Blocking SQL injection | Cloud-Based Platform AIONCLOUD

AIONCLOUD BLOG

Share information related to AIONCLOUD !

Back to BLOG Main

Blocking SQL injection

SQL Injections may be the easiest way of web attack. First founded in 1998, it is one of most well-known threat. But how is it, after almost 20yrs past, still listed as high risk attack in OWASP Top10? SQL Injection is an attack form using the language "SQL" that communicates between the Web server and the DB server. The user and the web server communicate using HTTP, and the web server takes the information from the DB server and delivers it to the user. This attacks using the SQL language that the DB understands, so if the DB server understands the SQL statement (if it can handle it), it will deliver the result directly. Therefore, there are variation on this attack such as data insertion, inquiry, and deletion as well as authentication bypass. In order to understand this more clearly, you will need to understand how DB system and login works. When using a login or web service, the user sends a request value, and the required data is inquired by the web server to the DB server. If the web service needs to accept all request values, such as login attempts, the user should be allowed to receive the data or block them. The web server inputs and receives the data received from the user in the specified SQL statement. Then the DB sends the result of the corresponding value to the web server to process the contents. Assuming this as a login attempt, the user with a permitted account will receive a login success, and an unauthorized account attacker will receive a login failure result. The first step to prevent SQL injection, is to block the SQL query command execution. As mentioned earlier, SQL injection is performed because the Web server and DB server can understand the contents. Therefore, it can defend most forms of SQL injection attacks by preventing the command from executing. For example, if a SQL query type is entered on the login screen, you can restrict most attacks by limiting the input. Second, you can block special characters in URLs or input boxes, as special characters are used to complete SQL injection. Thus simply blocking the special characters can be a good way of defending SQL injection. Third, remember all communication type between web server and DB server, and to block all communication that’s not compatible. This method is the best way to block SQL injection. Since most of the source code of the web server communicates with DB, most forms of communication are fixed. The surest way to block the attack is to block any visible miscommunication with full acknowledgement of fixed communication structure. In case all the above protection method didn’t work, and you were infiltrated with SQL injection, what you want to do is to set the web server’s DB server authority to the minimum. If the web server is compromised, the attacker can delete or change the information on the DB, causing secondary damage. However if the webserver’s authority is limited to insert or select, the attacker will only be able to write or read the data. Although that was the original purpose of the SQL injection.

Scroll Up