ADVISORY ON SQL INJECTION VULNERABILITY AND OTHER BASIC NETWORK SECURITY MEASURES

Risk:
high
Damage:
high
Platform(s):
Web Servers, Systems, Networks
Advisory ID:
ngCERT-2020-0018
Version:
N/A
CVE:
N/A
Published:
October 16, 2020

Summary


SQL injection is a technique in which an attacker supplies SQL syntax in input fields so that it is passed into queries processed by the underlying SQL database. The weakness arises when an application builds SQL statements directly from user-supplied input, so that the input can change the meaning of the query rather than being treated as data. A successful attack can result in the unauthorised viewing of user lists, the deletion of database entries and the theft of data.

Description & Consequence


On 15 October 2020, the database of a government agency was leaked online via Twitter and Pastebin by a hacker group calling itself "Anonymous". Inspection of the leaked files showed that the attacker had exploited an SQL injection vulnerability to dump the database records into a file.

The attack supplied specially crafted SQL statements through the application's input fields to trick the database into carrying out unintended actions, which gave the attacker access to privileged information.

Solution


The following security precautions should be adopted.

a.  Ensure strong database encryption. Note that encryption at rest limits the impact of stolen database files but does not stop an injected query, which reads data through the application's own authorised connection; it complements, rather than replaces, the coding controls below.

b.  Ensure secure coding practices that defend against SQL injection. This can be achieved by ensuring developers are aware of the risks, and of the tools and techniques that can be used to mitigate SQL injection vulnerabilities.

c.  Treat all user-submitted data as untrusted by validating all inputs against an allow-list of expected values or formats. Validation reduces the attack surface but is not a substitute for parameterised queries.

d.  Dynamic SQL statements built from string concatenation should not be used if avoidable. Always use prepared statements or parameterised queries. Stored procedures are only safe if they do not themselves build dynamic SQL from their arguments.

e. Update and patch vulnerabilities in applications and databases.

f.  Deploy a Web Application Firewall (WAF) to monitor web traffic. It acts as a barrier between the web application and the Internet and can block common injection patterns, but it is a compensating control and can be bypassed; the application code must still be fixed.

g.  Reduce attack surface by getting rid of any database functionality that are not needed.

h.  Connect to the database with least-privilege accounts that can only read and write the tables the application needs. Avoid using accounts with admin-level privileges unless strictly necessary, so that a successful injection cannot read every table or alter the schema.

i.  Hash user passwords with a modern password-hashing function, and keep database credentials and connection strings out of source code, in a secrets store or encrypted configuration. Connection strings must remain usable by the application, so they are encrypted and access-controlled rather than hashed.

j.  Avoid leaving debug functionality on production systems. Use custom error pages that reveal minimal information about the database, since verbose SQL errors help an attacker refine an injection.

k.  Parameterised queries send the SQL statement and the user-supplied values to the database separately. The database compiles the statement with placeholders first and binds the values afterwards, so it can always distinguish code from input data and the input can never be executed as SQL.
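The following is an added example, not code from the advisory or from the affected agency. It illustrates both the dump described in the Description section and precautions (c), (d) and (k): a lookup built by string concatenation returns every row when given the constructed payload ' OR '1'='1, the same lookup written as a parameterised query returns nothing for that payload, and an allow-list guards a sort column, since SQL identifiers cannot be bound as parameters. The table, the sample users and the function names are assumptions made for the demonstration; it runs against an in-memory SQLite database.

```python
"""Added example: SQL injection through string concatenation versus a
parameterised query, demonstrated against an in-memory SQLite database.
All data and names here are constructed for the demonstration."""
import sqlite3

# Constructed sample records (not real data).
SAMPLE_USERS = [
    (1, "alice", "alice@example.org", "staff"),
    (2, "bob", "bob@example.org", "staff"),
    (3, "carol", "carol@example.org", "admin"),
]

# Payload that turns a single-user lookup into a full table dump.
DUMP_PAYLOAD = "' OR '1'='1"

# Only these column names may be interpolated into ORDER BY.
ALLOWED_SORT_COLUMNS = {"id", "username", "email", "role"}


def make_db():
    """Create the hypothetical users table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Dynamic SQL: the input becomes part of the statement text, so a
    quote in the input changes the query's meaning."""
    sql = (
        "SELECT id, username, email, role FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the statement is compiled with a placeholder
    and the value is bound afterwards, so it is only ever data."""
    sql = "SELECT id, username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn, sort_column):
    """Identifiers cannot be bound as parameters, so the column name is
    validated against an allow-list before being interpolated."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    sql = "SELECT id, username FROM users ORDER BY " + sort_column
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The concatenated query becomes: ... WHERE username = '' OR '1'='1'
    print("vulnerable:", find_user_vulnerable(db, DUMP_PAYLOAD))
    # The parameterised query looks for a user literally named ' OR '1'='1
    print("parameterised:", find_user_safe(db, DUMP_PAYLOAD))
    print("sorted:", list_users_sorted(db, "username"))
    try:
        list_users_sorted(db, "id; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script shows the vulnerable lookup returning all three constructed rows for the payload while the parameterised lookup returns an empty list, which is exactly the difference between the leak described above and a correctly written query.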

Reference


  1. https://www.acunetix.com/websitesecurity/sql-injection/
  2. https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
  3. https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/
  4. https://owasp.org/www-project-top-ten/2017/
