SecurityWeek

Application Security

SQL Injection Attacks: The Menacing Maven of Internet Security is on the Rise

While SQL Injection Attacks are Growing in Frequency, Savvy Application Developers Can Find Enough Available Tools to Combat Them


SQL injection attacks are a very well known threat to Internet security, but the nitty-gritty behind the process is often a bit hazy to everyone except the most proficient Web connoisseurs. The recently successful Yahoo Voices and LinkedIn hacks have served to put SQL injection attacks squarely back on the map of public notoriety, and rightly so. While this form of security compromise has been lurking on the scene for years, it’s striking to see that it’s actually growing in prevalence. The ease of spawning these attacks, paired with the surplus of vulnerable websites and applications available to go after, makes this type of data breach a prime choice for hackers. Here’s a look at some common mistakes to watch out for and simple saves that can help protect your important data from this type of attack.

Complacency equals vulnerability

It’s simply not okay to be stagnant. Organizations need to constantly audit and test their applications for vulnerabilities. As of May of this year, SQL injection attacks constituted a full 31 percent of attacks reported – the most common technique for the month. These attacks are a favorite of serial data thieves and are often automated, which only augments the scale at which they can be deployed. The staler your rules get, the greater the chances of someone inserting malicious commands into text fields or URLs. If protected by many layers, a website can be sheltered against these potentially catastrophic security breaches, and even then, new protocols need to be written frequently.

Web app firewalls need to start flexing their muscles

Some SQL injection attacks can get past Web application firewalls (WAFs), unfortunately. Implementing WAFs absolutely has merit and can be a solid protective layer, but recent instances have shown that many WAFs are severely lacking. The key for hackers in getting past WAFs is persistence and time. Data thieves who are persistent in their attempts on site databases will almost surely prevail if the information is not securely safeguarded. It takes a relatively knowledgeable attacker to pull off WAF evasion, but with the proliferation of automated tools, it is becoming increasingly easy. If the goal is to protect data thoroughly – which it should be – the careful monitoring and detection of attacks can be handled via WAF technology, alerting the SOC to actionable correlated events. Remember to demand full disclosure of the quality of a WAF provider and do your own inspection before integrating one into your site’s security plan.
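What “actionable correlated events” can look like in practice, as an added example that is not from the article or any particular WAF product: a small detector that URL-decodes the query string before matching (so encoded payloads are not missed and a legitimate apostrophe is not flagged) and only raises a per-client alert once a threshold is crossed. The log lines, IP addresses and signature list are constructed for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample in combined-log style (invented for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2012:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512
203.0.113.7 - - [05/Aug/2012:10:00:02 +0000] "GET /item?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9011
203.0.113.7 - - [05/Aug/2012:10:00:03 +0000] "GET /item?id=42%20UNION%20SELECT%20null HTTP/1.1" 500 233
198.51.100.9 - - [05/Aug/2012:10:00:04 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 700
203.0.113.7 - - [05/Aug/2012:10:00:05 +0000] "GET /item?id=42;--%20 HTTP/1.1" 200 9011
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Patterns that are almost never legitimate in a query string: a quote followed by a
# boolean operator and comparison, UNION SELECT, or a statement terminator plus comment.
SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+\S+\s*=", re.I),
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r";\s*--"),
]


def is_suspicious(url: str) -> bool:
    # Decode %27, %20 etc. first; matching the raw URL would miss encoded payloads.
    query = unquote_plus(url.partition("?")[2])
    return any(sig.search(query) for sig in SIGNATURES)


def correlate(log_text: str, threshold: int = 2) -> dict[str, int]:
    """Count suspicious requests per client IP and return only the clients that reached
    the threshold: the correlated events worth handing to the SOC, not every single hit."""
    hits: dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m.group(2)):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```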

Test constantly

Knowing that these threats are on the rise, it’s a great idea to test applications for potential vulnerabilities on a regular basis, and to stay on top of free, collaborative tools and news to stay current. One great resource is sqlmap, an open source, Python-based tool that automates the process of detecting SQL injection flaws. After testing and analysis of your own applications, if SQL injection vulnerabilities are indeed found, the best way to correct the problems is by escalating them through service channels and thoroughly documenting any findings you’ve uncovered, which helps a developer fix the problem. If you don’t take the time to do the testing, you are accepting a potentially serious risk – a mistake you don’t want to make.

Even though SQL injection attacks are growing in frequency, savvy application developers can find enough available tools to combat them. Avoid becoming complacent with your security measures, don’t trust commonly touted layers of protection without digging for more substantiation, and test your applications as much as possible to ascertain the truth of what is going on under the surface. Attentiveness is your ammo in the fight against data compromise.

