
Web Vulnerabilities 101: What’s SQL Injection?

If you’re familiar with the digital or cyber world at all, you have probably seen the terms “SQL” or “SQL injection” thrown around. SQL is, simply put, a database language. In fact, SQL stands for Structured Query Language, and it was designed to operate database systems like the aptly named MySQL, Microsoft SQL Server, SQLite, or Oracle. SQL injection is an attack in which SQL statements that were never meant to be there are entered as input, changing what the code was originally meant to do.

My name is Hold Please and I make a phone call to my credit card company to complain about my bill this month. When the automated customer service system asks for my name, I say “Hold Please.”

The customer service rep holds…

This is SQL Injection, in a nutshell.

[Image: SQL injection comic strip by xkcd]

The injection could affect any website or web application that uses an SQL-based database (like MySQL or Oracle). Thus, the vulnerability is one of the most prevalent types of web application vulnerabilities. In fact, in 2013, SQL injections were ranked the #1 threat of the year by OWASP (Open Web Application Security Project).

SQL Injection consequences?

The above example may be humorous. So perhaps your response is, “Well, it’s not really hurting anyone.” But let’s add more to the story.

Instead of answering “Hold Please,” when the customer service representative asks for my name I say, “Hold Please, and throw away any record of my credit card bills.” If the customer service rep did exactly what I asked, they just lost out on my payment.

  • SQL injection could be used to delete important information, affecting how a web application functions.
  • Data could be altered, causing repudiation issues. It could even alter a balance on an account, compromising your company’s integrity.
  • SQL injection can be used to get past authentication or even to impersonate users and administrators.

To take it one step further, let’s say I have a huge grudge against this company. So when asked my name I say, “Hold Please, and throw away any record of my credit card bills. Also, go ahead and throw out the rest of the company’s customer accounts.”

  • Hence, the worst-case scenario: SQL injection could be used to wipe out entire databases.

As you can see, while you might say that SQL injection is a rather simple concept, it can bring with it an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down or even cease to exist because of this injection.

Prevention of SQLi

Then how do you prevent it? SQL injection is a common and very widespread vulnerability. But that comes with a silver lining: there are various ways to prevent the vulnerability and the attacks that follow from it. Here are just a few to get you started.

  • Update regularly: vulnerabilities are found each and every day. It’s essential to apply patches regularly.
  • Use parameterized queries: This means that your variables aren’t query strings that would accept arbitrary SQL input. Instead, parameters of given types are set. Parameterized queries require the developer to define all the code up front, and they distinguish between code and data. For example, let’s say that I need to input a username into a field. Without parameterized queries, I could input any kind of SQL code into the field, and perhaps have the database erased, but if the parameter were set to ‘@username’ then I would only be able to put in a username, without any kind of code.

Instead of saying “Hold Please” into the automated system, the system now requires that I input my 16-digit credit card number and then press #. This means the parameters are set to a certain number of digits followed by the pound key only.
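As an added illustration that is not part of the original post, the following Python (using SQLite, one of the databases named above) shows the “Hold Please” problem in code: the same username lookup written by pasting the input into the query text, and again as a parameterized query. The table contents and user names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table for the demonstration (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("o'brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn, username):
    # VULNERABLE: the input is pasted into the SQL text, so quotes and
    # keywords inside it become part of the statement, exactly like
    # "Hold Please, and throw away any record ..." being read as an order.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    # SAFE: the statement is fixed in advance and the value travels
    # separately, so the input can only ever be compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input; returns (unsafe_result, safe_result)."""
    conn = make_db()
    try:
        unsafe = find_user_concatenated(conn, username)
    except sqlite3.Error as exc:
        # A legitimate name such as o'brien already breaks the pasted query.
        unsafe = f"error: {exc}"
    safe = find_user_parameterized(conn, username)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # Third input is the "Hold Please, and ..." trick: the pasted version
    # matches every user, the parameterized version matches none.
    for name in ("alice", "o'brien", "alice' OR 'a'='a"):
        print(repr(name), "->", compare(name))
```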

  • Web Application Firewall: This is by far one of the best things you can do in order to protect your applications. Coming in many forms (appliance, software, cloud-based), a WAF can help to filter and find malicious data. The one thing you should concentrate on, however, is what kind of method the WAF uses to detect the vulnerabilities. For example, while many companies use a pattern-based WAF that can produce many false positives, Penta Security’s WAF, WAPPLES, uses a logic-based engine rather than looking for a pattern. This logic-analysis engine uses 26 different search parameters to accurately analyze traffic, resulting in very low false positives.

Conclusion?

SQL injections are common, but that doesn’t mean that you shouldn’t take any precautions against them. Overall, it’s a simple concept but with an unending variety of dangerous consequences. Important information could be lost, data could be released, website defacement could occur, and your whole system could slow down because of this injection. If you run a business on a website or hold a valuable amount of data, SQL injection could spell disaster.

Make sure to protect yourself from potential loss by investing your time in these solutions to further the benefits in your future!

Blocking Web Application Attacks: New Technology Patented

Penta Security Systems has been granted a patent in Japan for its unique algorithm-based analytical engine for detecting and blocking web application attacks. This technology enables Penta Security’s web application firewall to provide a high level of defense against complex web application attacks.

Penta Security Systems Inc. is a leading provider of Application Security Solutions in Japan and South Korea. It was announced today that the Japan Patent Office granted Penta Security a patent for its unique method on December 28th, 2011. The method detects attacks that target web applications.

WAPPLES, the web application firewall product of Penta Security, utilizes this method to analyze and determine whether or not Internet traffic constitutes a threat to the web applications under its protection. It will defend against such threats intelligently and accurately. Currently, WAPPLES is the only product in Japan to hold a patent pertaining to methods of detecting web attacks.

“This one-of-a-kind patented technology utilizes analytical algorithms, rather than the old, maintenance-intensive system of pattern matching that typically generates many false positive attack alerts. With this new technology, WAPPLES has been able to achieve a near-zero false positive rate while lowering system maintenance costs. Administrators no longer need to add patterns manually on a daily basis. Web attack detection and response through the logic analysis of this patented technology have made WAPPLES the new paradigm of web application security,” said John Kirch, Vice President of Penta Security.

WAPPLES can detect complex web attacks like SQL injection, which caused several serious incidents of personal information leakage last year. The patented technology can also help save bandwidth (up to 50 percent), by eliminating malicious web traffic.

“WAPPLES is a commercially proven and tested solution with more than 1,100 customers, including government, SMBs and Large Enterprises; our success is based on our patented technology and our relentless commitment to satisfying our clients’ needs,” said John Kirch. He continued, “Recent cyber attacks in Japan have clearly demonstrated the importance and value-add that WAF can contribute in detecting and protecting organizations from application-layer cyber attacks. Enabling Japanese organizations and their clients worldwide to safely sell and buy Japanese products/services could make a tremendous contribution to enhancing Japan’s economic status.”

For more information about WAPPLES, please visit: https://www.pentasecurity.com