SQL Injection Attacks

Targeted Attacks

Hackers are using increasingly targeted attacks and very sophisticated techniques to gain access to mid-market companies. With financial motivation on the rise, hackers frequently turn to organizations where they expect to find fewer defensive measures, allowing them more rapid access to databases of accounts, passwords, email addresses, etc. Many mid-size organizations lack the expertise to take on an experienced hacker in hand-to-hand combat – especially when attacks frequently take less than three hours from start to compromise. SecureWorks monitors your network 24 hours a day, searching for suspicious activity, and has black-belt security analysts ready to shut down penetration attempts through rapid policy changes, ruleset updates, deployment of new signatures, cloaking techniques and direct counter-attacks.

"Any application that queries a database using user-entered data, including Windows Forms applications, is a potential target of an injection attack" – Paul Litwin, MSDN Magazine

Attackers target web applications because, by definition, web applications must be "exposed" to the Internet. And, more and more, web applications invite people to input information into forms that connect to servers sitting behind perimeter defenses such as firewalls and intrusion prevention. Systems that connect to these input fields are then vulnerable to an attack.

There are several types of targeted attacks that are on the rise including SQL injection, cross-site scripting, cookie tampering, directory traversal, and file inclusion. All of these attacks are directed at web-enabled applications. All of these attacks involve a criminal at the other end using a combination of expertise and automated tools to penetrate systems.

Here we will take a more detailed look at SQL Injection.

SQL Injection

SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL, pronounced "SEQUEL") code to a Web form input box to gain access to resources or make changes to data. Using this technique, hackers can determine the structure and location of primary databases and can download the database or compromise the database server. Keep in mind that the web form used to attack a company could be something as simple as a store locator that asks for an address in order to find the closest store.

Secure Your Web-based Applications

SQL Injection is successful only when the web application is not sufficiently secured. Web applications should use "input validation" for any form to ensure that only the type of input that is expected is accepted. Unfortunately, the majority of websites and web applications are not secure.

It is important to note that protecting against these attacks requires that you protect not only web applications but also the web server on which the web application is running, the database from which the web application is retrieving information and the operating systems upon which the web servers, applications and database reside.

Protecting yourself against SQL injection can be complicated, but here are a few good guidelines:

| Principle | Implementation |
|---|---|
| Never trust user input | Validate all textbox entries using validation controls, regular expressions, code, and so on |
| Never use dynamic SQL | Use parameterized SQL or stored procedures |
| Never connect to a database using an admin-level account | Use a limited access account to connect to the database |
| Don't store secrets in plain text | Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings |
| Exceptions should divulge minimal information | Don't reveal too much information in error messages; display minimal information in the event of unhandled error; set debug to false |

Source: MSDN
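The first two guidelines, applied to the store-locator form mentioned earlier, as an added example (not code from SecureWorks or MSDN). It uses Python's sqlite3 with an in-memory database; the table, columns, function names, sample rows and the crafted input are all constructed for illustration.

```python
import re
import sqlite3

ZIP_RE = re.compile(r"[0-9]{5}")   # assumption: the form expects a 5-digit ZIP code
CRAFTED = "' OR '1'='1"            # constructed input containing SQL syntax

def make_db():
    # Constructed sample data: two public stores and one internal-only row.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stores (name TEXT, zip TEXT, internal INTEGER)")
    db.executemany("INSERT INTO stores VALUES (?, ?, ?)", [
        ("Midtown", "30309", 0),
        ("Airport", "30337", 0),
        ("Warehouse", "30336", 1),
    ])
    return db

def find_stores_dynamic(db, zip_code):
    # "Before": dynamic SQL. The input becomes part of the statement text, so
    # quote characters in it can change the structure of the WHERE clause.
    sql = ("SELECT name FROM stores WHERE internal = 0 AND zip = '"
           + zip_code + "'")
    return [row[0] for row in db.execute(sql)]

def find_stores_safe(db, zip_code, validate=True):
    # "Never trust user input": accept only the expected shape.
    if validate and not ZIP_RE.fullmatch(zip_code):
        raise ValueError("ZIP code must be exactly five digits")
    # "Never use dynamic SQL": the statement text is fixed and the value is
    # bound as a parameter, so the driver always treats it as data.
    sql = "SELECT name FROM stores WHERE internal = 0 AND zip = ?"
    return [row[0] for row in db.execute(sql, (zip_code,))]

if __name__ == "__main__":
    db = make_db()
    print("dynamic, normal input :", find_stores_dynamic(db, "30309"))
    print("dynamic, crafted input:", find_stores_dynamic(db, CRAFTED))
    print("bound,   crafted input:", find_stores_safe(db, CRAFTED, validate=False))
    try:
        find_stores_safe(db, CRAFTED)
    except ValueError as exc:
        print("validated, crafted input rejected:", exc)
```

With the crafted input, the dynamic query returns every row, including the internal one, because the `internal = 0` filter is bypassed. The parameterized query returns nothing even with validation switched off, which is why the two controls are layered rather than treated as alternatives.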

Some good sources for learning more about web application and web server protection can be found at:

  1. The Top Ten Web Application Vulnerabilities, The Open Web Application Security Project (OWASP)
  2. MSDN, The Microsoft Journal of Developers Magazine Overview of SQL Injection

If you do not have the resources available to review and assess your web applications, there are many organizations that perform these services, including SecureWorks.
