SQL Injection

By Winston L.

The database is a brilliant invention of this age of technology. According to the Database page on Wikipedia, the database has existed for 45 years, since it was first proposed by Edgar Codd in 1970. However, not until computer hardware became powerful enough to handle large-scale data processing were the database concept and database management systems (DBMS) widely implemented. After the birth of the Internet, the demand for a decent application to manage large databases grew even higher, partly because people found that databases can be used for everything, from business to scientific research. Nowadays there are many major DBMSs, such as IBM DB2, MS SQL, MySQL, and Oracle. All of them are based on the standardized SQL language, and that makes them vulnerable to one simple but very dangerous attack on the database: SQL Injection. This blog discusses the SQL Injection attack technique, its impact, its victims, and prevention solutions.

First, before we dive into SQL Injection, we must understand the basics of the SQL language, which are well explained in the article "Anatomy of a SQL-injection attack" from Network World by Barnett. SQL is the acronym of Structured Query Language. As we already know, a computer does not understand English or any other language that we speak. It only recognizes series of 1s and 0s. So, just like a programming language, SQL is the medium that translates English phrases and commands into binary code. Almost the whole database is structured by its designers. However, some sets of commands are left blank to take input from users. This is an example from the article: "SELECT * FROM users WHERE Email = '" + Email + "' AND Password = '" + Password + "';" The fields Email and Password are filled out by users to log in to the system.

Those blank fields are vulnerable holes in the database. Hackers take advantage of those input fields to inject malicious sets of code into the system. At first, this technique was hard to pull off and unpopular, because the majority of database management systems back then used a different type of code for each database application. Then, in 2007, due to the rise of standardized SQL coding practice, all databases came to use the same set of codes. That made it significantly easier to use the SQL Injection technique to penetrate a system. Hackers can write an application that runs thousands or millions of sets of code against those input fields, scanning for valid commands that gain access to the database. After mapping out the columns and tables, hackers are able to steal all the critical and confidential information of users, including Social Security Numbers, credit card numbers, or bank accounts. A SQL Injection attack seems simple and easy to achieve, but many large firms have fallen victim to it, and when the attack has been successfully launched, it can leave the database devastated.

One example of a SQL Injection attack is the security breach of Sebastian, an internet, phone, and television provider. As reported in SC Magazine by Adam Greenberg, a group of hackers disclosed on Twitter that they were able to penetrate Sebastian's database by using a SQL Injection attack. They stole thousands of usernames and passwords of customers. Then they tried those combinations on many sites, such as Gmail, PayPal, online shopping sites, and even some online bank accounts. In the end, they claimed that they were able to harvest $100,000 from those online accounts because customers used the same combination of username and password.

SQL Injection can also be used in mass attacks targeting the search engine optimization of thousands of websites. Recently, an incident was reported in the article "Attackers use SQL injections to manipulate search engine rankings" from Networks Asia. In just two weeks during Q3 2015, the Threat Research Division of Akamai Technologies, Inc. observed more than 3800 websites being affected by the attack. Hackers used SQL Injection to gain control of the search feature of many search engines. They altered the rankings of the result websites, leading users to malicious links and applications.

In most cases, one of the main factors that contributes to the success of a SQL Injection attack is recklessness and overlooked insecurity. SQL Injection (SQLI) can be prevented if handled properly. There are hundreds of ways to deal with SQLI; 8 of them were presented in the article "8 techniques to block SQL attacks" in Information Week by M. J. Schwartz. The first is to blacklist hosts. Many attacks come from just a handful of addresses, so blocking these infamous hosts would be effective. The second is to leverage the first by updating and sharing the list of discovered malicious hosts. Third, we should minimize access to the database, and never grant admin-level access to a web application. The fourth, an obvious but easily ignored one, is to encrypt the data. Fifth, database designers should only accept expected input. Sixth, it is a good idea to get to know the Web applications well, so we can quickly detect which application is acting out of the norm. The seventh is to normalize inputs so they can easily be checked against known-bad inputs. Finally, as we know, hackers use applications to generate and inject code into the system, so we should look for indications of automation to prevent SQLI.

A SQL Injection attack is simple and is not hard to handle. However, it is easy to overlook the technique and leave the system vulnerable to a devastating attack. It is critical to follow these basic prevention guidelines to block any potential attack.
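
The login query quoted earlier from Barnett's article and the fifth technique above (accept only expected input), shown as an added Python example that is not from the original post or the cited articles: the concatenated form beside a parameterized form of the same query. The users table, the sample row, the function names and the e-mail pattern are assumptions constructed for illustration, and SQLite stands in for the DBMS.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: one user row in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (Email TEXT, Password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice@example.com", "s3cret"))
    return db

def login_concatenated(db, email, password):
    """The article's query: user input is pasted into the SQL text itself."""
    sql = ("SELECT * FROM users WHERE Email = '" + email +
           "' AND Password = '" + password + "';")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, email, password):
    """Same query with placeholders: input is bound as data, never parsed."""
    sql = "SELECT * FROM users WHERE Email = ? AND Password = ?"
    return db.execute(sql, (email, password)).fetchone() is not None

# Allow-list for the Email field (hypothetical policy for this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_expected_email(value):
    """Technique five: accept only input of the expected shape and length."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

def quote_reaches_parser(db, email):
    """True if a quote in the input changes the syntax of the statement,
    which shows the field is being interpreted as SQL rather than as data."""
    try:
        login_concatenated(db, email, "x")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    probe = "o'brien@example.com"  # constructed input containing a quote
    print("concatenated query parses input as SQL:",
          quote_reaches_parser(db, probe))
    print("parameterized query treats it as data:",
          login_parameterized(db, probe, "x") is False)
    print("allow-list accepts it:", is_expected_email(probe))
```

A syntax error caused by a single quote in a form field is the same signal a code reviewer or tester can use to find concatenated queries before an attacker does.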

References
Database. (2016, February 9). In Wikipedia. Retrieved February 10, 2016.
Barnett, R. (2008). Anatomy of a SQL-injection attack. Network World, 25(40), 30.
Greenberg, A. (2013, October 22). Hacker group claims to have looted $100k via SQL injection attack. In SCMagazine.
Attackers use SQL injections to manipulate search engine rankings (2016). Newton: Questex Media Group LLC.
Schwartz, M. J. (2011). 8 techniques to block SQL attacks. Informationweek.