SQL injection: Developers fight back

SQL injection is one of the newer attacks aimed at Web application security in the cybercrime world. It is targeted at your database, which stores sensitive information of your employees or customers. This type of attack exploits vulnerabilities in your application to access your database by manipulating the SQL queries in your application via the input boxes of your Web form.

A lot has already been written on how SQL injection attacks are done, so I am not going to go into that. I have some links at the bottom for you to get more information on how this attack works.

What I want to do is take a look at 10 steps you can take to prevent applications from being vulnerable to this type of attack.

1. Install the database on a different machine then a Web server or application server. Make sure all the latest patches are applied.
2. The database should have all the default accounts and passwords disabled, including the superuser account. Create a new account under a different name with similar privileges if required.
3. Create an application user account in your database that has minimum privileges in order for that application to access the data. Remove all the sample tables. Disable or delete any system stored procedure that is not required by that application user.
4. Identify the list of SQL statements that will be used by the application and allow only those SQL statements from the application, such as Select, Insert, Update, etc.
5. Use read-only views for SQL statements, which do not require any inserts or updates, e.g. Authentication SQL.
6. Use stored procedures instead of SQL wherever possible.
7. Employ proper error handling and logging within the application so that a database error or any other type of technical information is not revealed to the user. ...
   
   To continue reading for free, register below or login

   Requires Membership to View

   To gain access to this and all member only content, please provide the following information:

   Email Address:
   
   
   

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   To read more you must become a member of SearchSoftwareQuality.com

   As an existing member of the TechTarget network please activate your SearchSoftwareQuality.com account 

   By joining SearchSoftwareQuality.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   

   << PREVIOUS | NEXT >>: SQL injection: Secure your Web applications

   VIEW ALL IN THIS CATEGORY

   
   

   RELATED CONTENT Application Security Strategies Application security checklist: Ways to beat cross-site request forgery Web server weaknesses you don't want to overlook Application security checklist: Finding, eliminating SQL injection flaws Rich Internet applications security testing checklist The lowdown on PCI compliance Web 2.0 application security troubleshooting, testing tutorial Expert resolves issues plaguing OpenSTA users Fixing four Web 2.0 input validation security mistakes Social engineering training could disrupt botnet growth Web security problems: Five ways to stop login weaknesses Building security into the SDLC (Software development life cycle) ALM boundaries are expanding in application development Top software testing and quality assurance news stories from 2009 Aligning business goals with Focus Stories Which requirements have the greatest effect on quality in software development? How to write an SRS document for three different databases Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step Threat modeling Web application security and the PCI DSS The essentials of Web application threat modeling How to implement security in Java EE and Java ME Application security shouldn't involve duct tape, Band-Aids or bubble gum Stop SQL injection attacks on applications How to counter XSS attacks Breaking the same origin barrier of JavaScript Protection against "zero-minute" exploits Denial of service and Ajax CSRF attack vector with Ajax serialization

   RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary SQL injection  (SearchSoftwareQuality.com)

   RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

   
   
   

8. Choose names for tables and fields that are not easy to guess. For example, fieldname of an e-mail address could be "x_eml" or "olb_mail_addr" and the name of the table could be app_usr_det.
9. Use dynamic queries instead of static queries. For example, in Java, use PreparedStatement instead of Statement object.
10. Sanitize the input by validating it in your code. I will categorize the input in two categories:
    • Authentication input, such as username and password
    • Other form field input, such as registration, forgot password, feedback and suggestions

Input validation
Let's explore input validation further. Usually, any Web application has some input boxes to collect data from the user. When a Web form is submitted, the input values are submitted to the application running at the server. The application should validate the input before processing it. Certain steps can be taken to protect the application from malicious input.

Authentication input: Authentication being the entry point of the system is a more sensitive area, and the likelihood of an attacker trying SQL injection here is extremely high. Moreover, if authentication is compromised, then the attacker has unauthorized entry into your system. Some of the techniques we can implement here include the following:

1. Validate the username and password fields when they are entered into the system as shown in the example below.
2. Use a read-only view in the database to authenticate a user with the username and password stored in the database. That would prevent an attacker from making any modifications in the database to gain entry into the system.
3. Encrypt the username and password in the database and validate them using one-way encryption. If an attacker tries to inject a query in the username or password boxes and somehow manages to bypass the input validation techniques, the input values when encrypted and verified against the values stored in the database will not match.
4. Log every successful or failed login attempt. This log will help not only in establishing a pattern of attack, but also in identifying any new techniques adopted by the attacker. This later can be used as an input to prepare a security patch for the system, if the system is still vulnerable to that type of attack.

Other form field input: Let's take a look at some of the common form fields that are usually available before authentication and what can you do to prevent SQL injection attacks in those fields.

1. Forgotten password:
   1. Usually applications ask for only the e-mail address. Some of them ask a challenge question and answer for further validation before sending the password to the user via e-mail. This helps attackers guess the e-mail address. If you instead ask for e-mail address, first name and last name, the applications make it difficult for the attacker to guess a valid user.

   2. Validate the input as shown in the example below.

   3. If any of the information provided did not match, display a generic error message, such as "Your information did not match" as opposed to "Your e-mail did not match". This will keep the attacker guessing as to what did not match.

2. Registration page: This page usually consists of multiple fields. Apply the appropriate validation techniques for different fields based on the sample code below.
3. Feedback and suggestions: If this is stored in the database, then it should be stored as a CLOB. Using PreparedStatement and storing it as a CLOB will protect it from most types of attacks.
4. Contact Us: If there is no reporting or tracking requirement for this information, then architects should avoid storing this information in the database. Accept the form fields and send them as an e-mail. That gives you one less area to protect from SQL injection.

Input validation techniques
Ideally, architects can define in the design phase what type of input is expected (alphabets, numeric, alphanumeric) and what characters are allowed for that type of input. Let's take a look at an example with sample code in Java.

Username validation -- The following rules will apply:

1. It can contain the following alphabets a-z, A-Z, 0-9, _,
2. It is a single word and hence no spaces allowed
3. Maximum characters allowed -- 30
4. No escape characters allowed

Sample code:

For numeric input, convert it to integer as well before appending into your SQL query. If it throws a NumberFormatException, then it is not a valid input.

It might get a little tedious to define rules for all the individual fields. In such scenarios, architects can divide the fields into multiple categories, such as single word, multiple words, multiple words with punctuations, e-mail address, numeric input, etc., and define rules for those categories.

As you can see, by taking certain measures, you can avoid common vulnerabilities and create more secure Web applications. After all, every step, however small, is a step forward in securing your application.

More information:
List of SQL injection attacks by example

• SQL injection: Are your Web applications vulnerable? (PDF)
  
• SQL injection walkthrough

List of escape characters

• http://www.lc.leidenuniv.nl/awcourse/oracle/text.920/a96518/cqspcl.htm#20741
• HTML Escape Characters: Complete List

-------------------------------
About the author: Anurag Agarwal, CISSP, works for a leading software solutions provider where he addresses different aspects of application security. You may e-mail him at anurag.agarwal@yahoo.com.