SQL Injections

•SQL Injections - the number one security risk in the OWASP (Open Web Application Security Project) Top 10 Application Security Risks – 2017

•It was used in the run-up to the 2016 U.S. presidential election to compromise the personal data of 200,000 Illinois voters

•High-profile attacks against organizations such as Sony Pictures, PBS, Microsoft, Yahoo, Heartland Payment Systems, and even the CIA

What Are SQL Injections?

•A hacking technique that was discovered more than 15 years ago and is still proving to be devastatingly effective today, remaining a top database security priority.

•Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Common Reasons For SQL Injection Attacks

•The root cause of the SQL injection vulnerability is the use of dynamic or concatenated SQL queries, where user-supplied input is spliced directly into the query text.

•Databases are attractive targets because they typically contain critical and sensitive application information.

•The approach (i.e., the hack) is not new and is well documented on dozens of forums findable through Google, so these attacks are easy to execute.

Primary Defenses Against SQL Injection

•Prepared Statements (Parameterized Queries) - parameterized queries force developers to define all the SQL code first, then pass each parameter to the query separately, which allows the database to distinguish between code and data regardless of what input is supplied.

•Stored Procedures - a stored procedure is defined and stored in the database itself, and then called from the application rather than being something that a user is allowed to enter.

•Run an automated SQL injection testing tool against your own applications and know your risks before they are exploited.
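To make the prepared-statement point concrete, here is an added example (not from the original article) that runs the same lookup both ways against a constructed in-memory SQLite table. The concatenated form breaks as soon as the input contains an ordinary apostrophe, because the database parses it as SQL code; the parameterized form binds the value as data and returns the right row.

```python
import sqlite3

# Constructed sample data for this example; not a real dataset.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern: the value is spliced into the SQL text, so any
    quote character in it is parsed as SQL code rather than as data."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Prepared statement: the SQL text is fixed and the value is bound to
    the placeholder, so the database never parses it as code."""
    sql = "SELECT email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups. A database error from the concatenated form shows
    that the input was interpreted as SQL syntax; the parameterized form
    treats the identical input purely as data."""
    conn = make_db()
    try:
        concat, concat_error = lookup_concatenated(conn, username), None
    except sqlite3.Error as exc:
        concat, concat_error = None, type(exc).__name__
    param = lookup_parameterized(conn, username)
    conn.close()
    return {"concatenated": concat, "concatenated_error": concat_error,
            "parameterized": param}


if __name__ == "__main__":
    for name in ("alice", "O'Brien"):
        print(name, compare(name))
```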

No solution can ever be foolproof, but the risks and vulnerabilities can be minimized, or even eradicated in advance, by following industry best practices and a structured approach.

Thanks for Reading,

Manoj Rana
