What is a SQL Injection
De’Von Carter of CarTek Consulting is the featured guest in video 2 of a 3-part series focused on website security. The focus of this talk is SQL injection.
What is a SQL Injection
Before I can explain the specifics of a SQL injection attack, it is important that you understand a basic two-tier web application architecture. There are two parts working together to make your website a reality. The first tier is the web server. The web server can be considered the “front-end”, or the server that the end users and customers connect to. This is where the pretty pictures and content are hosted and displayed. So, when you go to your favorite website, the page that is presented to you in your web browser (Internet Explorer, Chrome, Firefox, etc.) is coming from the web server. The second tier is actually holding the really important data on the website. For example, when you go to Amazon, the first tier is what you see on the Amazon page, but the second tier is holding all of your personally identifiable information (PII), pricing, account information, etc., and the web server is pulling that information from the second tier so that it is presented to you as you browse for your next purchase and go to checkout once you have made your product selection. That second tier is called a database. There are many different types of databases, but in this instance, we are focusing on the Structured Query Language (SQL) database.
Now that we have a better understanding of a two-tier web application architecture, let’s talk about the actual SQL injection attack. The way these attacks work is fairly simple, but they can wreak havoc for business and website owners. If an attacker wanted to execute a SQL injection attack, he/she would go to a website where there is a webpage that allows for user input. A great example of this is a “contact us” page, because there are usually multiple fields that need to be filled out by the end user, or in this case the attacker. The attacker would simply type some very specific characters into the fields, and those characters would form actual SQL commands that would tell the second tier, the database, to perform an action. The actions could be to add a user, delete a user, reveal the contents of the database, or even delete the entire database. Any of these actions would be very bad for the business/website owner.
Diagram courtesy of Veracode
Now that you see what could happen, let’s turn our focus to some preventative actions that you can take to help protect your business from this type of attack.
- Use an Application Programming Interface (API) that avoids the use of the interpreter entirely, or one that provides a parameterized input option (parameterized queries), so that user input is always passed to the database as data rather than as part of the command.
- Definition of Interpreter – this is the component that reads the text an attacker typed into the contact-us page fields, treats any executable input in it as a command, and performs the action stated in that input. This can be bad.
- Your website should be developed in a way where special characters are ignored or escaped. This will ensure that when an executable command is put into a field by an attacker, the special characters that are required for the command to execute are neutralized, thus preventing the command from being run on the database.
- Use a “white list” of user inputs. This means that you only accept predefined values, for example from a drop-down menu, and reject anything else. This will prevent an attacker from having the ability to type in untrusted input.
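To make the attack described above and the first and third preventative measures concrete, here is an added example that is not part of the video or CarTek Consulting’s material. It uses Python’s built-in sqlite3 module as a stand-in “second tier” with a constructed customers table, shows the flawed query-building pattern beside its parameterized replacement, and adds a white-list check for the one place a parameter cannot be used (a column name chosen from a drop-down). The table, names and function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed in-memory "second tier": a tiny customers table with sample rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The flawed pattern: the user's text is pasted straight into the SQL, so
    the interpreter treats any quotes and keywords it contains as SQL. A quote
    in a legitimate name (O'Brien) breaks the query; crafted text rewrites it."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a parameterized query. The SQL text is fixed at development
    time; the value travels separately and is always treated as data."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# White list for a value that must become part of the SQL text itself
# (identifiers such as a sort column cannot be passed as a parameter).
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_customers_sorted(conn, sort_by):
    """Accept only the predefined drop-down choices; reject everything else."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT username FROM customers ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input: text that reads as SQL once pasted in
    print(lookup_vulnerable(conn, crafted))     # every row: the input became part of the command
    print(lookup_parameterized(conn, crafted))  # []: the same text stayed an ordinary string
    print(lookup_parameterized(conn, "alice"))  # the legitimate lookup still works
    print(list_customers_sorted(conn, "email"))
```

Run it once and compare the first two printed lines: the same field contents reveal the whole table through the string-built query and match nothing through the parameterized one, which is exactly the difference between passing input to the interpreter as a command and passing it as data.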
As you can tell from this list, you will need to work with your website developer to implement these preventative measures. If they are a good web developer, they should be familiar with these techniques. If they are not familiar, then reach out to CarTek Consulting. We are here to help.