Preventing blind SQL injection attacks

There's more than one way to receive Threat Monitor Download "Preventing blind SQL injection attacks" to your PC or favorite mobile device. Sign up to receive Threat Monitor via RSS.

Plain SQL injection attacks
Web applications commonly use SQL queries with client-supplied input in the WHERE clause to retrieve data from a database. When a Web application generates such queries without checking or preprocessing the user-supplied data to ensure it's valid, a SQL injection attack can occur. By sending unanticipated input, an attacker can create and submit SQL queries to pass commands directly to a database. Hackers typically test for SQL injection vulnerabilities by sending the application inappropriate input to try to generate an invalid SQL query. If the server returns an error message, the attacker can use information from the error message to try to gain illegal access to the database. This is a SQL injection attack.

Blind SQL injection attacks

More information on SQL injection attacks Learn about SQL injection attacks and other Web application attacks in our Learning Guide. Find out how to prevent SQL injections.

Many system administrators respond to SQL injection attacks by suppressing the display of database server error messages. However, that doesn't tackle the core problem, which is poor coding. Hiding error messages is really just "security by obscurity," though it does challenge the attacker who now has to build an understanding of the application, the database and the structure of the tables, etc., through the injection process itself. This is called a blind SQL injection attack, because the attacker cannot take advantage of detailed error messages from the server or other sources of information about the application. Getting the SQL syntax right is usually the trickiest part of the blind SQL injection process and may require a lot of trial and error. But, by adding more conditions to the SQL statement and evaluating the Web application's output, an attacker will eventually determine whether the application is vulnerable to SQL injection.

Preventative measures
As you can see, even if your Web application does not return error messages, it may still be susceptible to blind SQL injection attacks. However, you can protect your organization's applications against both attacks with the following best practices:

1. Create a policy that enforces secure coding practices to ensure vulnerability detection and assessments are performed during any application development or deployment.

2. Have your developers identify where data enters or exits the application and ensure that validation occurs for every part of the HTTP request before letting it anywhere near scripts, data access routines and SQL queries. This will prevent user-supplied data from being able to modify the syntax of SQL statements.

3. Completely isolate your Web applications from SQL using stored procedures, which the application should execute using a safe interface, such as JDBC's CallableStatement or ADO's Command Object. If SQL statements must be generated on the fly, use PreparedStatements, as both PreparedStatements and stored procedures compile the SQL statement before the user input is added, making it impossible for user input to modify the actual SQL statement.

4. Consider using a vulnerability assessment tool to automate the discovery of SQL injection and other security vulnerabilities.

5. Develop an incident response plan. Having a detailed and well-rehearsed plan will help you handle any attack that occurs in an orderly and effective manner, and minimize the impact to your organization.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Application Attacks (Buffer Overflows, Cross-Site Scripting) IronPort feature detects exploited websites SaaS startups enter Web security gateway market How can an enterprise-wide network remain resilient against denial-of-service (DoS) attacks? Microsoft warns of attacks against Microsoft Access zero-day flaw Tips for SQL injection protection Microsoft addresses XSS in Internet Explorer Internet Explorer open to spoofing, scripting attacks Software still plagued with security holes, researcher says Microsoft tools won't be quick fix for SQL injection attacks Microsoft identifies tools to address SQL injection attacks Application Attacks (Buffer Overflows, Cross-Site Scripting) Research Web Application Security (Also see Web Access Control) Billy Hoffman on AJAX security and browser attacks Data risks take shine off Google Chrome Verizon breach study identifies industry specific threats IronPort feature detects exploited websites PCI DSS 1.2 clarifies wireless, antivirus use MySpace, Facebook ignoring basic principles of security Positive changes coming to ModSecurity Kaminsky: DNS flaw capable of attacks on many fronts Can IBM's SMash technology secure Web applications? Microsoft tools won't be quick fix for SQL injection attacks RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cache poisoning  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) dictionary attack  (SearchSecurity.com) directory harvest attack  (SearchSecurity.com) distributed denial-of-service attack  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) ping of death  (SearchSecurity.com) script kiddy  (SearchSecurity.com) stack smashing  (SearchSecurity.com) SYN flooding  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.