Feeds:
Posts
Comments

Posts Tagged ‘SQL Injection’

What is SQL Injection?

sqlinjection

The most common type of hack attack seen these days, however, involves SQL injection. Attackers including hacktivists favor SQL injection attacks because they allow attackers to “inject” their own commands into databases.

When databases aren’t configured to properly screen inputs for signs of attack, attackers have an easy-to-use, remote technique for obtaining any information stored by the database. The specially crafted user data tricks the application into executing unintended commands or changing data.

SQL Injection allows an attacker to create, read, update, alter, or delete data stored in the back-end database. In its most common form, a SQL Injection attack gives access to sensitive information such as social security numbers, credit card number or other financial data.

What is a SQL Injection Attack?

A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.

There are four main categories of SQL Injection attacks against databases

  1. SQL Manipulation: manipulation is process of modifying the SQL statements by using various operations such as UNION .Another way for implementing SQL Injection using SQL Manipulation method is by changing the where clause of the SQL statement to get different results.
  2. Code Injection: Code injection is process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.
  3. Function Call Injection: Function call injection is process of inserting various database function calls into a vulnerable SQL statement. These function calls could be making operating system calls or manipulate data in the database.
  4. Buffer Overflows: Buffer overflow is caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is un-patched

How to prevent SQL injection attacks?

An attacker uses SQL injection to manipulate a site’s Web-based interfaces and force the database to execute undesirable SQL code, enabling data manipulation and spreading malware. Organizations must not only build defenses and practice secure coding best practices, but also develop an in-depth understanding of how SQL injection attacks work and how the threat has evolved — the earlier SQL injection attacks didn’t have the vulnerability detection capabilities of contemporary attacks — as well as learn how to find, isolate and address webpages infected with malware on a website.

Defending Against SQL Injection Attacks

The good news is that there actually is a lot that web site owners can do to defend against SQL injection attacks. Although there is no such thing as a 100 percent guarantee in network security, formidable obstacles can be placed in the path of SQL injection attempts.

1. Comprehensive data sanitation.

Web sites must filter all user input. Ideally, user data should be filtered for context. For example, e-mail addresses should be filtered to allow only the characters allowed in an e-mail address, phone numbers should be filtered to allow only the characters allowed in a phone number, and so on.

2. Use a web application firewall.

A popular example is the free, open source module ModSecurity which is available for Apache, Microsoft IIS, and nginx web servers. ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests. Its SQL injection defenses can catch most attempts to sneak SQL through web channels.

3. Limit database privileges by context.

Create multiple database user accounts with the minimum levels of privilege for their usage environment. For example, the code behind a login page should query the database using an account limited only to the relevant  credentials table. This way, a breach through this channel cannot be leveraged to compromise the entire database.

4. Avoid constructing SQL queries with user input. 

Even data sanitation routines can be flawed. Ideally, using SQL variable binding with prepared statements or stored procedures is much safer than constructing full queries.

Any one of these defenses significantly reduces the chances of a successful SQL injection attack. Implementing all four is a best practice that will provide an extremely high degree of protection. Despite its widespread use, your web site does not have to be SQL injection’s next victim.

Advertisements

Read Full Post »

In today’s technology world, security for database has grown extremely. Data security has become an essential for every individual who connect and uses the internet daily to transfer their data. It is necessary to have a requirement which each aspect of the operation performed through internet.

Database Security

Database security is the system that controls the access to database at certain level. The privacy of data is at risk from unauthorized users, which is external sources on the network and internal users within the companies itself.

The above is the security risks that IT professionals should aware of to protect their databases:

i) Privilege Abuse:

When database users take the opportunity for excessive privileges that exceed the        requirements of their job, then these privileges can be deliberately or accidentally being abused.

ii) Legitimate Privilege Abuse:

Through this attack, the hacker with the legitimate privilege that access to the database may misuse the information which stored in the database for their purposes.

iii) Operating System vulnerabilities:

In operating system vulnerabilities, the hacker accomplishes the vulnerabilities in the operating system to let unauthorized access to the database for mischievous reasons.

iv) SQL Injection

It shows that SQL queries are capable to prevent from access controls, by passing through standard authentication, authorization checks and also do grant access to host operating system level commands.

v) Lack of Audit Trails

When proof is weak, hackers can easily get access to database by expecting the identity of the users with strategies which is social engineering and brute force.

To find out an approach to clarify the security threats, that can help your organization to meet your database security, compliance and reporting needs, explore the information given below:

Application Security, Inc. (AppSecInc) was founded in year 2001, AppSecInc was recognized as market leading database security, risk, and compliance solutions for the enterprise. AppSecInc empowers the organizations to protect their most critical database assets.

AppDetectivePro as the leading provider of cross platform solutions for the enterprise for auditors and IT advisors, and DbProtect for the enterprise – deliver the industry’s most comprehensive database security solution.

For more information about AppSecInc – AppDetective Pro and how E-SPIN may consult and assist you on the database security requirement, please contact E-SPIN or

please go to http://e-spincorp.com/espinv3/index.php/application-security

Read Full Post »