The IT security world found out about SQL injection at about the same time as the software world was caught up in Y2K.
Because the Y2K problem got solved so effectively, many folks believe the whole Y2K scare was nonsense to begin with. The truth is that software development shops did step up and perform heroics to rescue legacy systems from death by two-digit dating systems. They located the flaws in old code and either fixed them or found ways to work around the problems.
How then has this same industry of software developers failed to put a solution in place for the SQL Injection vulnerabilities that have led to history's largest data breaches?
Or maybe it is not just the software industry to blame. Many software vulnerabilities have been fixed, patches and updates have been released, and secure configuration settings have been offered.
Are all the webmasters and site and database administrators out there paying attention?
When I think about what is really allowing SQL injection to remain so successful, four factors come to mind.
- It is just so easy. Take a few minutes with Google searching for “guide to SQL injection” or “SQL injection how-to,” and you'll find a massive amount of detailed information on how such attacks work, along with lots and lots of examples. SQL injection becomes no more than a cut-and-paste job.
Change your search string to “SQL injection scanner,” and you'll quickly find your way to a myriad of free tools that you can download, then easily point at any website and pinpoint vulnerabilities. With the number of vulnerabilities that we believe are out there, there is almost no limit to the number of easy targets on the internet today.
- Organizations don't expeditiously apply security patches to their applications or databases. By running old code, organizations expose themselves to attack by leaving known vulnerabilities in their internet-facing applications or the databases that support them. These known vulnerabilities are typically well documented on the internet, complete with exploit code. If an attacker finds a system running unpatched software, it is a trivial exercise to download malware and hack their way in. Misconfigurations can also leave a system exposed to attackers.
By and large, organizations aren't doing a great job locking down their databases, web servers or middleware. For example, the reason April's “Liza Moon” SQL injection attack was so widely successful was because ASP and ASP.NET server administrators had disabled input validation security features in their systems. With security effectively turned off, attacks became easy. Then an access control misconfiguration in the databases hosting these websites allowed the attackers to use the SQL iInjection vulnerability to write redirect scripts into the databases, exposing unknown masses of people to a well-executed rogue anti-virus scam.
- Software developers continue to create vulnerable applications, and IT teams put them into production. Lack of awareness and education around secure coding practices, combined with a perception that building secure software takes longer and costs more was how SQL injection came to be in the first place. This continues today.
Groups such as OWASP have published excellent educational materials on how to code securely and cost justify the investment in secure coding practices. The group has made tremendous headway, but everyone in the software world needs to pay attention for the problem to stop growing.
- Web application firewalls (WAF) have been broadly deployed as a once-and-for-all solution to SQL injection. While a WAF can be an effective component of a layered defense strategy, it is by no means impenetrable. Most WAFs require a tremendous amount of expert configuration and tuning before they provide much effective protection. If a WAF hasn't been configured to know about a specific vulnerability, it is unlikely to be effective preventing an exploit.
On top of the exposures created by poorly configured WAFs are the evasion techniques attackers have developed to bypass WAFs entirely. Dozens of evasion techniques have been documented with more popping up regularly, and it all comes right up when you search the internet for “WAF evasion."
SQL injection can come in many forms, and can take the form of a sophisticated attack, but the vast majority of successful attacks don't need to go beyond the basics. We have the techniques and technologies at our disposal to put a stop to SQL injection. The IT world must get educated on the threat and become disciplined about ensuring that all components of an application stack are locked down and secure before deployment.
With hundreds of millions of records stolen in the last seven years, the time has come for the world to step up to the challenge and truly solve the SQL injection epidemic once and for all.