Friday, December 4, 2009

SQL Injection Flush

The proliferation of SQL injection attacks is as shocking as it is preventable. I find it amazing that these attacks continue unabated when they could be greatly reduced by following some basic security practices. Adopting secure coding practices, reducing the attack surface, maintaining proper patching: the article listed plenty of straightforward guidelines that, if followed, would go a long way toward preventing further attacks. Since a SQL injection is often the gateway to a larger, more serious compromise, it needs to be dealt with with a greater sense of urgency.

SQL injection attacks take advantage of an application that does not validate its input, whether that input is a message (like on Twitter) or a form field such as a site search or login page. The user's input is concatenated into a query and then executed by the backend database server as if it were part of the developer's SQL. One of the more common probes is entering a single quote (') into a search box or login form: if the database answers with a syntax error, the quote has broken out of the string literal and the field is injectable. From there the attack lets the bad guys bypass authentication to the website, and consequently manipulate the database to disclose large amounts of data or, depending on the privileges of the database account, access and control the database server itself.

Without delving into the nitty-gritty programming details, here are some simple tips to lower your risk of being subject to SQL injection attacks:

The first step should be to stop building SQL statements out of raw user input at all. Filtering SQL keywords out of the input before the middleware sends it to the database is tempting, but keyword blacklists are brittle (case changes, comments and encoding tricks get around them) and they break legitimate input that happens to contain a word like "select". Developers should instead be using prepared (parameterized) SQL statements that take the user's input as bound parameters: the database then treats the input strictly as data, so an attacker cannot modify the structure or functionality of the SQL statement. This alone would cut these attacks drastically.

Escaping all user input before it is placed into a query is a second line of defence, and it can be retrofitted into existing applications quite easily. The caveat is that escaping rules are database-specific, so use the escaping routine your database driver provides rather than a hand-written one, and treat it as a stop-gap rather than a replacement for prepared statements. Above all, have your developers adhere to good secure application coding practices and ensure that the principle of least privilege access is strictly enforced: the account the application uses to connect to the database should have only the rights it needs, so that a successful injection discloses less and cannot reach beyond the database into the server.
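To make the points above concrete (the single-quote probe and authentication bypass described earlier, prepared statements as the fix, and escaping as a fallback), here is an added example of my own, not code from the original post, run against an in-memory SQLite database with a constructed users table. The login_* function names, the users table, the credentials and the payloads are all assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo data: one user in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user input is pasted into the SQL text.

    Returns the matched username, or None. Whatever the user types becomes
    part of the statement, so quotes and comment markers change its meaning.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: a prepared statement with '?' placeholders.

    The SQL text is fixed before any user data is seen; the driver sends the
    values separately, so a quote or '--' in them is just characters to match.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def escape_sqlite_literal(value):
    """Fallback only: SQLite escapes a quote inside a literal by doubling it.

    This rule is dialect-specific (MySQL, for example, also treats backslashes
    specially), which is why escaping is a stop-gap, not a replacement for
    bound parameters.
    """
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Still string-built, but every literal is escaped first."""
    sql = ("SELECT username FROM users WHERE username = '" +
           escape_sqlite_literal(username) + "' AND password = '" +
           escape_sqlite_literal(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def quote_probe_breaks_query(conn, login):
    """The single-quote test from the post, applied to a login function.

    A lone ' unbalances the string literal in the vulnerable version and the
    database raises a syntax error; that error is the tell-tale sign of an
    injectable field. Returns True if the probe produced a database error.
    """
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    # Classic bypass payloads: comment out the password check with '--', or
    # append a tautology so the WHERE clause is always true.
    comment_user = "alice' --"
    tautology_pass = "' OR '1'='1"
    for name, login in [("vulnerable", login_vulnerable),
                        ("parameterized", login_parameterized),
                        ("escaped", login_escaped)]:
        print(name,
              "| probe error:", quote_probe_breaks_query(conn, login),
              "| comment bypass:", login(conn, comment_user, "wrong"),
              "| tautology bypass:", login(conn, "x", tautology_pass))
```

Running it shows the vulnerable version raising a syntax error on the lone quote and returning "alice" for both bypass payloads without the password, while the parameterized and escaped versions return None for all three; the parameterized form is the one to ship, because it needs no knowledge of the database's quoting rules.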

I found all of these tips (and more) on the OWASP (Open Web Application Security Project) site; look for the "SQL Injection Prevention Cheat Sheet".