“SQL injection” – the phrase seems forbidding, and the reality it signifies is quite sinister.
In fact this concept was mostly unknown just a few months ago, but now Web site developers around the world are not only well aware of the phrase – they dread it.
Sophos consultant Graham Cluley discusses SQL injection.
BusinessWeek became the latest big name Web site to fall victim to the attack method that is growing in popularity. A widely-known magazine and one of the 1,000 busiest sites on the Web was suddenly posing a risk to its readers.
MBA students seeking out possible jobs were exposed to malware when the attack hit last month.
“BusinessWeek started distributing malware from a Russian Web site,” says Mark Fallon, software development director with Oracle Corp. in Redwood Shores, Calif. “It was the result of an SQL statement that showed up on almost every one of its Web [pages].”
BusinessWeek is hardly alone. SQL injection attacks have also claimed high-profile victims such as Sony Playstation 3’s Web site and several news organizations covering the Beijing Olympics.
According to security vendor Sophos plc, 16,000 new Web sites are hit by the attacks every single day.
It is now hackers’ second-favourite Web site vulnerability to exploit, just behind cross-site scripting, according to Oracle. The San Francisco-based enterprise software company sought to arm its users with a defence against the attacks at its OpenWorld 2008 conference last month.
“SQL injection attacks are increasing,” said Eric Maurice, director of Oracle software security assurance. “But we have more ways to prevent against the attacks.”
Attacks generally take advantage of sloppy coding by Web developers. When a Web site asks a user for information (a name, for example) but builds the SQL statement by pasting that input straight into the statement text instead of treating it as data, the input can be interpreted as code. That means hackers can inject their own strings of SQL into the query the site sends to the database, simply by typing them into the form.
Once that occurs, a hacker could potentially read information from the server or change it. Worse still, some degree of control over the server, or the entire network, could potentially be gained.
Attackers probe Web sites with automated tools that seek out forms and enter special characters that might trigger a parsing error. When that happens, the hacker knows there’s a potential glitch that’s worth investigating further. This method of probing for vulnerabilities is dubbed “Black Box Testing.”
“It’s a mining expedition,” Fallon says. “Once they find that error, they know it’s something they want to beat up on.”
Another, more dangerous, method of probing called “Grey Box Testing” occurs when a hacker has some knowledge of the coding system used in an application.
When hackers have an opportunity to test a Web application against their own server, they can see where the input entered is being used. They then try to design attacks based on that information.
The grey box method can be launched at open source code and private code sets, Fallon says. “Most managed code sets can be decompiled, so the fact it is not open source does not offer any real protection.”
Oracle’s software security assurance division has been finding ways to guard its business software against this sort of injection attack for many months, Maurice says. Now the company wants to offer some of that expertise to its customers – or anyone else.
A free online tutorial walks developers through a few steps that promise to stop SQL injection attacks. View the pages over the Web or download them to keep.
“This training was initially done for Oracle application engineers,” Maurice says. “But we’ve now externalized it for customers to help stop the malicious attackers who exploit weaknesses in your environment by injecting statements.”
Avoid Dynamic SQL
It’s dynamic SQL that hackers are exploiting, so avoid it altogether where possible. You should be able to code with static SQL in situations where you know the variables in advance, such as the objects you will reference, the number of columns and the data types.
“To use static SQL, accept the user input and then concatenate the necessary string to a local variable,” Fallon explains. “Then pass the variable to the static SQL statement, so there is no concatenation involved.”
Not only will this help prevent attacks, but static SQL is actually faster.
Use bind arguments
In situations where you do need dynamic SQL, write it with bind arguments. The statement text then stays constant, so the server can reuse the already-parsed SQL, parsing work drops, and injection attempts are shut down because a bound value is compared as data and never parsed as part of the statement.
“Most security fixes involve adding a lot of extra checks,” Fallon says. “But SQL injection is the only one I know where speeding up your code is the solution.”
Be aware that bind arguments can’t be used with dynamic SQL when you need to execute DDL statements or reference Oracle identifiers.
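The three approaches discussed above, side by side, as an added PL/SQL example (this is not code from the article or from Oracle’s tutorial). The EMPLOYEES table, the package and function names, and the sample input are all constructed for illustration; the first function is deliberately left with the concatenation defect so the other two can be compared against it.

```plsql
-- Added example, not from the article. Assumes a table
-- EMPLOYEES(LAST_NAME VARCHAR2(...)) exists in the current schema.
CREATE OR REPLACE PACKAGE emp_lookup AS
  -- Vulnerable: user input is concatenated into the statement text.
  FUNCTION count_by_name_unsafe (p_name IN VARCHAR2) RETURN PLS_INTEGER;
  -- Static SQL: the value only ever travels through a PL/SQL variable.
  FUNCTION count_by_name_static (p_name IN VARCHAR2) RETURN PLS_INTEGER;
  -- Dynamic SQL with a bind argument: text is fixed, the value is bound.
  FUNCTION count_by_name_bound  (p_name IN VARCHAR2) RETURN PLS_INTEGER;
END emp_lookup;
/

CREATE OR REPLACE PACKAGE BODY emp_lookup AS

  FUNCTION count_by_name_unsafe (p_name IN VARCHAR2) RETURN PLS_INTEGER IS
    l_sql   VARCHAR2(4000);
    l_count PLS_INTEGER;
  BEGIN
    -- The input becomes part of the SQL text. A quote character inside it
    -- ends the literal early and the remainder is parsed as SQL, which is
    -- exactly the parsing error the probing tools described above look for.
    l_sql := 'SELECT COUNT(*) FROM employees WHERE last_name = '''
             || p_name || '''';
    EXECUTE IMMEDIATE l_sql INTO l_count;
    RETURN l_count;
  END count_by_name_unsafe;

  FUNCTION count_by_name_static (p_name IN VARCHAR2) RETURN PLS_INTEGER IS
    l_pattern VARCHAR2(4000);
    l_count   PLS_INTEGER;
  BEGIN
    -- Any string building happens in a local variable (here a LIKE
    -- pattern); the statement itself is compiled once and treats
    -- l_pattern purely as data. Note that % and _ act as LIKE wildcards,
    -- not as SQL, so they widen the match but cannot alter the query.
    l_pattern := p_name || '%';
    SELECT COUNT(*) INTO l_count
      FROM employees
     WHERE last_name LIKE l_pattern;
    RETURN l_count;
  END count_by_name_static;

  FUNCTION count_by_name_bound (p_name IN VARCHAR2) RETURN PLS_INTEGER IS
    l_count PLS_INTEGER;
  BEGIN
    -- The statement text never changes, so the parsed form is reused and
    -- whatever p_name contains is compared as a value, never parsed.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM employees WHERE last_name = :name'
      INTO l_count USING p_name;
    RETURN l_count;
  END count_by_name_bound;

END emp_lookup;
/

-- Constructed input: a perfectly ordinary surname that contains a quote.
-- The unsafe version fails to parse on it; the static and bound versions
-- simply look for that surname.
DECLARE
  l_input VARCHAR2(100) := 'O''Brien';
BEGIN
  BEGIN
    DBMS_OUTPUT.PUT_LINE('unsafe: ' || emp_lookup.count_by_name_unsafe(l_input));
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('unsafe: ' || SQLERRM);   -- parse error surfaces here
  END;
  DBMS_OUTPUT.PUT_LINE('static: ' || emp_lookup.count_by_name_static(l_input));
  DBMS_OUTPUT.PUT_LINE('bound : ' || emp_lookup.count_by_name_bound(l_input));
END;
/
```

Run the final anonymous block with server output enabled. The point of the contrast is that the two safe versions never give the parser a chance to see user data as SQL, which is also why they are the faster forms: the statement text is identical on every call and is parsed once.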
Filter and sanitize input
If you’re dealing with code that makes use of Oracle identifiers, you can use the company’s “DBMS_ASSERT” package to scan through your code and fix up potential vulnerabilities for you.
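For the case the previous section flags, where a bind argument cannot be used because the user-supplied value is an Oracle identifier (a table name for a dynamic DDL statement, for instance), the following added PL/SQL example shows one way to validate that identifier with DBMS_ASSERT before it is concatenated. It is not code from the article or from Oracle’s tutorial; the function name, the allowlist and the table names in it are constructed for illustration.

```plsql
-- Added example, not from the article. Counts rows in a table whose name
-- is supplied at run time; the same checked_name pattern applies to DDL
-- such as TRUNCATE TABLE, where no bind argument is possible at all.
CREATE OR REPLACE FUNCTION row_count (p_table IN VARCHAR2) RETURN PLS_INTEGER IS
  l_name  VARCHAR2(130);
  l_count PLS_INTEGER;
BEGIN
  -- 1. Shape check: SIMPLE_SQL_NAME returns p_table unchanged only if it
  --    is a syntactically valid unqualified identifier; anything else
  --    (spaces, semicolons, comment markers, a second statement) raises
  --    ORA-44003 and the statement is never built.
  -- 2. ENQUOTE_NAME wraps the result in double quotes (upper-casing an
  --    unquoted name), so the text that reaches EXECUTE IMMEDIATE is a
  --    single identifier and nothing more.
  l_name := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table));

  -- 3. Validation is not authorisation: DBMS_ASSERT says the name is well
  --    formed, not that this caller may read that table. A constructed
  --    allowlist keeps the routine to the tables it was written for.
  IF l_name NOT IN ('"EMPLOYEES"', '"DEPARTMENTS"') THEN
    RAISE_APPLICATION_ERROR(-20001, 'table not permitted: ' || l_name);
  END IF;

  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || l_name INTO l_count;
  RETURN l_count;
END row_count;
/

-- Constructed inputs: one valid name, one that is not an identifier.
BEGIN
  DBMS_OUTPUT.PUT_LINE('employees -> ' || row_count('employees'));
  BEGIN
    DBMS_OUTPUT.PUT_LINE(row_count('employees where 1=1; --'));
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);   -- ORA-44003 expected
  END;
END;
/
```

DBMS_ASSERT also offers QUALIFIED_SQL_NAME for schema.object names, SQL_OBJECT_NAME to confirm the object actually exists, and ENQUOTE_LITERAL for string literals; which one to call depends on what kind of token the concatenated value is supposed to be.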
All Web developers can make use of the free tools that Microsoft and HP released to help safeguard against SQL attacks as well.
When it comes down to it, consider the source of data you’re dealing with in your code, Fallon advises. If it is coming from the outside world, it should be treated as risky.