
Database injection attacks are a form of hacking that is becoming increasingly common and is being conducted on an extremely large scale. Tens of thousands of sites, including those operated by governments and universities, are currently exploited in this way.

What is SQL/database injection?
Many sites now use databases to store content, since this provides huge benefits: from easier management to the ability to interact with users, for instance in a shopping cart process. To understand SQL injection, you need to have a basic idea of how database-driven sites work.

A simple shopping cart has a database of products, images, descriptions and so on. Each product has its own row within the database, and a product is identified by a numeric identifier (an ID). A basic URL to retrieve product number 1 would be: www.example.com/view_product.asp?id=1. This URL says ‘get the product with an ID of 1, and then display all the information like the product name and image’.

Database injection attacks work by modifying the code used to query the database, so instead of just ‘get the product with an ID of 1’ the query will also alter the product details, install viruses or make other modifications to a site’s database – including deleting all of the contents.

These attacks are currently automated, and scan hundreds of thousands of sites daily to check for vulnerability, and attack sites that have not taken appropriate security measures.

What problems can result from being vulnerable?
Once an attacker has control of a site’s database, the repercussions are extremely serious, and common problems include:

  • A whole website can become unusable and/or infect all visitors with viruses
  • Loss of all the data from the site
  • Dropping out of all search engine listings
  • Listings on various hacker sites and the associated problems

How do I check if my site is vulnerable?
The ideal method is to consult with your web development provider, and ensure that they are aware of the severity of this issue, and have taken appropriate steps to prevent it from happening. However, there is a simple test you can conduct yourself which in most cases will reveal if a site is likely to be vulnerable to database injection:

Find a page containing a database (preferably ‘ID’) parameter (e.g. www.example.com/view_product.asp?id=123)
Append an apostrophe to the end of the parameter and view the URL (e.g. www.example.com/view_product.asp?id=123')
The apostrophe prematurely ends the database query. If you receive an SQL error of any kind, your site may be vulnerable. If this is the case with your site, you should contact your developer as soon as possible to ensure your site is secured against attack.

How do I fix SQL injection vulnerabilities?
The golden rule of secure website programming is don’t trust user input. Any data that originates from a user (including parameters in URLs) must be considered insecure and appropriately sanitised before being used for functions like database queries. Sanitising ID variables is extremely easy, since they normally only contain numbers. Any data supplied for an ID parameter that contains anything other than numbers should return an error to the user. The same principle applies to all parameters that contain user-supplied data: they should only be accepted if they match the expected syntax for that parameter.
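
The ID check described above, as an added example that is not part of the original article: the same lookup written without and with validation, run against the apostrophe test from the previous section. Python with an in-memory SQLite database stands in for the ASP page, and the table, sample rows and function names are constructed for illustration; the hardened version also binds the value as a query parameter, which goes one step beyond the validation the article describes.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data standing in for the shopping-cart product table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "Kettle"), (123, "Toaster")])
    return db

def view_product_vulnerable(db, raw_id):
    """'Before': the URL parameter is pasted straight into the SQL text."""
    query = "SELECT name FROM products WHERE id = " + raw_id
    return db.execute(query).fetchone()

# Expected syntax for an ID: ASCII digits only, with a sane length limit.
ID_SYNTAX = re.compile(r"[0-9]{1,9}")

def view_product_hardened(db, raw_id):
    """'After': reject anything that is not a number, then bind the value."""
    if not ID_SYNTAX.fullmatch(raw_id):
        raise ValueError("invalid product id")
    # The ? placeholder keeps the value out of the SQL text entirely.
    return db.execute("SELECT name FROM products WHERE id = ?",
                      (int(raw_id),)).fetchone()

def check(raw_id):
    """Return (vulnerable outcome, hardened outcome) for one id parameter."""
    db = make_db()
    outcomes = []
    for handler in (view_product_vulnerable, view_product_hardened):
        try:
            row = handler(db, raw_id)
            outcomes.append(row[0] if row else "not found")
        except sqlite3.Error:
            # The database itself choked on the input: the sign the
            # apostrophe test looks for.
            outcomes.append("SQL error")
        except ValueError:
            # Input never reached the database; the user gets a clean error.
            outcomes.append("rejected")
    return tuple(outcomes)

if __name__ == "__main__":
    for value in ("123", "123'", "abc"):
        print(repr(value), check(value))
```

An "SQL error" outcome means the input was interpreted as part of the query; "rejected" means it was stopped by the application before any query was built.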

Unfortunately, because this type of hacking has historically been uncommon and not widespread, some developers have neglected the basic requirements of web application security. Due to the current scale of SQL injection attacks, it’s literally only a matter of time before vulnerable websites are compromised.

Andy Langton
Chief Technical Officer
Receptional Ltd