Common Vulnerabilities In Web Apps: SQL Injection

Web Application Risks: SQL Injection

Welcome to the second of five posts on the top vulnerabilities found in vendor and bespoke web applications. Here, InfoSec Pro Kai Stimpson focuses on the second most common vulnerability we encounter – SQL Injection.

You can catch the first post on broken authentication here.

What is SQL injection?

SQL (Structured Query Language) injection is a technique used for attacking data-driven apps. Despite having been around for nearly 20 years, it continues to pose a significant risk to many web applications.

SQL injection maintains its presence in OWASP’s (The Open Web Application Security Project’s) top 10 most critical web application security risks, the latest copy of which may be accessed here:

OWASP Top Ten Project

SQL injection occurs when a SQL query is built by concatenating user-supplied input into the query text, so that input which has not been sanitised or parameterised can change the meaning of the statement.

When an application fails to protect against SQL injection, an attacker can inject their own SQL into the query and mount a variety of attacks. Such attacks can include:

  • Retrieving and modifying information stored in the database
  • Executing administration operations on the database
  • Performing remote command execution without proper authorisation

The resources detailed below provide a wealth of information on how SQL injection can be exploited to attack a web application that has either an integrated MySQL Database or Microsoft SQL Database.

How to Mitigate the Risks of SQL Injection

Parameterised Queries

Implement parameterised queries (prepared statements) so that user-supplied input is passed to the database as a bound value, separate from the fixed query text, rather than concatenated into it. This ensures that user-supplied data cannot break out of the SQL query that is written into the application.

Whilst parameterised queries are generally the preferred mitigation method, if this is not possible the implementation of stored procedures may be an option.

Stored Procedures

Stored procedures can, like parameterised queries, be implemented safely, provided that their parameters are subject to strict validation and escaping and that the procedure does not build dynamic SQL from those parameters in an unsafe manner.

Sanitising Input / Escaping User Supplied Input

Finally, a technique inferior to parameterised queries is sanitising input alongside escaping user-supplied input. This method should be used with care, as mistakes are easily made that leave individual parameters vulnerable to SQL injection.

This method involves adding logic that removes or escapes dangerous characters and accepts only ‘known-good’ values for each parameter before they are passed to the query.
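To make the three approaches above concrete, here is an added example that is not from the original post. It uses Python's standard sqlite3 module against a small in-memory database constructed here (the table and column names are assumptions), and shows a concatenated query breaking on a legitimate value containing a quote, the same lookup done with a bound parameter, and an allow-list check on a numeric parameter on top of binding.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database stands in for the
# application's real database (table and column names are assumptions).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user"), ("carol", "user")])
    return conn

def find_user_unsafe(conn, username):
    # Vulnerable pattern: input concatenated straight into the query text, so a
    # quote character in the input ends the string literal and is parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterised(conn, username):
    # Mitigation: fixed query text with a bound placeholder; the driver sends
    # the value to the database as data, so quotes in it are never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

DIGITS_ONLY = re.compile(r"^[0-9]{1,10}$")

def find_user_by_id(conn, user_id):
    # Defence in depth: accept only 'known-good' input (digits) for a numeric
    # parameter, and still bind it rather than concatenating it.
    if not DIGITS_ONLY.fullmatch(user_id):
        raise ValueError("user id must be numeric")
    return conn.execute("SELECT username, role FROM users WHERE id = ?",
                        (int(user_id),)).fetchall()

def demo(username="o'brien", user_id="2abc"):
    # Runs the same awkward-but-legitimate username through both lookups, and a
    # non-numeric id through the validated lookup, and reports what happened.
    conn = build_db()
    report = {"parameterised": find_user_parameterised(conn, username)}
    try:
        report["unsafe"] = find_user_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        report["unsafe"] = "broken query: " + str(exc)
    try:
        report["by_id"] = find_user_by_id(conn, user_id)
    except ValueError as exc:
        report["by_id"] = "rejected: " + str(exc)
    return report
```

Calling demo() shows the concatenated query failing with a syntax error on o'brien while the parameterised query returns the row; any input that breaks the unsafe version in this way would, with crafted content, be able to alter the query rather than merely break it.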

SQL Injection Prevention Resources

OWASP provide an excellent SQL injection prevention cheat sheet that can be found here:

OWASP SQL Injection Prevention Cheat Sheet

If you need help with your organisation’s cyber hygiene and risk management, we’d be glad to assist. Click here to contact us.

We are Perspective Risk

  • Information security is crucial to every aspect of your business – operational efficiency, profitability, business continuity, customer confidence, brand loyalty, protection against fraud and meeting regulatory requirements.

    Our penetration testing and cyber security testing have proven time and time again to be an effective security assessment of business IT infrastructure.

    Perspective Risk provides in-depth security assessments, risk management and compliance solutions to help you keep your confidential information safe and your critical systems secure. We’re innovative, flexible and supportive, helping you through any information security issues to deliver real business benefits and excellent value.
