SQL injection security series – SQL injection vulnerability

This time you will learn about the "legendary" SQL Injection hole, one of the most common and dangerous security vulnerabilities of all time.

Why is SQL Injection "legendary"?

SQL Injection owes its fame to the following:

  • Extremely dangerous – it can cause enormous damage. With SQL Injection, hackers can read all or part of the data in the system, and often modify it as well.
  • Very common and easy to carry out – the vulnerability is so well known that almost everyone, developers and hackers alike, has heard of it. On top of that, there are ready-made tools that automate SQL Injection attacks for laypeople who know nothing about programming.
  • Plenty of big names have been hit – Sony, Microsoft UK. Most scandals involving "leaked user data" have had SQL Injection somewhere in the picture.

Easy to exploit, widespread, and serious in its consequences: it is no surprise that Injection (not just SQL, but OS command and LDAP injection too) sat at the top of the OWASP Top 10 at the time of writing. XSS, CSRF and missing data encryption are on that list as well.


Consequences of SQL Injection

The biggest consequence of SQL Injection is the disclosure of data in the database. Depending on how sensitive that data is, the impact ranges from minor to extremely serious.

If credit card data leaks, hackers can go "shopping" with the cards or empty users' accounts. Millions of stolen credit card records circulate on the internet, harvested from shopping sites by hackers using SQL Injection.

Exposing customer data can hurt the company badly: its image suffers, customers move to other services, and in the worst case the company goes bankrupt.

The hole also hits customers hard. Because people tend to reuse the same password across many accounts, exposing the password of one account exposes the others as well.

This is also why I keep reminding you to store passwords as salted hashes rather than in clear text: if the database is compromised, the users still do not lose their passwords. (This is the reason why vietnamwork was scolded for not encrypting passwords.)


In many cases hackers can not only read data but also modify it. Then they can log in as admin, abuse the system, or delete all the data to take the system down.

How does a SQL Injection attack work?

The mechanism of SQL Injection is extremely simple. We use SQL statements to access data. Suppose you want to look up a user at login: the usual (naive) way is to take the username and password from the request and concatenate them straight into the SQL statement, so the code reads the user's input and appends that string to the query text.

To attack, the hacker changes what they type in, and thereby changes the SQL statement itself: a quote character closes the string the developer intended, and whatever follows is executed as SQL.

Or, if the hacker feels like it, they can drop the Users table and delete every user in the database. Scary yet?


Even my mother could use SQL Injection

Through SQL Injection, hackers can first discover the database structure (which tables exist, which columns they have) and then pull the data out with constructs such as UNION SELECT, SELECT TOP 1 …
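The login lookup described above, with the three payloads the article mentions (authentication bypass, discovering the table structure, and dumping the data with UNION), as an added example that is not code from the original post. It assumes an in-memory SQLite database with a constructed Users table; the function and payload names are my own. The vulnerable query is deliberately built by string concatenation so that the payloads work.

```python
import sqlite3

# Constructed sample data for the demo (not real accounts).
SAMPLE_USERS = [(1, "admin", "Adm1n-Secret!"), (2, "alice", "alice-pw")]


def make_db():
    """In-memory database with the Users table the article talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_login_query(username, password):
    """The bug: request fields are pasted straight into the SQL text."""
    return (f"SELECT id, username FROM Users WHERE username = '{username}' "
            f"AND password = '{password}'")


def find_user_vulnerable(conn, username, password):
    """Return matching (id, username) rows; a non-empty result means 'logged in'."""
    return conn.execute(build_login_query(username, password)).fetchall()


# Attacker-controlled inputs. In SQLite '--' starts a comment, so the rest of the
# developer's statement (the password check) is thrown away. MySQL needs a space
# after the dashes ('-- ') or '#' instead; the idea is the same.
BYPASS_USERNAME = "admin' --"             # log in as admin without knowing the password
BYPASS_PASSWORD = "' OR '1'='1"           # make the WHERE clause true for every row
# Discover the structure: sqlite_master holds the CREATE statements in SQLite
# (MySQL/SQL Server expose the same information through information_schema).
SCHEMA_PROBE = "' UNION SELECT 1, sql FROM sqlite_master --"
# Then read every username and password in one go.
DUMP_PROBE = "' UNION SELECT id, username || ':' || password FROM Users --"


def attack_demo(conn):
    """Run a legitimate failed login and the four payloads; return the rows each one gets back."""
    return {
        "legit_wrong_password": find_user_vulnerable(conn, "admin", "wrong"),
        "bypass_as_admin": find_user_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "bypass_all_rows": find_user_vulnerable(conn, "", BYPASS_PASSWORD),
        "schema": find_user_vulnerable(conn, SCHEMA_PROBE, "x"),
        "dump": find_user_vulnerable(conn, DUMP_PROBE, "x"),
    }


if __name__ == "__main__":
    db = make_db()
    print("statement actually executed:", build_login_query(BYPASS_USERNAME, "wrong"))
    for name, rows in attack_demo(db).items():
        print(f"{name}: {rows}")
```

A wrong password returns no rows, as intended; every payload returns rows it should not, and the schema probe hands the attacker the exact CREATE TABLE statement, which is all they need to write the dump query. The DROP TABLE case is not shown because Python's sqlite3 refuses to run two statements in one execute() call; drivers that allow stacked queries (common with SQL Server and PostgreSQL) do not give you that accidental protection.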

As I said, SQL Injection is very well known and you can easily google plenty of articles about it, so I have only summarised the attack mechanism briefly.

You can learn more from the examples in this article (in Vietnamese): http://expressmagazine.net/development/1512/tan-cong-kieu-sql-injection-va-cac-phong-chong-trong-aspnet .


Fortunately, although SQL Injection is very dangerous, it is also easy to prevent. These days we rarely write raw SQL; instead we use an ORM (Object-Relational Mapping) framework. The framework generates the SQL statements itself, with parameters, which makes the hacker's job much harder, as long as you do not bypass it by passing raw query strings yourself.

However, many sites still use raw SQL to access their data, and these are easy prey for hackers. To protect yourself against SQL Injection, you can take the following measures.

  • Filter user input: this defence is similar to the one for XSS. Use a filter to strip special characters (; " ') or keywords (SELECT, UNION) from user input. Use the library/function your framework provides; writing your own is time consuming and it is easy to miss cases. Treat this as a secondary layer only: blacklists of characters and keywords are easy to get around, and the next point is the real fix.
  • Do not build SQL by concatenating strings: pass user input as parameters (prepared statements). The SQL engine then treats the input purely as data, so even a value containing quotes or keywords cannot change the structure of the statement, and you need no hand-written checking code.
  • Do not display exceptions or raw error messages: hackers use error messages to work out the database structure. When something fails, show the user a generic error message and log the full details on the server, never in the response.
  • Set clear permissions in the DB: if the application only needs a few tables, create a dedicated DB account with rights to just those tables, and never run the application as root or sa. Then even if the hacker injects SQL, they cannot read the other tables, nor modify or delete data the account has no rights to.
  • Back up data regularly: as the saying goes, "better safe than sorry". Back up regularly so that if a hacker deletes your data you can still recover it, and keep the backups somewhere the application's DB account cannot reach. If the backups are deleted too then … congratulations, update your CV and start looking for a new company!
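The same login lookup written the way the list above recommends, as an added example that is not code from the original post: a parameterised query, passwords stored as salted PBKDF2 hashes (the point made earlier about vietnamwork), a generic error message with the real cause going to the server log, and a read-only connection standing in for a least-privilege DB account. It assumes an in-memory SQLite database with constructed sample accounts; because SQLite has no GRANT, the privilege restriction is emulated with sqlite3's authorizer callback, and the function names are my own.

```python
import hashlib
import hmac
import logging
import os
import sqlite3

log = logging.getLogger("login")

# Constructed sample accounts for the demo (not real credentials).
SAMPLE_USERS = [("admin", "Adm1n-Secret!"), ("alice", "alice-pw")]
PBKDF2_ROUNDS = 100_000


class LoginError(Exception):
    """Raised with a generic message; the real cause is only written to the server log."""


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random 16-byte salt, stored as hex(salt)$hex(digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(candidate, bytes.fromhex(salt_hex)), stored)


# Throwaway hash so an unknown username costs the same time as a wrong password.
DUMMY_HASH = hash_password("dummy")


def make_db():
    """In-memory database; passwords are stored hashed, never in clear text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)")
    conn.executemany("INSERT INTO Users (username, password_hash) VALUES (?, ?)",
                     [(name, hash_password(pw)) for name, pw in SAMPLE_USERS])
    conn.commit()
    return conn


def empty_db():
    """A connection with no tables, used to provoke a query error."""
    return sqlite3.connect(":memory:")


def restrict_to_select(conn):
    """Emulate a least-privilege DB account: SQLite has no GRANT, so an authorizer
    callback allows only SELECT/READ on this connection and denies everything else."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

    def authorizer(action, arg1, arg2, db_name, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def write_is_refused(conn):
    """True if the connection refuses a DELETE, i.e. the privilege restriction holds."""
    try:
        conn.execute("DELETE FROM Users")
    except sqlite3.DatabaseError:
        return True
    return False


def login(conn, username, password):
    """Return the user id on success, None on bad credentials.
    The SQL text is constant; user input only ever travels as a bound parameter."""
    try:
        row = conn.execute("SELECT id, password_hash FROM Users WHERE username = ?",
                           (username,)).fetchone()
    except sqlite3.Error as exc:
        log.error("login query failed for %r: %s", username, exc)  # detail stays server-side
        raise LoginError("Login failed") from None                # the user learns nothing
    if row is None:
        verify_password(DUMMY_HASH, password)  # same cost as a real check
        return None
    user_id, stored_hash = row
    return user_id if verify_password(stored_hash, password) else None


if __name__ == "__main__":
    db = restrict_to_select(make_db())
    print("admin/correct ->", login(db, "admin", "Adm1n-Secret!"))
    print("admin' -- /x  ->", login(db, "admin' --", "x"))
    print("write refused ->", write_is_refused(db))
```

The payloads from the attack section now simply fail to match a username, because the driver sends them as data rather than as SQL. A missing table raises LoginError("Login failed") while the sqlite3 error text goes to the log, and a DELETE on the restricted connection is refused with "not authorized", which is the effect a properly scoped DB account gives you on a real server.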


Data is one of the most valuable things on your website. After reading this article, check whether your site is vulnerable to SQL Injection, then apply the measures above to fix it.

If you have ever been hit by SQL Injection, or have experience preventing it, please share it in the comments!

More reference sources

ITZone via toidicodedao
