The SQL Injection Threat & Recent Retail Breaches

What is a SQL Injection Attack and How does it Work?

SQL injection is a type of database attack generally carried out by a cybercriminal through a web application. SQL injection attacks exploit a vulnerability in the way a database-connected application builds its SQL statements. In a SQL injection attack a SQL code fragment is entered (i.e. injected) into a field on a web page form, a URI stem, or a cookie value. Once processed by the vulnerable application, the result is a rogue SQL statement being dispatched to the database. The rogue SQL statement typically attempts to access, modify, or delete content stored in the database that the attacker is not authorized to access. In extreme cases a SQL injection attack can even gain control of the server on which the database resides, creating a far greater cybersecurity risk.

SQL injection is possible because the code fragments are dynamically inserted into an actual SQL query without proper sanitization or parameterization. Although SQL injection attacks have been documented since the late 1990s, this method of attack still accounts for a very large percentage of records breached each year. It has been estimated that over 20% of database-connected applications have at least one SQL injection vulnerability.

Highlights from The SQL Injection Threat & Recent Retail Breaches

  • 65% of respondents say continuous monitoring of the database network followed by advanced database activity monitoring are the best approaches to avoiding a mega data breach
  • 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16 percent believe an individual perpetrated the attack.
  • 53% of respondents believed SQL injection was used to steal sensitive and confidential information from the retailers.
  • 17% responded that victims of a data breach should be notified in less than a week and 34% responded in less than a month.

SQL Injection Attack Tutorial with Examples

Assume a Web application that displays a simple form with input fields for user name and password. With these credentials the user can access a list of all credit card accounts they hold with a bank. Further assume that the bank's application is vulnerable to a SQL injection attack.

It's relatively common for an application to take the input the user sends and place it directly into a SQL query constructed to check that user's credentials and return their accounts. In PHP, for example, the query string would be built something like this:

$query = "select accountName, accountNumber from creditCardAccounts where username='".$_POST["username"]."' and password='".$_POST["password"]."'";

Normally this works as intended when a user enters their own credentials, say johnSmith and myPassword, forming the query:

$query = "select accountName, accountNumber from creditCardAccounts where username='johnSmith' and password='myPassword'";

This query would return one or more accounts linked to John Smith.

Now consider an individual with devious intent. This person decides they want to see if they can access the account information of one or more of the bank's other customers. To accomplish this they enter the following fragment into the user name field of the form, with anything at all (say, anyThingsAtAll) as the password:

' or 1=1 -- 

When this SQL fragment is inserted into the SQL query by the application it becomes:

$query = "select accountName, accountNumber from creditCardAccounts where username='' or 1=1 -- ' and password='anyThingsAtAll'";

The purpose of the injected SQL fragment, ' or 1=1 --, is twofold. First, the or 1=1 makes the WHERE condition true for every row in the table; second, the -- turns the rest of the statement, including the password check, into a comment that is ignored at run time. As a result all the credit card accounts in the database, up to the limit the Web page will list, are returned and the attacker has stolen the valuable information they were seeking.

The above example is just one of countless variations that could be used to accomplish the same style of SQL injection attack.
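The following is an added example, not code from the original article or its publisher, that reproduces the tutorial's lookup in Python against an in-memory SQLite table so the two query styles can be compared side by side: the string-concatenated query mirrors the PHP above, and the parameterized query is the hardened form in which the SQL text is fixed and the user input is bound as data. The table, rows, user names and passwords are constructed for the example (passwords are stored in plaintext only to mirror the article's query; a real system would store password hashes).

```python
import sqlite3

# Constructed sample rows standing in for the bank's creditCardAccounts table.
SAMPLE_ROWS = [
    ("johnSmith", "myPassword", "John Smith Visa", "4111-xxxx-xxxx-0001"),
    ("janeDoe", "otherPass", "Jane Doe Mastercard", "5500-xxxx-xxxx-0002"),
    ("bobLee", "bobsPass", "Bob Lee Amex", "3400-xxxx-xxxx-0003"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table creditCardAccounts("
        "username text, password text, accountName text, accountNumber text)"
    )
    conn.executemany("insert into creditCardAccounts values (?,?,?,?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Mirrors the article's PHP: user input is concatenated into the SQL text,
    so a quote and a comment sequence in the input rewrite the statement."""
    query = (
        "select accountName, accountNumber from creditCardAccounts "
        "where username='" + username + "' and password='" + password + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username, password):
    """Hardened form: the SQL text never changes; the inputs travel to the
    database as bound parameters and are compared as plain values."""
    query = (
        "select accountName, accountNumber from creditCardAccounts "
        "where username=? and password=?"
    )
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected_username = "' or 1=1 -- "
    print("legitimate login:", lookup_vulnerable(db, "johnSmith", "myPassword"))
    print("concatenated query, injected input:",
          len(lookup_vulnerable(db, injected_username, "anyThingsAtAll")), "rows")
    print("parameterized query, same input:",
          lookup_parameterized(db, injected_username, "anyThingsAtAll"))
```

With the concatenated query the injected user name returns every row in the table, exactly as the tutorial describes; with the bound parameters the same input is simply a user name that does not exist and no rows come back. In PHP the equivalent of the hardened function is a prepared statement with bound parameters (PDO::prepare followed by execute with the values as an array).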

SQL Injection Prevention

There is no single mechanism that truly offers strong SQL injection protection. Mounting a viable defense against SQL injection requires a comprehensive defense-in-depth strategy. This includes the following:

  • Deploy Continuous Monitoring
  • Enforce Coding Best Practices
  • Baseline Database Infrastructure
  • Disable Unnecessary Database Capabilities
  • Enforce Least Privileges
  • Apply Patches Regularly
  • Conduct Penetration Testing
  • Deploy Perimeter Security
  • Suppress Error Messages
  • Enforce Password Policies

Parameterized queries, perimeter security devices, and database activity monitoring (DAM) tools can collectively reduce your risk. However, protecting your databases against SQL injection attacks requires a defense-in-depth strategy that also includes continuous monitoring.
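As an added illustration of two items on the list above, "Baseline Database Infrastructure" and "Deploy Continuous Monitoring", here is a small Python monitor (example code, not a product or code from the article's publisher). It normalizes each logged query into a shape by replacing string and numeric literals with ?, compares that shape against a baseline of the query shapes the application is known to issue, and additionally flags inline comment sequences and a tautology after OR, the two ingredients of the tutorial's payload. The log format (timestamp, database user, query text) and the log lines themselves are constructed for the example.

```python
import re

# Constructed query log, one line per statement as a database activity monitor
# might record it: "<timestamp> <db user> <sql text>".
SAMPLE_QUERY_LOG = [
    "2024-03-01T10:00:01 app_user select accountName, accountNumber from creditCardAccounts where username='johnSmith' and password='myPassword'",
    "2024-03-01T10:00:05 app_user select accountName, accountNumber from creditCardAccounts where username='janeDoe' and password='otherPass'",
    "2024-03-01T10:00:09 app_user select accountName, accountNumber from creditCardAccounts where username='' or 1=1 -- ' and password='anyThingsAtAll'",
    "2024-03-01T10:00:12 app_user select * from sqlite_master",
]

# Baseline: the query shapes the application legitimately issues, recorded
# during a known-good period with literals replaced by ?.
BASELINE = {
    "select accountname, accountnumber from creditcardaccounts where username=? and password=?",
}

# A single-quoted string (with '' as an escaped quote) or a bare number.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def normalize(sql):
    """Reduce a statement to its shape: literals become ?, whitespace collapses,
    case is folded, so statements differing only in data compare equal."""
    shape = LITERAL.sub("?", sql)
    return re.sub(r"\s+", " ", shape).strip().lower()


def parse_line(line):
    """Split a constructed log line into (timestamp, db user, sql)."""
    ts, user, sql = line.split(" ", 2)
    return ts, user, sql


def analyze(line):
    """Return a finding dict for one log line; 'reasons' is empty when clean."""
    ts, user, sql = parse_line(line)
    shape = normalize(sql)
    reasons = []
    if shape not in BASELINE:
        reasons.append("query shape not in baseline")
    if "--" in sql or "/*" in sql:
        reasons.append("inline comment sequence")
    if re.search(r"\bor\s+\?=\?", shape):
        reasons.append("tautology after OR")
    return {"ts": ts, "user": user, "shape": shape, "reasons": reasons}


def scan(lines):
    """Analyze every line and keep only those with at least one reason."""
    return [r for r in (analyze(line) for line in lines) if r["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_QUERY_LOG):
        print(hit["ts"], hit["user"], "->", "; ".join(hit["reasons"]))
        print("   shape:", hit["shape"])
```

Run over the sample log, the two legitimate logins normalize to the baseline shape and produce nothing, the injected login is reported with all three reasons, and the final statement is reported only because its shape is absent from the baseline, which is the point of baselining: it surfaces any statement the application was never expected to issue, not just the patterns a signature happens to know.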