not reproduced here):

Source: OWASP
