The impact of the Drupal fiasco is still being felt across all industry sectors. The world's third biggest CMS platform was compromised through one of the oldest web attack techniques still in active use: SQL injection (SQLi). While the Drupal 7.32 update resolves this specific flaw, SQL injection will not go away until it is treated at the root: the application code that builds the queries.
SQL dates from the 1970s and was standardized by ANSI in 1986; it is now the globally accepted database language. The "internet and mobile boom" of recent years has also exposed its main weakness: query text and untrusted data are all too easily mixed. Injection has consistently held the top spot in the OWASP Top 10.
SQL injection is used to gain unauthorized access to application databases and to orchestrate further exploits from there. Data and identity theft are the most common cybercrimes committed with the help of SQLi. Hacktivists also commonly adopt this technique to deface targeted websites and wipe out their content.
Why is the SQL injection so common and effective?
Generally speaking, SQLi vulnerabilities arise wherever untrusted input reaches a database query without being sanitized or, better, separated from the query text. The most commonly exploited entry points are log-in and search fields of unprotected applications that use a central database to deliver and render information. In reality, such opportunities exist in a large share of the leading e-commerce, social and financial applications and websites.
The attacker's input is concatenated into an SQL statement, so characters such as a quote or a comment marker change the structure of the query rather than being treated as data. Once attackers can talk to the application's database this way, the range of actions open to them depends on the permissions and privileges of the database account the application runs under: reading or altering other users' records, bypassing authentication, and in some configurations reading files or executing commands on the server.
How the SQL injection works. Courtesy: Computerphile
SQL injections: Causing consistent damage to applications and websites.
The Drupal fiasco made the headlines last month and is still refusing to go away.
For example, the Indiana Department of Education (IDOE) website was hacked by the Nigeria Cyber Army recently. Although no personal data was compromised during the cyberattacks, the problems were so severe that the technical officers had to take down the website for a few days till the lingering issues were completely resolved.
There have been thousands of automated attacks in recent weeks. Websites still running an unpatched 7.x release of the Drupal CMS are in direct danger of falling prey to the automated scanners that attackers have dispatched. It is also important to mention that upgrading to the patched version 7.32 does not clean up a website that was already compromised; backdoors and altered accounts planted before the upgrade survive it.
In the meanwhile, voices are rising to eliminate the SQL injection problem altogether.
The UK Information Commissioner’s Office (ICO) has fined a travel firm following a massive information leak caused by the SQLi security issue. Worldview Ltd failed to address the SQL injection problem on time and the result was the identity theft of over 3000 of its customers. The firm had to pay a £7500 fine for this grave negligence.
“Organizations must act now to avoid one of the oldest hackers’ tricks in the book,” said Simon Rice, ICO technology group manager. “If you don’t have the expertise in-house, then find someone who does, otherwise you may be the next organization on the end of an ICO fine and the reputational damage that results from a serious data breach.”
ICO has also provided a guide on how to be protected against web attacks and cybercrime.
This legal development, minor and insignificant as it may seem, is a rare instance of an organization taking the heat specifically for neglecting application security. While many well-recognized global security standards exist, their implementation is questionable at best. One such benchmark is the PCI DSS, the payment card industry's data security standard, which explicitly requires that applications be protected against injection flaws (Requirement 6.5.1).
5 ways to eliminate SQLi and the role of Source Code Analysis (SCA).
The root of the problem with SQLi is that applications build queries by splicing untrusted input into SQL text. Almost all leading programming and scripting languages today offer parameterized queries (prepared statements) that keep the query structure fixed and pass user values separately; these should be used "religiously" by application developers, and their input-sanitization facilities used on top. Additional care should be taken to validate all input, regardless of its source: form fields, HTTP headers, cookies, file contents and data read back from the database itself.
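To make the mechanism described above concrete, here is an added example in Python with SQLite. It is not code from the original post, from Drupal or from Checkmarx: a login check that builds its query by string concatenation, the same check rewritten with bound parameters, and an allow-list validator as the complementary layer. The accounts, the two payloads and the helper names are constructed for the demonstration.

```python
import hashlib
import re
import sqlite3

# Constructed sample data for the demo: two accounts in an in-memory database.
USERS = [
    ("alice", "wonderland"),
    ("admin", "correct horse battery staple"),
]


def hash_password(password):
    # Demo-only hashing. A real application would use a slow, salted
    # password hash (bcrypt, scrypt, Argon2), not bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Create an in-memory users table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in USERS],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic bug: the username is pasted into the SQL text.

    Whatever the attacker types becomes part of the statement, so a quote
    followed by a comment marker (--) rewrites the WHERE clause and drops
    the password check entirely.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, hash_password(password))
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: the query text is fixed and values travel as bound parameters.

    The driver never parses the username as SQL, so the same payloads are
    compared literally against the column and match no row.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, hash_password(password))).fetchone()
    return row[0] if row else None


# Allow-list for usernames: letters, digits and a few separators, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """Complementary input validation: reject anything that is not a plausible
    username before it reaches the data layer. Defence in depth, not a
    substitute for parameterized queries."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    attempts = [("alice", "wonderland"), ("admin'--", "anything"), ("' OR 1=1 --", "x")]
    for user, pw in attempts:
        print(
            repr(user),
            "| valid:", is_valid_username(user),
            "| vulnerable ->", login_vulnerable(conn, user, pw),
            "| safe ->", login_safe(conn, user, pw),
        )
```

Run as a script, the vulnerable check logs the attacker in as `admin` for the payload `admin'--` and as the first stored user for `' OR 1=1 --`, while the parameterized check returns nothing for both and the validator rejects both before any query is issued.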
The following steps should be taken by all developers:
But the developers should also know where exactly to apply these precautions. This is where SCA comes into play.
CxSuite is integrated directly into the various stages of the Software Development Life Cycle (SDLC). It scans the application's source code and maps data flow from each untrusted source (the input) all the way to the sink (the query). Sensitive and critical flows that reach a sink without passing through a sanitization or parameterization method are flagged and the developers are alerted.
The Checkmarx scanner also points at the exact places where the sanitization methods need to be placed. Known as the "best fix location", this Checkmarx feature identifies the point that several vulnerable flows pass through, so that multiple flaws can be remediated with one fix. The result is an application in which every flagged path from input to query has been closed, rather than one patched injection point at a time.