Security dispatch: Yes, SQL injection attacks are still a thing

Author: Mark Stone

Despite having been around since 1998 and being easy to defend against, structured query language (SQL) injection attacks are still a threat to web application security today. As found in the Verizon 2020 DBIR, over 80% of breaches within the Hacking category involve brute force, the use of lost or stolen credentials, or SQL injection. According to Akamai's December 2020 State of the Internet report, the financial services industry alone was hit with millions of attacks every day, if not tens of millions.

What is a SQL injection attack?

SQL injection is a way of gaining control of a web application database by manipulating how the application communicates with it in SQL (structured query language), a widely used language for querying and managing databases. When a website or application needs to retrieve data from its database, it issues SQL statements to fetch, process and display information to the user.

During an SQL injection attack, an attacker submits input through the front end of a website or application that contains SQL syntax, so that when the application inserts that input into a database query it changes the query's meaning and forces the database to perform abnormal actions. If the web application executes the unexpected input, attackers can inject SQL code into the database and read, modify, copy or destroy data.

SQL attacks are usually financially motivated, but they can also be deployed for corporate espionage, political gain or bragging rights within the hacker community.

What's at risk?

If you're hit by an SQL injection attack, your data could be lost or destroyed, or even disclosed to unauthorized parties. If an attacker takes control of your database, you might not have any access to it at all.

Many high-profile data confidentiality breaches can be traced back to SQL injection attacks, and they resulted in significant financial damage. Whether its effects are downtime, attack recovery costs, regulatory penalties or negative publicity, a successful compromise can be crippling.

The risk of compromise to a database's integrity cannot be overstated. In many cases, compromised database servers can be used as infiltration points for attacks on other third-party sites.

How do we defend against them?

Fortunately, an SQL injection attack is just as easy to defend against as it is to launch. Fixing your web application to mitigate or prevent such an attack is much less complicated than for most other security threats.

Web application firewalls help detect attacks, but they shouldn't be the only prevention method deployed. Host- and network-based intrusion detection systems can monitor database server connections and alert you to suspicious activity.
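What the "suspicious activity" a WAF or intrusion detection system looks for can amount to, as an added example in Python that is not from the article or from Verizon: a small signature scanner run over four constructed web-server access-log lines. It URL-decodes each request's query string and flags SQL syntax (a quote followed by a boolean operator, UNION SELECT, comment sequences, stacked statements) where only data is expected, while leaving an ordinary apostrophe such as O'Reilly alone. The log format, patterns and sample lines are all assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2020:10:00:01 +0000] "GET /account?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Dec/2020:10:00:02 +0000] "GET /account?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001
10.0.0.9 - - [01/Dec/2020:10:00:03 +0000] "GET /search?q=union+select+name,password+from+users-- HTTP/1.1" 200 777
10.0.0.7 - - [01/Dec/2020:10:00:04 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 300
"""

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status, size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Signatures for SQL syntax appearing inside a query-string value. A bare
# apostrophe (O'Reilly) is deliberately NOT flagged on its own: it is legal
# data, and flagging it would drown real alerts in false positives.
SQLI_PATTERNS = [
    ("quote-then-boolean", re.compile(r"'\s*(or|and)\s+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("sql-comment", re.compile(r"--|/\*")),
    ("stacked-query", re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
]


def parse_line(line):
    """Split one access-log line into its fields, decoding the query string
    so that %27 and '+' are seen the way the database would see them."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, method, target, status, size = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status), "size": int(size)}


def classify(query):
    """Return the names of every signature that matches the decoded query."""
    return [name for name, pat in SQLI_PATTERNS if pat.search(query)]


def scan_log(text):
    """Run the signatures over a whole log and return (ip, path, hits) alerts."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            alerts.append((rec["ip"], rec["path"], hits))
    return alerts


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path}: {', '.join(hits)}")
```

Signature matching of this kind is exactly what the article means by "shouldn't be the only prevention method": the patterns can be evaded with alternative encodings or syntax, and they only observe requests after they reach the server, so they complement rather than replace fixing the queries themselves.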

The first step toward prevention is to assume that a breach can happen at any time and consider any input to your web application database untrustworthy. Limit account privileges. Make sure that your developers, whether in-house or third-party, use SQL libraries that sanitize inputs (i.e., scrub any user data to remove potentially malicious SQL statements). Web applications should have only the privileges they need to run, no more. If you're running a WordPress site, install a security plug-in, use only trusted plug-ins and themes, and regularly update your site.
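The difference between a query that trusts its input and one that does not, as an added example in Python that is not from the article or from Verizon. It uses the standard-library sqlite3 module, a constructed two-user table and a constructed tautology as the test input; the concatenating version lets the input become part of the SQL grammar, the parameterized version keeps it as a bound value, and the read-only connection at the end illustrates the least-privilege point above (even a statement that reaches the engine cannot write). The table, values and function names are assumptions for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample data (not from the article).
USERS = [("alice", "s3cret-alice"), ("bob", "s3cret-bob")]


def make_db(path):
    """Create the demo database with a two-row users table."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    conn.close()


def login_vulnerable(conn, name, password):
    """The classic defect: user input is concatenated straight into the query,
    so whatever SQL syntax it contains is parsed as part of the statement."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name, password):
    """Hardened form: placeholders bind the input as values. The database
    never parses them as SQL, so a quote in the password is just a quote."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run both forms against the same input and probe the read-only limit."""
    path = os.path.join(tempfile.mkdtemp(), "app.db")
    make_db(path)
    conn = sqlite3.connect(path)
    # Constructed test input: a tautology that, once concatenated, turns the
    # WHERE clause into (name = 'alice' AND password = '') OR '1'='1'.
    tautology = "' OR '1'='1"
    results = {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret-alice"),
        "vulnerable_injected": login_vulnerable(conn, "alice", tautology),
        "parameterized_normal": login_parameterized(conn, "alice", "s3cret-alice"),
        "parameterized_injected": login_parameterized(conn, "alice", tautology),
    }
    conn.close()

    # Least privilege: the application opens the file read-only, so even a
    # statement that does reach the engine cannot modify or destroy data.
    ro = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        ro.execute("UPDATE users SET password = 'x'")
        results["readonly_write_blocked"] = False
    except sqlite3.OperationalError:
        results["readonly_write_blocked"] = True
    finally:
        ro.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same contrast applies to every database driver: anything that builds SQL text from user data by string formatting is in the first category, and the fix is to use the driver's placeholder mechanism (or an ORM that does so) for all values, never just the ones that look risky.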

The Open Web Application Security Project offers a free scanner that can scan your system for SQL injection vulnerabilities.

SQL injection attacks are easily mitigated with minimal due diligence. There is no reason your web applications should still be vulnerable to them.

Learn how Verizon's Managed Security Services can help you protect what's most important.