In the recent Ant Man movie, I want to focus on one thing – Luis, Scott’s extremely chatty friend. In their quest to stop Darren Cross from his evil plans, Luis disguised himself as a security guard to help Scott infiltrate the Pym Technologies building where Cross’ powerful Yellowjacket resides. Now of course I do not want to spoil any further for those who have not watched the movie yet (although it has already been a while), so I will get to the point. As viewers, we can think of Luis as just some ordinary guy in the story; but looking at it from a security perspective, we know that Luis’ role made a huge contribution to the success of their plan (oops!).
So how do we relate this to SQL injection, you might ask? In the same way that Luis can easily disguise himself as a legitimate security guard, attackers can disguise malicious input as legitimate data and exploit a vulnerability in your web application through SQL injection. By submitting SQL statements as input data to your web application, and without the proper protection, your application might treat these statements as legitimate and authorized when in fact they are not!
The famous SQL injection has evolved throughout the years, and we know that variations of it can still harm a web application that is not protected. So what is SQL injection? SQL injection is a kind of code injection attack that inserts SQL statements through input data. If successful, this can lead to data in your database being read, modified or deleted. When this happens, many things can be done that would lead to a company’s loss of confidentiality, integrity, availability and accountability.
You must know that to secure a website, the defense mechanism should be proactive: preventive, detective and corrective. In terms of identifying an SQL injection attack, what are the three things that security analysts need to see?
Sometimes, WHAT YOU SEE IS WHAT YOU GET.
Some SQL injection attacks are really as clear as water. So if you see your logs containing the terms “select”, “update”, “delete” and other common SQL statements, go ahead and block that IP or perform the necessary security measures according to your response plan.
YOU CAN KEEP AS QUIET AS YOU LIKE, BUT ONE OF THESE DAYS SOMEBODY IS GOING TO FIND YOU. – Haruki Murakami
Some SQL injections hide in the form of Base64 encoding, so to be sure, if you see any gibberish when you look through your logs, try decoding it as Base64 and you’ll see. You’ll know it when you’ve found it. Below is a sample payload that shows a parameter that seems like gibberish. When decoded as Base64, the long line of gibberish actually consists of lines of SQL statements, which is shown in the photo below. This SQL injection attack was the famous Magento shoplift bug exploit that made news last year.
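The two checks above (plain SQL keywords in the request, and keywords hiding behind Base64) can be put into one small log scanner. This is an added example and not code from the original post; the log lines are constructed for the demonstration, the Base64 payload is a made-up `SELECT`, not the Magento exploit, and the keyword list is only the handful of terms mentioned above.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Keywords the post tells analysts to look for, matched as whole words, case-insensitive.
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.IGNORECASE)

# Constructed sample access-log lines (abbreviated combined format); not real traffic.
# The third line carries a Base64-encoded parameter built here so the value is exact.
_ENCODED = base64.b64encode(b"SELECT * FROM admin_user").decode()
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2016:10:00:01 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 120',
    f'10.0.0.7 - - [01/Jan/2016:10:00:02 +0000] "GET /admin/?data={_ENCODED} HTTP/1.1" 200 80',
]

_REQUEST = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+) HTTP/')


def decode_candidates(value):
    """Yield the raw parameter value, plus its Base64 decoding when it decodes cleanly."""
    yield value
    stripped = value.strip()
    if len(stripped) >= 8 and re.fullmatch(r"[A-Za-z0-9+/=]+", stripped):
        try:
            yield base64.b64decode(stripped, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return


def scan_log_line(line):
    """Return (client_ip, keyword, offending_value) for a suspicious line, else None."""
    m = _REQUEST.match(line)
    if not m:
        return None
    ip, target = m.group(1), m.group(2)
    query = target.partition("?")[2]
    for pair in query.split("&"):
        _name, _sep, raw = pair.partition("=")
        # unquote() handles %20 but leaves '+' alone, so Base64 survives intact.
        for candidate in decode_candidates(unquote(raw)):
            hit = SQL_KEYWORDS.search(candidate)
            if hit:
                return ip, hit.group(1).upper(), candidate
    return None


def scan_log(lines):
    """Run the per-line check over a whole log and keep only the hits."""
    return [r for r in (scan_log_line(l) for l in lines) if r]
```

A hit is a lead for an analyst to act on according to the response plan, not proof of an attack on its own: a legitimate search box can carry the word “update” too.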
KNOW THE DIFFERENCE
It is best to know the different types of SQL injection to better understand what the attacker is attempting to do. To make it easier, we can reduce them to two types, namely simple and blind SQL injection. Simple SQL injection refers to the use of SQL queries built through string concatenation with the user input. Some examples of this are the union query and the tautology. Blind SQL injection refers to the use of “yes” or “no” type queries, with the answer determined through the response of the application. This is typically used against web applications which are vulnerable to SQL injection but do not show the results of the injection. Below is a sample tautology query which can be used for a simple SQL injection.
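To show why string concatenation is the root of simple SQL injection, here is an added example (not code from the original post) with a constructed in-memory SQLite table: the same tautology is fed to a login query built by concatenation and to one using placeholders, so you can see which one lets it through.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the query is assembled by string concatenation with user input."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username, password):
    """Hardened: placeholders make the driver pass the input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# The classic tautology: once concatenated, the WHERE clause is always true.
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Return what each version of the login query gives back for the same inputs."""
    conn = make_db()
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_tautology": login_concat(conn, "x", TAUTOLOGY),
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_tautology": login_param(conn, "x", TAUTOLOGY),
    }
```

The concatenated version returns every user for the tautology; the parameterized version returns nothing, because the driver compares the password column against the literal string.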
Without the proper defense mechanisms, you will definitely reap what you sow. There are frightening consequences for a web application that’s vulnerable to SQL injection, which include unauthorized access to sensitive data, escalation of privileges, defacing of websites and much more. In the real world, a vulnerable website can also lead to greater harm to others, hence be sure to secure your websites.
I remember a professor back in college shared with us that no single security approach applies to everyone. It is up to you which of the three pillars of security (confidentiality, integrity, availability) you are going to give greater priority in managing your web application. But as recommended, make sure that your websites are secured against the OWASP Top 10 common vulnerabilities as you are developing. Most application frameworks nowadays have functions that help secure your websites in terms of design or development. At the end of the day, it is up to you to gauge which is the right one to use for your website.
If you are interested in learning more about how to develop your websites securely, a good start would be to take the lessons from WebGoat, as it provides sample cases. Don’t worry, it’s all free!
Lastly, to ensure that you detect existing and future web attacks such as SQL injection against your website, get WebRanger installed on your website. It is the detective, preventive, and corrective web application security control that keeps your websites protected 24/7. It’s free! Visit WebRanger’s website to learn how it actively protects your website.