Topics In Demand
Notification
New

No notification found.

268

0

Web based attack - SQL Injection (SQLi)

SQL Injection (SQLi) is a type of injection attack that allows malicious SQL commands to be executed. These commands are used to control a database server that is connected to a web application. SQL Injection flaws can be used by attackers to get around application security protections. They can bypass a web page or application authentication and authorization to retrieve the complete SQL database's content. SQL Injection can also be used to create, alter, and delete records in the database. In-band SQLi (using database errors or UNION commands), blind SQLi, and out-of-band SQLi are the major types of SQL Injection attacks.

Consequences of an SQL injection attack

  • SQL Injections can be used by attackers to discover the credentials of other users in the database. They can then exploit these users' identities to impersonate them. It's possible that the impersonated user is a database administrator with full database access.
  • You can use SQL injection to select and output data from a database. An SQL Injection vulnerability might provide an attacker complete access to a database server's data.
  • Successful SQL injection also allows you to change and add data to a database. An attacker may, for example, employ SQL Injection in a banking application to change balances, invalidate transactions, or move money to their account.
  • SQL can be used to drop tables and delete records from a database. Even if the administrator backs up the database, data destruction may cause application downtime until the database is recovered. Furthermore, backups could not include the most recent data.
  • You can use the database server to access the operating system on some database servers. This could be deliberate or unintentional. In this situation, an attacker could start with a SQL Injection and then go on to the internal network behind a firewall.

SQL Injection attack surface

  • The Philips Tasy EMR, a medical record solution and healthcare management system used by hundreds of institutions, is vulnerable to two serious SQL injection issues. The flaws are identified as CVE-2021-39375 and CVE-2021-39376, and both have a CVSS v3 severity score of 8.8.
  • Two severe security weaknesses have been discovered and exploited in a prominent satellite communications (SATCOM) system designed by Stratos Global used on ships all over the world: a hidden backdoor account with full system rights and a SQL injection in the login form.
  • Severe SQL Injection Flaw Discovered in Word Press Plugin with Over 1 Million Installs.

Mitigation of SQL injection

  • Trust no one: Assume that all data given by users is malicious, and check and sanitize everything.
  • When feasible, avoid using dynamic SQL and instead use prepared statements, parameterized queries, or stored procedures.
  • Update and patch: SQL injection vulnerabilities in apps and databases are frequently identified, thus it's critical to install fixes and updates as quickly as possible.
  • Web application firewall (WAF): To assist filter out malicious data, consider using a web application firewall (WAF) - either software or an appliance. A WAF can be very beneficial for providing security protection against a new vulnerability before a fix is released.
  • Reduce the size of your attack surface: Remove any database functionality that you don't require to avoid a hacker exploiting it. 
  • Maintain your secrecy: Assume that your application is insecure and secure passwords and other confidential data, such as connection strings, by encrypting or hashing them.
  • Don't forget the fundamentals: Passwords for application accounts in the database should be changed on a regular basis. This seems obvious, but in practice, passwords are frequently left unchanged for months or even years.

PREVENT SQL INJECTION WITH MRC

MRC’s Access control policies includes the practice of limiting users' access rights to only the resources they need to conduct valid, everyday tasks. Privilege access management can assist you in protecting your data from illegal access. The principle of least privilege establishes a minimum set of user rights that allows a user to access just those resources that are required to execute his or her job. It decreases the danger of unauthorized users, apps, without affecting the organization's overall productivity.

With our contextual based Access control we can limit users based on:

  1. Role based access control
  2. Time based access control
  3. Location based access control
  4. Network based access control
  5. Domain based access control

With MRC's server administration solution, maintaining server security is now easier than ever. A secure solution with built-in server security capabilities provides cutting-edge security while allowing you to focus on your business. With features like graphical session monitoring, our server administration solution helps you safeguard and manage your SSH key life cycle with our next-generation AI technology.

 

 

 

 

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


Business leader with 28 years of global business management experience and with deep exposure to IaaS, PaaS, SaaS, Business Analytics and Cyber Security practices.

© Copyright nasscom. All Rights Reserved.