SQL injection attacks are becoming a popular vector for stealing confidential information on the Internet. An SQL injection involves an attacker inputting a SQL query in a search field of a Web form. If the query is accepted by the Web application, it's passed to the back-end database where it's executed, if read/write access is granted from the Web application to the database server. This could result in two scenarios; the attacker viewing the contents of the database, or deleting the contents of the database. Neither instance is good.
Contrary to popular belief, SQL injection attacks do not require advanced knowledge. In essence, these attacks can be performed by anybody with a basic understanding of SQL and a list of queries that are available on the Internet.
Blind SQL injection is another method of launching attacks, but with a slightly different approach. When performing a standard SQL injection, an attacker inserts a SQL query into a Web application, hoping it will cause the server to return an error message. These error messages can grant the attacker the necessary knowledge needed to perform a more precise attack. Database administrators have been led to believe that sanitizing error messages would correct the underlying issue that caused SQL injection. What administrators have failed to realize is that although this conceals the error message, the vulnerability still exists. It's a tad tougher for the attacker, but instead of using error messages to gather information, the attacker flies blind and sends crafted SQL queries to the server, hoping to gain access to the database.
Cross-site scripting, otherwise known as XSS or CSS, is a technique used by malicious hackers to compromise vulnerabilities in a Web application that serves dynamic Web pages. Many of today's Web sites are serving up dynamic pages that consist of information from multiple sources built "on-the-fly" for the user. If the webmaster is not careful, malicious content can be injected into the Web page to gather confidential material or simply execute on users' systems.
There are many countermeasures for thwarting Web application server attacks. Awareness is definitely among the most important. Many organizations are focusing on the preventative measures that need to be applied without trying to learn how these attacks are performed. Not understanding how Web application server attacks work makes countermeasures ineffective, and simply tossing firewalls and intrusion prevention systems at the problem won't help. For instance, if your Web application server is not filtering user input, you can easily be subjected to the types of attacks mentioned above.
Another key to staying ahead of attackers is to conduct a thorough audit of your Web applications on a regular basis. Johannes Ullrich wrote a great article on how to audit your Web application over lunch using some simple techniques and Firefox plug-ins.
About the author
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, CISSP, is an information security consultant for Access 2 Networks, a Toronto, Ontario based security consulting firm. He also serves as a technical director for GIAC.
This was first published in June 2007