In Depth Look at SQL Injections!

In this blog post I will discuss SQL injection: what this type of attack is, how attackers carry it out, a real-world example of people exploiting this vulnerability, and how to prevent an attacker from exploiting it in your application. To begin with a simple definition: an SQL injection becomes possible when your code is poorly designed, so that an attacker can pass query code through an input box and have it interpreted directly by the back-end database. From there the attacker can manipulate the database and potentially gain access to admin-level information, which could expose company data, user information, and much more damaging information in the hands of an attacker.

A more in-depth look at this attack: the attacker writes structured query language (SQL) into a user input box, and that text is passed straight through to the database. This means the attacker must understand how to use SQL to manipulate the database. One example of what an attacker could enter to manipulate the database is a condition like “1=1.” The statement 1=1 is always true, causing the database to return the information selected by whatever the attacker placed before the true statement. Another example of this attack is using unfiltered characters that the programmer did not account for; for instance, an attacker could use a semicolon to separate statements.

Guarding against SQL injection seems to be the bare minimum of security for a program with a database. Preventing it is relatively easy: a programmer should implement user-input validation along with a web application firewall. When I looked up real-world examples of an SQL injection attack, I was surprised to find that this simple attack was used in the largest-scale identity theft ever. It was later coined the Great Cyber-Heist, and it started in July 2003 when an NYPD detective looking into car thefts saw a suspicious-looking person at an ATM. The person took out one debit card and withdrew hundreds of dollars, then took out a different debit card and did the same, then another and another. The detective confronted the person, who was later identified as Albert Gonzalez. Gonzalez wasn’t withdrawing his own money; he was using blank debit cards loaded with stolen card numbers and taking as much cash as he could get. Luckily for Gonzalez, the Secret Service Electronic Crimes Task Force was investigating credit and debit card fraud in the area but was not making any headway. Since the task force had little to no idea how people were stealing credit and debit card information, the agency decided to cut a deal with Gonzalez: if he helped them, he would not go to jail for twenty years. Naturally Gonzalez took this offer and began to help indict people he had worked with on a site called shadowcrew.com; he helped indict about a dozen people from the site. One Secret Service agent described Gonzalez this way: “He could be very disarming, if you let your guard down. I was well aware that I was dealing with a master of social engineering and deception. But I never got the impression he was trying to deceive us.” By 2006, Gonzalez was commended for his work and paid, and he would later speak at seminars to inform the Secret Service about how he was able to carry out these attacks.
What the Secret Service didn’t realize was that he and a few other people were able to acquire around 180 million debit/credit card numbers while he was assisting them. During the first three years he was still stealing credit/debit card data from people, but by 2007 Gonzalez had figured out a way to steal far more card information. He and his team of black hats used SQL injections to target different retail stores. They would study a company’s terminal, download the schematics and software manuals, find a vulnerability they could use, and then manipulate that company’s database. The team was able to manipulate the databases so that whenever a credit/debit card was swiped, the card was logged to the attackers’ file. This technique helped them steal 180 million cards until the Secret Service started to suspect Gonzalez and began following him. Eventually, they found records of all the cards he had stolen, and he was later put in prison for 40 years, the longest cybercrime sentence ever.

Gonzalez was able to execute the largest-scale identity theft ever recorded, taking millions of people’s card information by using SQL injections. All he and his team had to do was study the terminals and find out whether the code was vulnerable to SQL injection, and they were able to steal millions of people’s information. Preventing an attack like this is simple as far as computer security goes. If you are creating a program with user input, you must implement user-input validation. This ensures that an attacker cannot use specific characters when entering something into a user field, so if an attacker enters a character that could be interpreted as SQL, it will not be treated as code by the database. Instead, the code should throw an exception and display that the entry is invalid. Another way to help prevent an SQL injection attack is to use a WAF (web application firewall). A WAF helps filter and block suspicious HTTP traffic. It is good practice to have both a web application firewall and secure code, to ensure that the application is protected against SQL injection attacks.
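As an added example (not code from the original post), here is a small Python/sqlite3 login check in the vulnerable, string-concatenated form described above, beside a hardened form that applies the input validation the post recommends and also binds the values as query parameters, the standard defence that keeps user input from ever being parsed as SQL. The users table, the names in it and the tautology input are all constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo: an in-memory users table.
# (Plaintext passwords only illustrate the query; never store them this way.)
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # The input is pasted straight into the SQL text, so quotes and
    # operators typed by the user become part of the query itself.
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_hardened(conn, username, password):
    # Input validation as the post describes: allow only letters and digits,
    # and raise so the caller can report the entry as invalid.
    if not username.isalnum() or not (1 <= len(username) <= 32):
        raise ValueError("invalid username")
    # Parameterised query: the values travel separately from the SQL text,
    # so even a quote or "1=1" inside them is just data, never an operator.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# The "1=1" input from the post, wrapped in the quote and comment characters
# needed to make it part of the WHERE clause (constructed for the demo).
TAUTOLOGY = "' OR 1=1 --"

def demo():
    conn = build_db()
    honest = login_vulnerable(conn, "bob", "hunter2")   # one matching row
    # The concatenated query becomes
    #   ... WHERE username = '' OR 1=1 --' AND password = 'x'
    # 1=1 is always true and "--" comments out the password check,
    # so every row, the admin included, is returned.
    leaked = login_vulnerable(conn, TAUTOLOGY, "x")
    try:
        login_hardened(conn, TAUTOLOGY, "x")
        blocked = False
    except ValueError:
        blocked = True                                     # rejected by validation
    return honest, leaked, blocked

if __name__ == "__main__":
    print(demo())
```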