SQL injection, an attack vector against Web applications, is well known, and security experts have long warned
about its increased use by hackers. As a method of attack, SQL injection -- a security exploit in which someone maliciously adds Structured Query Language (SQL) code to a Web form input box in an attempt to gain access to resources or make changes to data -- only requires network port 80 to be open, one of the few ports through which even a well-configured firewall will allow traffic. Its recent use to compromise servers at Heartland Payment Systems Inc. has caused network administrators to realize what a serious threat SQL injection is and re-evaluate their defenses against it.
The key defense for preventing SQL injection attacks is the use of parameterized stored procedures. When these procedures are used, requests to the database are made using parameters and user-defined subroutines instead of commands being built using values supplied directly by a user. SQL parameters are not only type safe, but they also greatly reduce the likely success of a SQL injection attack.
Database development is outside the purview of most network administrators, but you should insist best practices are followed for safeguarding data on your network.
SQL injection protection: A guide on how to prevent and stop attacks
In this guide, learn how to detect and fix SQL injection vulnerabilities.
Although using stored procedures is a must, it's not sufficient. To fight off would-be attackers, a defense-in-depth strategy is essential; otherwise developers are being called on to provide front-line security, and traditionally that has been a challenge for many organizations. Database administrators and application developers should certainly follow best practices, but let's look at what you can do as a network administrator to provide additional protection for database resources.
Application and database servers obviously need to be hardened and regularly patched, but SQL injection threats can work even against patched systems as they attack the actual Web application -- ASP, JSP, PHP, etc. -- rather than the Web server and the OS it's running on. Sensitive information needs to be encrypted both at rest and in transit over the network, but the most important contribution will likely be the addition of a Web application firewall (WAF) or some variation of an application-layer firewall as an additional defense.
WAFs can provide protection beyond that of traditional network firewalls and intrusion detection/prevention systems. Many WAFs, like those produced by Imperva Inc. and Barracuda Networks Inc., can help prevent attacks such as SQL injection, cross-site scripting and others that target flaws in application logic or technical vulnerabilities in software. The latest WAFs can recognize evasion techniques exploited by attackers using SQL injection, such as obfuscating the attack by encoding portions of the injected command.
Your chosen application-layer firewall should also allow for the creation of filters to intercept, analyze or modify traffic specific to the network. Unusually large requests need to be analyzed and filters should strip out strings commonly used in SQL injection attacks, such as -- and @@version. All such requests can be logged and the source IP address blocked. Better still is a firewall that has the capability to "learn" what is and isn't normal traffic for your particular network and adapt its behavior accordingly. When irregularities are detected, the WAF can shut down potential attacks while they're happening. Also, as SQL injection often takes place via the URL query string, it is important to regularly review Web server's logs to look for anomalous queries that may be injection attempts.
Don't miss need-to-know info!
Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!
As the network administrator, it is also important to ensure that any accounts that are used by Web applications are granted the least possible privileges. Restricted access will minimize the damage that a successful attack could cause. Web applications should never connect as users with administrative privilege such as "sysadmin" at the server level or "db_owner" at the database level. Microsoft, for example, recommends that during the installation of SQL Server, the service is given a domain account that has its permissions set to only access the necessary resources. That way, if an attacker breaks through an organization's defenses, that person will be confined by the permission set needed to run SQL Server.
Since SQL injection attacks leverage poorly written code, the only way to completely prevent SQL injection attacks is to resolve vulnerabilities in your application's code. However, you can, as a network administrator, make life harder for a potential attacker by adding additional layers of defense that they will have to overcome.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.