Protection advice against SQL Injection threats

Network Box : 23 July, 2009  (Technical Article)
Network Box provides advice to companies on bolstering protection levels against potential SQL Injection Attacks
A steady increase in the number of SQL Injection attacks (where a hacker 'injects' malicious code into an application, exploiting a vulnerability in that application) means that companies should review their applications for vulnerabilities and ensure those vulnerabilities are patched. Managed security company Network Box has issued advice on protecting against SQL Injection attacks to customers who operate web servers, urging particular caution where those servers are accessible over the Internet.

The company says that SQL Injection attacks are extremely hard to stop at the gateway, because the attacks come from within a genuine application that has been exploited. While security firms such as Network Box operate sophisticated Intrusion Detection and Prevention systems that can block many exploits (for example against public web applications), these systems can offer only limited protection for private, internal applications. For this reason the company is advising customers to review application scripts regularly and ensure they are up to date with the most recent patches.

The advisory gives the following example of an SQL Injection attack:

A web server runs a news search application (called, for example, news.cgi) that uses a single parameter 'id' to retrieve a news story from a data source. The application is genuine, and the data source is accustomed to receiving instructions from it.

Usually, the application queries the data source using SQL code that means 'find articles where news id is XX'. (This might look like: [website URL]/news.cgi?id=XX.)

A hacker exploiting a vulnerability in the application is able to change the 'id' value to instruct the application to do something different. So, for example, if a hacker were to insert 'id=XX;truncate%20table%20news' into the parameter field, an application that does not validate or protect itself will compare the id with 'XX' and then execute the command 'truncate table news', which could delete the news from the data source.

Network Box's advice to companies, in addition to checking up-to-date patches for applications, is to deploy three main methods to prevent such attacks:

* Use 'parameterised' SQL statements - pass values to the SQL instruction as clearly separated parameters rather than building the statement text from them.
* Validate each parameter. For example, the ID parameter must be a number, or is restricted to certain terms.
* 'Escape' parameters before inserting them into the SQL statement. This ensures that anything inserted by the hacker is treated as a value rather than a command. So instead of comparing the id with 'XX' and then executing 'truncate table news', the id is compared with 'XX; truncate table news', which is not a legitimate id and is rejected.
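The news.cgi scenario above, worked through in Python against a constructed in-memory SQLite table (added example, not part of the Network Box advisory): the concatenating lookup alongside a validated and parameterised one, plus the advisory's escaping variant for comparison. SQLite has no TRUNCATE, so `DELETE FROM news` stands in for the article's 'truncate table news'.

```python
import re
import sqlite3

# Constructed stand-in for the article's news data source.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "First story"), (2, "Second story")])
    return conn

def vulnerable_lookup(conn, raw_id):
    """news.cgi as the article describes it: 'id' is pasted into the SQL text.
    executescript() mirrors a database layer that accepts stacked statements.
    Returns the row count afterwards so the damage is observable."""
    conn.executescript(f"SELECT title FROM news WHERE id = {raw_id};")
    return conn.execute("SELECT count(*) FROM news").fetchone()[0]

def safe_lookup(conn, raw_id):
    """Two of the three advised methods: validate that 'id' is a plain number,
    then bind it as a parameter so the driver never treats it as SQL."""
    if not re.fullmatch(r"\d{1,9}", raw_id):
        raise ValueError(f"rejected id: {raw_id!r}")
    row = conn.execute("SELECT title FROM news WHERE id = ?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None

def escaped_lookup(conn, raw_id):
    """The article's third method: quote the value and double embedded quotes,
    so the whole string is compared as one literal and no row matches.
    Weaker than binding (dialect- and type-dependent); shown for comparison."""
    escaped = raw_id.replace("'", "''")
    row = conn.execute(f"SELECT title FROM news WHERE id = '{escaped}'").fetchone()
    return row[0] if row else None

# The article's 'XX;truncate table news' payload, in SQLite terms (constructed).
PAYLOAD = "1; DELETE FROM news"

def demo():
    results = {}
    results["rows_after_vulnerable"] = vulnerable_lookup(make_db(), PAYLOAD)
    conn = make_db()
    try:
        safe_lookup(conn, PAYLOAD)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["rows_after_safe"] = conn.execute("SELECT count(*) FROM news").fetchone()[0]
    results["safe_normal"] = safe_lookup(conn, "2")
    return results

if __name__ == "__main__":
    print(demo())
```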

Simon Heron, Internet Security Analyst at Network Box, says: "Our intrusion detection system can identify known SQL injection exploits, with application-specific and worm-specific protection modules. But many companies use private or closed applications that can't be protected in this way, and they need to ensure that they are secure."
   © 2012