The SQL Injection Threat & Recent Retail Breaches

What is a SQL Injection Attack and How does it Work?

SQL injection is a database attack typically executed through a web application. It exploits a flaw in the way an application connected to a database builds its SQL statements. In a SQL injection attack a fragment of SQL code is entered (i.e. injected) into a data field on a web page or directly into the URL; less commonly, SQL has also been injected through the cookie values sent with a web request. If the vulnerable application processes the data field containing the injected SQL, the result is a rogue SQL statement dispatched to the database. Rogue SQL statements may attempt to read, modify, or delete content stored in the database that the attacker is not authorized to access. In extreme cases a SQL injection attack can gain control of the server on which the database resides, an even greater security threat.

SQL injection is possible because user-supplied fragments are spliced into an actual SQL query without proper sanitization or parameterization. Although SQL injection attacks have been documented since the late 1990s, this method of attack still accounts for a very large percentage of records breached each year. It has been estimated that over 20% of database-connected applications have at least one SQL injection vulnerability.


Highlights from The SQL Injection Threat & Recent Retail Breaches

  • 65% of respondents say continuous monitoring of the database network followed by advanced database activity monitoring are the best approaches to avoiding a mega data breach
  • 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16 percent believe an individual perpetrated the attack.
  • 53% of respondents believed SQL injection was used to steal sensitive and confidential information from the retailers.
  • 17% responded that victims of a data breach should be notified in less than a week, and 34% responded in less than a month.

SQL Injection Attack Tutorial with Examples

Assume a Web application that displays a simple form with input fields for user name and password. With these credentials the user can access a list of all credit card accounts they hold with a bank. Further assume that the bank's application is vulnerable to a SQL injection attack.

It is relatively common for an application to take the input the user sends and place it directly into the SQL query that retrieves that user's records. In PHP, for example, the query string would be built something like this:

$query = "select accountName, accountNumber from creditCardAccounts where username='" . $_POST["username"] . "' and password='" . $_POST["password"] . "'";

Normally this works as intended: a user enters their credentials, say johnSmith and myPassword, and the application forms the query:

$query = "select accountName, accountNumber from creditCardAccounts where username='johnSmith' and password='myPassword'";

This query would return one or more accounts linked to John Smith.
Now consider an individual with devious intent. This person wants to see whether they can access the account information of one or more of the bank's other customers. To do so they enter the following in the user name field, with any value at all (here anyThingsAtAll) in the password field:

' or 1=1 --

When the application inserts this input into the SQL query it becomes:

$query = "select accountName, accountNumber from creditCardAccounts where username='' or 1=1 -- ' and password='anyThingsAtAll'";

The injected SQL fragment, ' or 1=1 --, does two things. First, the or 1=1 makes the where clause true for every row of the table; second, the -- starts a comment, so the rest of the statement, including the password check, is ignored at run time. As a result all the credit card accounts in the database, up to the limit the Web page will list, are returned, and the attacker has stolen the valuable information they were seeking.

The above example is just one of an essentially unlimited number of variations that accomplish the same style of SQL injection attack.
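To make the mechanics concrete, here is an added Python example (not code from the original article) that reproduces the PHP snippet's string concatenation against a small in-memory SQLite table and places the parameterized form beside it. The table contents, the INJECTED_USERNAME constant and the two lookup function names are constructed for this example; the plaintext password column is kept only to mirror the article's scenario.

```python
import sqlite3

# Constructed sample data standing in for the bank's creditCardAccounts table
# in the article; the names, passwords and account numbers are made up.
SAMPLE_ROWS = [
    ("johnSmith", "myPassword", "John Smith Visa", "4111-0001"),
    ("janeDoe", "s3cret", "Jane Doe Mastercard", "5500-0002"),
    ("bobLee", "hunter2", "Bob Lee Amex", "3400-0003"),
]

# The user-name value from the article's example; the password can be anything.
INJECTED_USERNAME = "' or 1=1 -- "


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table creditCardAccounts "
        "(username text, password text, accountName text, accountNumber text)"
    )
    conn.executemany(
        "insert into creditCardAccounts values (?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Build the query by string concatenation, as the PHP snippet above does.

    Whatever the user typed becomes part of the SQL text, so a quote character
    ends the literal and the remainder of the input is parsed as SQL.
    """
    query = (
        "select accountName, accountNumber from creditCardAccounts "
        "where username='" + username + "' and password='" + password + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Send the SQL text and the values separately (a parameterized query).

    The driver binds the values as data, so quote characters and '--' inside
    them are compared against the column contents, never parsed as SQL.
    """
    query = (
        "select accountName, accountNumber from creditCardAccounts "
        "where username=? and password=?"
    )
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("legitimate login :", lookup_vulnerable(db, "johnSmith", "myPassword"))
    print("injected, concat :", lookup_vulnerable(db, INJECTED_USERNAME, "anyThingsAtAll"))
    print("injected, bound  :", lookup_parameterized(db, INJECTED_USERNAME, "anyThingsAtAll"))
```

Run stand-alone, the concatenated query returns every row in the table for the injected user name, while the parameterized query returns nothing because no row has a user name equal to the literal string ' or 1=1 -- . The same contrast holds for the PHP original: PDO prepared statements with bound parameters replace the concatenation shown above.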


SQL Injection Prevention

There is no single mechanism that offers strong SQL injection protection on its own. Mounting a viable defense against SQL injection requires a comprehensive defense-in-depth strategy, including the following:

  • Deploy Continuous Monitoring
  • Enforce Coding Best Practices
  • Baseline Database Infrastructure
  • Disable Unnecessary Database Capabilities
  • Enforce Least Privileges
  • Apply Patches Regularly
  • Conduct Penetration Testing
  • Deploy Perimeter Security
  • Suppress Error Messages
  • Enforce Password Policies

Parameterized queries, perimeter security devices, and database activity monitoring (DAM) products can collectively reduce your risk. However, protecting your databases against SQL injection attacks requires a defense-in-depth strategy that also includes continuous monitoring.
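The "Baseline Database Infrastructure" and "Deploy Continuous Monitoring" items above are easier to picture with a small worked example. The following Python is added here and is not code from the article or from any DAM product: it learns the shapes of statements seen during a clean period, then flags any logged statement whose shape is new. The log format (a timestamp followed by the statement text), the sample statements and the function names are all assumptions made for the example; the third log line carries the injected user name from the tutorial.

```python
import re

# Patterns that strip the parts of a statement which legitimately vary
# between requests, so statements differing only in their literal values
# collapse to one template.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WHITESPACE = re.compile(r"\s+")


def normalize(sql: str) -> str:
    """Reduce a SQL statement to its shape: literals become '?', case and spacing fold."""
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return _WHITESPACE.sub(" ", shape).strip().lower()


def build_baseline(learning_period_queries):
    """Record every statement shape observed while the application runs normally."""
    return {normalize(q) for q in learning_period_queries}


def flag_unseen(baseline, log_lines):
    """Return (timestamp, statement) for each logged statement whose shape is not in the baseline."""
    flagged = []
    for line in log_lines:
        timestamp, _, statement = line.partition(" ")
        if normalize(statement) not in baseline:
            flagged.append((timestamp, statement))
    return flagged


# Constructed statements captured during a clean learning period.
LEARNING_PERIOD = [
    "select accountName, accountNumber from creditCardAccounts where username='johnSmith' and password='myPassword'",
    "select accountName, accountNumber from creditCardAccounts where username='janeDoe' and password='s3cret'",
    "update creditCardAccounts set password='newPass' where username='bobLee'",
]

# Constructed log lines in the assumed "<timestamp> <statement>" format.
# An injected quote breaks the literal structure of the third line, so its
# shape differs from every template learned above.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z select accountName, accountNumber from creditCardAccounts where username='bobLee' and password='hunter2'",
    "2024-01-01T10:00:05Z update creditCardAccounts set password='s3cret2' where username='janeDoe'",
    "2024-01-01T10:00:09Z select accountName, accountNumber from creditCardAccounts where username='' or 1=1 -- ' and password='anyThingsAtAll'",
    "2024-01-01T10:00:12Z select accountName, accountNumber from creditCardAccounts where username='janeDoe' and password='s3cret'",
]

BASELINE = build_baseline(LEARNING_PERIOD)

if __name__ == "__main__":
    for ts, stmt in flag_unseen(BASELINE, SAMPLE_LOG):
        print(f"{ts} unseen statement shape: {stmt}")
```

Two caveats a practitioner would want: the baseline is only as good as the learning period, so statements captured while an injection was already under way would be whitelisted, and regex normalization is an approximation of what a real DAM does with a full SQL parser plus application and user context. The example still shows the essential point: an injected statement has a different shape from every statement the application was written to issue, and that difference is detectable on the database side even when the application itself is never fixed.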