SQL Injection Explained - What just happened....

Blog post contributed by Jesper Jurcenoks – Critical Watch

(Animation of the simplest SQL Injection – feel free to go to Altoro Mutual try to hack their login – it’s safe – you won’t get in trouble, this site was made to demonstrate web vulnerabilities.)

The innocuous credential SQL search

SELECT userid FROM members
WHERE username = ‘admin’ AND password=’DifficultPassword!’

is modified by the attacker by entering admin’– in the unprotected login field above to produce the following SQL code behind the scenes:
SELECT userid FROM members
WHERE username = ‘admin’–‘ AND password=’123’

admin is the user we want to impersonate
‘ is used to terminate the literal string in the SQL statement
— means “comment out the rest of the line” making sure that password validation is not performed.
‘– is the simplest SQL injection, there are many different ways to perform SQL-injection (beginners cheat sheet are available on the internet12) and even more ways to bypass SQL Injection protections (called filter evasion13)
SQL Injection can do more than just bypass login restrictions, SQL Injections can:

launch malicious SQL commands like “DROP Tables”
OS Commands like “Format c:”
Download and execute trojan horses on your server
Execute complex queries returning the credit card data in your database to the attacker

How do I find SQL Injection vulnerabilities in my systems?

A Customer informs you that they found your Data on a Hacker bulleting board – Ouch (in 2013 70% of data breaches was discovered by external parties1)
Code Review – Yuk! mind numbing and takes forever, due to the human element not very reliable for large amounts of code. use this once you have located the vulnerability using other means.14
Free Open source tools – Detailed semi-automatic testing – typically one page or field at a time. Great for testing during development or for understanding the SQL injection that was found by fully automatic tools – No phone or live support.
Commercial Tools for testing SQL injection – Obviously these tools are great at finding SQL injections, don’t forget that there could many other kinds of vulnerabilities hiding in your systems.
Fully automatic Vulnerability Assessment (VA) testing that will test for everything – day out and day in without human intervention. This is the best solution for making sure some change does not (re-)introduce an SQL-injection or other vulnerability in your web-site. Coolest: Easy online solutions not requiring installation or training.

How do I Fix SQL Injection?

Using secure coding practices during development14
Go back and fix old code14
Validate and filter all input, remove SQL control characters15
Update 3rd party web-applications to secure versions
Use a Web Application Firewall (WAF) in front of your vulnerable web servers, to intercept the Attacks before they reach your server. Configuring a WAF to protect against the SQL injections and other Web application vulnerabilities is ridiculously difficult, which is why we wrote the Critical Watch WAF Optimizer™ to automatically configure your WAF based on detected vulnerabilities.

SQL Injection Notes:

While SQL injections relate to SQL Databases, the problems typically needs to be fixed in the application layer not in the database layers. (Updating the database will not fix the problem)
Short fields lengths is a good way to minimize SQL Injection attacks, as there is a limit to how much attack code can be written into a short field, you must enforce the short field length in the back-end application or WAF as HTML restrictions are easily bypassed.
Non-SQL Databases like Mongo does not suffer from SQL Injection – they suffer from Non-SQL Injections2 😉

SQL Injection References