
SQL Injection Tutorial: Tackling SQLi with Source Code Analysis

Nov 20, 2014 By Sharon Solomon

The impact of the Drupal fiasco is still being felt across all industry sectors. The world’s third biggest CMS platform was compromised with arguably the oldest hacking technique in existence – the SQL injection (SQLi). While the Drupal 7.32 update has resolved this specific problem, SQL injections won’t really go away until they are treated from the root – the application code.  


SQL first emerged in the mid-80s and has now become a globally accepted database language. But the “internet and mobile boom” in recent years has also exposed its weaknesses. SQL injections are constantly starring in the OWASP Top-10.


SQL injection is used to gain unauthorized access to application databases and to orchestrate further exploits from there. Data and identity theft are the most common cybercrimes committed with the help of SQLi. Hacktivists also commonly use it to deface websites and wipe out their content.


Why is the SQL injection so common and effective?


Generally speaking, SQLi vulnerabilities stem from unsanitized user input. The most common exploitation is through the log-in fields of unprotected applications that use a central database to deliver and render information. In reality, such opportunities exist in the majority of leading e-commerce, social and financial applications and websites.


The malicious commands are injected into SQL statements via input fields that do not recognize the manipulation, so the input is executed as part of the query. Once the attackers establish a channel to the application's database, they can perform a wide range of malicious actions, limited only by the permissions and privileges of the database account they have gained access to.



How the SQL injection works. Courtesy: Computerphile


SQL injections: Causing consistent damage to applications and websites.


The Drupal fiasco made the headlines last month and is still refusing to go away.


For example, the Indiana Department of Education (IDOE) website was recently hacked by the Nigeria Cyber Army. Although no personal data was compromised during the attacks, the problems were so severe that the technical staff had to take the website down for a few days until the lingering issues were completely resolved.


There have been thousands of automated attacks in recent weeks. Websites still running the vulnerable Version 7 of the Drupal CMS are in direct danger of falling prey to crawlers dispatched by malicious attackers. It is also important to note that upgrading to the patched Version 7.32 does not clean up websites that have already been compromised.


Meanwhile, voices are rising to eliminate the SQL injection problem altogether.


The UK Information Commissioner’s Office (ICO) has fined a travel firm following a massive information leak caused by the SQLi security issue. Worldview Ltd failed to address the SQL injection problem on time and the result was the identity theft of over 3000 of its customers. The firm had to pay a £7500 fine for this grave negligence.


“Organizations must act now to avoid one of the oldest hackers’ tricks in the book,” said Simon Rice, ICO technology group manager. “If you don’t have the expertise in-house, then find someone who does, otherwise you may be the next organization on the end of an ICO fine and the reputational damage that results from a serious data breach.”


ICO has also provided a guide on how to be protected against web attacks and cybercrime.




This legal development, minor as it may seem, is the first time an organization has been held to account for neglecting application security. While many well-recognized global security standards exist, their implementation is questionable at best. One such benchmark is the PCI DSS, a detailed standard for the payment card industry.


5 ways to eliminate SQLi and the role of Source Code Analysis (SCA).

The root of the problem with SQLi is the failure of applications to validate their input. Almost all leading programming and scripting languages today offer input sanitization facilities that application developers should implement "religiously". Additional care should be taken to validate all input, regardless of its source.

The following steps should be taken by all developers:

  1. Whitelisting – Accept only specifically pre-defined legal structures. The whitelist should typically cover data type, size, range, format and expected values.
  2. Blacklisting as a supplementary tactic – Filters that only reject suspicious patterns and specific commands are not nearly as effective, because attackers can usually find an encoding or variant the filter does not anticipate. Relying on this methodology alone is risky.
  3. Disguising error messages – If an error message says "Password cannot contain symbols", for example, an attacker can adjust their strategy accordingly. Error messages should not disclose details of the validation or database layer.
  4. Implementing security tools – Since attackers make multiple access attempts during their raids, SQLi attacks increase the volume of access traffic. Even a basic tool that warns of such activity can be helpful.
  5. Timely installation of updates – As seen shortly after the Drupal news went viral, malicious attackers are always ready to pounce on known vulnerabilities. Installing security patches on time has become crucial.
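The vulnerable log-in check described earlier and the whitelist and error-message advice in steps 1 and 3 above, shown side by side as an added example (this code is not from the original article and not Checkmarx's own). It uses an in-memory SQLite database with one constructed user record; the table, column names and the `hash-of-correct-password` placeholder are assumptions. The vulnerable function builds its statement by string concatenation, so a tautology in the password field makes the `WHERE` clause true for every row; the hardened function whitelists the username (which has a legitimate fixed format) and passes both values as bound parameters, so the database never parses them as SQL.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: one user, one (placeholder) password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Unsanitized input concatenated into the statement: the input becomes SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone()[0] > 0


# Step 1, whitelist: type, length and character set of a username are fixed,
# so anything outside that structure is rejected before it reaches the database.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


class InvalidInput(ValueError):
    pass


def validate_username(username):
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise InvalidInput("invalid username")
    return username


def login_hardened(conn, username, password_hash):
    """Whitelist validation plus a parameterized query.

    The password is deliberately not whitelisted (rejecting symbols would be the
    kind of disclosure step 3 warns about); binding it as a parameter is what
    keeps it from being interpreted as SQL.  Every failure path returns the same
    False so the caller can emit one generic 'log-in failed' message.
    """
    try:
        username = validate_username(username)
    except InvalidInput:
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] > 0


def demo():
    """Runs both checks against the same constructed tautology in the password field."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable_bypass": login_vulnerable(conn, "alice", tautology),
        "hardened_bypass": login_hardened(conn, "alice", tautology),
        "hardened_valid": login_hardened(conn, "alice", "hash-of-correct-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows `vulnerable_bypass` as `True` (the concatenated query matched a row with no valid credentials) while `hardened_bypass` is `False` and only the genuine credentials pass the hardened check. The whitelist is applied where a format is genuinely fixed; the parameter binding is what protects every field, including free-form ones.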


But the developers should also know where exactly to apply these precautions. This is where SCA comes into play.


CxSuite is integrated directly into the various stages of the Software Development Life Cycle (SDLC). The application's source code is then scanned comprehensively and data flow is mapped from each input all the way to the sink. Sensitive and critical flows that pass through no sanitization method are flagged and the developers are alerted.

The Checkmarx scanner also pinpoints the exact locations where the sanitization methods need to be placed. Known as the "best fix location", this Checkmarx feature enables the remediation of multiple flaws with a single fix. The final result is a robust application that is no longer vulnerable to SQL injection.
