Feb 112014
 

T-SQL Tuesday #51

T-SQL Tuesday #51 is hosted by Jason Brimhall (b|t). This month's topic is "Place Your Bets".

SQL Injection

Introduction

"SQL Injection – I have heard it all" you might be thinking. What is there to write about this again?

SQL Injection

Well, nothing - you would think. It has been very well understood and documented for years and it is easy to prevent. People are talking about it and most developers know what to do about it.

So, why write yet another post about this topic?

Meet OWASP

OWASP is the Open Web Application Security Project. For many years it has been regularly collecting the top vulnerabilities of applications that are reachable on the internet. The results are published in the Top Ten Project.

Since at least 2003 SQL Injection has been holding one of the top 10 places. Since 2010 it is number one.

Let me repeat that: Since 2010 SQL Injection is the number one vulnerability in web applications.

SQL Injection in the news

SQL Injection was used in the recent Bell Canada hack causing over 40000 records to fall into the wrong hands.

While not officially confirmed, there are strong signs that SQL Injection played a major role in the attack against Target late last year that caused 40000000 credit card numbers to leak into the open.

Betting on SQL Injection

I am not going to reiterate what SQL Injection is. There are many resources out there like the one by Troy Hunt

However, what I am going to repeat here is that it can happen to anyone. The answer I get most often from clients when I suggest to them to address their SQL Injection Vulnerabilities is "Who would want to hack me? There is nothing important in my system."

This is the wrong way to think about the issue. If you have users in your system and they have accounts with user names, email addresses and passwords you have an obligation to protect that data. Also, many attacks are not actually targeted but executed automatically against a large number of potential targets. If there is something important to get, the attacker will decide once access is gained, not before.

So, I cannot urge you enough: Do not ignore SQL Injection. Follow best practices like parameterizing your SQL Statements and sanitizing user supplied values all the time. And with "all the time" I actually mean all the time, not only when you are working on customer facing products but also when you develop in-house solutions. An attack might strike close to home, for example in form of a disgruntled employee, or like in the Target case through phishing.

SQL Injection vulnerabilities are wide spread and easy to exploit. But luckily they are easy to prevent too. It is however up to you to actually prevent them.

Summary

SQL Injection is one of the oldest tricks in the attacker's handbook. But it is still the most common. Don't bet on it not going to happen to you. Spend the little extra effort and prevent it.

Trackbacks

  1. […] Meine (b|t) brought needles to the table.  That is wicked crazy and leaves quite the […]

  2. […] Meine (b|t) brought needles to the table.  That is wicked crazy and leaves quite the […]