SQL Injections a Threat to Websites
A database is an essential element of almost any website, since data of various kinds has to be stored for later retrieval. The most common way websites store and query that data today is through Structured Query Language (SQL) databases, which are simple to implement yet handle both small and large data sets.
When a user leaves a comment or a contact message on a website, that information has to be stored somewhere. A comment is written to the database on submission before it becomes visible to other users, and a contact message is likewise stored in the database for the admin. A database attack that has become quite common is SQL injection (SQLi), and you need to keep your website protected against it.
SQL Injection (SQLi)
Probably because of its widespread use by modern dynamic websites, the SQL database is an attractive target for attackers looking to launch a database-based attack. An SQLi attack uses an injection technique to pass extra queries and commands to your website's database, and through them to read, insert or delete stored data. The vulnerability is exploited through the data-capturing forms your site uses to collect user input (e.g. personal information, comments, messages).
A sample SQL query for fetching information from the database, with $name taken directly from a form field, would be:
SELECT name FROM comments WHERE name LIKE '%$name%';
This command is only meant to fetch data. If the value of $name is not checked, however, the same injection point can be used to read other tables, update already stored data, or, on some database engines, execute commands on the server itself: in effect the attacker gains control of your website's database and dumps the stored passwords.
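As an added example (not code from the original article, which shows only the query above), the following Python script uses an in-memory SQLite database with constructed comments and users tables to show what happens when $name is pasted straight into that LIKE query, and how the same search looks when the input is bound as a parameter. The site in the article is presumably PHP with MySQL; Python and sqlite3 are assumptions made here so that the demonstration runs offline, and the table contents are invented sample data.

```python
import sqlite3

# Constructed sample data for the demonstration; these are not real site tables.
SCHEMA = """
CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO comments (name, body) VALUES
  ('alice', 'first!'), ('bob', 'nice post'), ('carol', 'thanks');
INSERT INTO users (username, password) VALUES
  ('admin', 'hunter2'), ('editor', 'letmein');
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def search_vulnerable(conn, name):
    # The article's query with $name pasted straight into the SQL string.
    sql = "SELECT name FROM comments WHERE name LIKE '%" + name + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, name):
    # Bind the input as a parameter so it can only ever be a string value,
    # and escape LIKE wildcards so the user cannot smuggle in their own pattern.
    escaped = name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM comments WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]

# Three inputs: a normal search, a tautology that returns every row, and a
# UNION that pulls the users table (the password dump the article describes).
NORMAL = "ali"
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT password FROM users -- "

if __name__ == "__main__":
    conn = build_db()
    for payload in (NORMAL, TAUTOLOGY, UNION_DUMP):
        print(repr(payload))
        print("  vulnerable:", search_vulnerable(conn, payload))
        print("  safe:      ", search_safe(conn, payload))
```

With the tautology the vulnerable query becomes `... LIKE '%' OR '1'='1%'`, so every comment author comes back; with the UNION payload the trailing `-- ` comments out the rest of the original query and the users.password column is appended to the result set. The parameterised version treats both payloads as literal text to search for and returns nothing, which is the behaviour a comment search should have. Escaping the LIKE wildcards is a separate concern from injection, but without it a user can still turn a name search into a full-table scan with a single `%`.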
SQLi Growing Attacks
The past month has seen an alarming increase in the number of sites we monitor experiencing SQL injection attacks. Needless to say, most website attacks target Content Management Systems (CMS) such as Joomla, vBulletin and, most popular of all, WordPress.
A precautionary measure you can take is to test your own site for signs of this type of attack using the guidance published by the Open Web Application Security Project (OWASP). They maintain a page that walks through how to check for it: OWASP - Testing for SQL Injection.
Types of SQLi Attacks
The data we've gathered allows us to classify the attacks into several categories:
Code Injection: the old trick always comes into play in hacking, and attacks on SQL databases are no exception. Sites hosted on IIS are an especially frequent target of this variant, but our firewall is capable of blocking these attacks.
Exfiltration of data: this accounts for the highest number of attacks and leads to data breaches of enormous proportions. An attacker exploits a vulnerability that grants access to the database tables and then dumps user accounts and passwords.
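To make the "signs of such an attack" mentioned in the OWASP paragraph and the attack categories above concrete, here is an added example (not code from the original article or from OWASP) that scans web-server access log lines for the request patterns these attacks leave behind: UNION-based extraction, tautologies such as ' OR '1'='1, SQL comment terminators and stacked statements. The log lines are constructed for the demonstration in Apache combined format, the IP addresses are documentation ranges, and the signature list and field names are this example's own choices rather than any product's rule set.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:55:40 +0000] "GET /index.php?id=12%27+UNION+SELECT+username%2Cpassword+FROM+users--+ HTTP/1.1" 200 7311 "-" "sqlmap/1.0"
192.0.2.9 - - [10/Oct/2013:13:56:02 +0000] "GET /comments.php?name=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9901 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# One line of Apache combined log: client IP, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures applied to the URL-decoded request path. Each maps to one of the
# behaviours described above: UNION-based data exfiltration, a tautology that
# widens a WHERE clause, comment sequences that truncate the original query,
# and a second statement appended to the first.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("comment_terminator", re.compile(r"(--\s|#|/\*)")),
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]

def flag_sqli(log_text):
    """Return one record per request whose decoded path matches any signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = unquote_plus(m.group("path"))  # %27 -> ', + -> space
        matched = [name for name, rx in SIGNATURES if rx.search(decoded)]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "path": decoded,
                "signatures": matched,
                "ua": m.group("ua"),
            })
    return hits

if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_LOG):
        print(hit["ip"], hit["signatures"], hit["path"], "(" + hit["ua"] + ")")
```

Decoding the path before matching matters: the UNION request arrives as `%27+UNION+SELECT...`, and a signature applied to the raw line would miss it. Signature matching of this kind is a quick triage aid, not a replacement for fixing the query; it will miss payloads that are double-encoded or split across POST bodies, and a benign request containing the word "union" can trip the first pattern, so review the flagged paths rather than acting on the count alone.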