What is an SQL injection vulnerability?
SQL injection vulnerabilities are security gaps in how an SQL statement is built, allowing a hacker to change the SQL text in a malicious way. There are many different kinds of these vulnerabilities, and hackers use different techniques to exploit them. Here are some of the most common methods hackers use to search for weak points in an SQL database:
- Time-based SQL injection: Hackers will often use a heavy query that generates a time delay on a webpage. Depending on how long it takes a server to respond to a tampered page, the hacker can determine if there are vulnerabilities to exploit.
- Error-based SQL injection: When a website application encounters an error, it will send the user an error message. Attackers can sometimes locate vulnerabilities based on the information provided in these messages.
- Out-of-band SQL injection vulnerability: Sometimes an attacker can retrieve info from a database via an independent channel. Attackers will send data directly from a database server to one of their own machines to create an out-of-band exploit.
- Boolean-based SQL injection: When an SQL query fails, sometimes parts of the web page disappear or the page won’t load. By comparing how the page responds to different inputs, an attacker can determine whether the entry field is vulnerable or not.
How can an SQL injection be prevented?
There are many SQL injection prevention techniques you can implement to keep your customers safe from incoming attacks. Here are the 10 best tips to block SQL injection:
- Penetration testing: To best stop an SQL injection, you must know which applications are vulnerable, and there’s no better way to do that than to launch a controlled attack to identify weaknesses. This can prove a bit trickier than regular penetration testing techniques since SQL is a complex language. To help, it’s advisable to run an automated SQL injection attack tool.
- Patch management: It can be easy for hackers to discover and exploit vulnerabilities in your customers’ applications and databases. Applying patches and updates at regular intervals is a good practice to implement if you want to keep a customer’s security tight and repair any weak points.
- Be cynical: Treat all data submitted by external users to your customers’ databases and websites as hostile. Then validate and sanitize that input as strictly as possible before it reaches a query.
- Trim website fat: To prevent a hacker from taking advantage of your customer’s database, get rid of any website or database functionalities that your customer doesn’t really need. Excessive bells and whistles on website applications just offer hackers more inputs to tamper with as they search for vulnerabilities.
- Don't use dynamic SQL: If it can be avoided, it’s best to have your customers use prepared statements, parameterized queries, or stored procedures on their website entry fields instead of dynamic SQL. This can limit vulnerabilities on inputs.
- Web application firewalls (WAF): When a patch hasn’t been developed yet or is taking too long to implement, a WAF will likely be your customer’s best bet. These are firewalls for HTTP applications that apply a set of rules to an HTTP conversation. They can be deployed as software or as appliances in front of the application to filter malicious requests. Be sure to set up WAFs for your customers with a comprehensive set of default rules and make it easy to add new ones whenever necessary.
- Isolate admin accounts: If you can, don't have customers’ applications connect to their databases with an administrator account unless they absolutely have to. If an attacker compromises the application’s database access but that account isn’t an admin account, they can only do so much damage.
- Hide Sensitivities: It’s best to assume that your customers’ applications are going to be breached at some point or another. To plan properly, encrypt passwords and other confidential data on the database. This can help isolate important assets when there are breaches.
- Limit Information: Hackers use the error messages a web page generates to map out the database structure and plan their exploits. These messages don’t need to be so forthcoming with information. In fact, it’s best that these messages offer the least insight possible.
- Stick to the Basics: Change database passwords regularly. This is an often-cited best practice, but it’s still easy to overlook this simple step.
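The following is an added example, not code from the original article, that puts three of the tips above side by side: the "Be cynical" input validation, the "Don't use dynamic SQL" parameterized query, and the "Limit Information" generic error handling. It assumes a small SQLite database in memory with constructed sample rows, and the username allowlist (letters, digits, underscore, 3 to 32 characters) is an assumed policy for this demo. The `find_user_dynamic` function is the vulnerable "before", kept only to show why concatenated SQL is dangerous; `find_user_parameterized` and `lookup_handler` are the hardened forms.

```python
import re
import sqlite3

# Constructed sample data for this demonstration (not from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Assumed allowlist policy for a username field: letters, digits, underscore,
# 3 to 32 characters. Anything else is rejected before it reaches the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: builds the statement by string concatenation (dynamic SQL).

    The untrusted value becomes part of the SQL text, so a value containing a
    quote character changes the structure of the statement itself.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """SAFE: the value is sent as a bound parameter, separate from the SQL text.

    Whatever characters it contains, the driver treats it as data, never as
    SQL syntax, so the statement structure cannot change.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_handler(conn: sqlite3.Connection, username: str) -> dict:
    """What a request handler should return: validated input goes to the
    parameterized query; failures yield a generic message, never the database
    engine's own error text."""
    if not USERNAME_RE.fullmatch(username):
        # Allowlist validation: reject input that does not look like a username.
        return {"ok": False, "error": "invalid input"}
    try:
        rows = find_user_parameterized(conn, username)
    except sqlite3.Error:
        # Log the real exception server-side; the client gets no detail.
        return {"ok": False, "error": "request failed"}
    return {"ok": True, "users": [{"name": n, "email": e} for n, e in rows]}


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the quote and appends an always-true condition.
    crafted = "x' OR 'a'='a"
    print("dynamic SQL   :", find_user_dynamic(db, crafted))       # every row leaks
    print("parameterized :", find_user_parameterized(db, crafted)) # no such user
    print("handler       :", lookup_handler(db, crafted))          # rejected by allowlist
    print("handler       :", lookup_handler(db, "alice"))          # one matching row
```

Running the block shows the whole difference: the concatenated query returns all three rows for the crafted input, while the parameterized query looks for a user literally named `x' OR 'a'='a` and finds none, and the handler never lets that input reach the database at all. Validation and parameterization are independent layers; the second one is what actually removes the injection, and the first one shrinks the attack surface and gives you a clean place to log rejected input.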
As common as these attacks are, these tips and best practices can provide excellent defenses against SQL injection attacks. Read more about other types of attacks and how to prevent them on our blog.