SQL Injection Protection in Cloud Systems
SQL Injection
Structural Query Language (SQL) is a language used to program and manage data in relational databases. Originating in 1986, SQL has gained so much popularity due to its practicality and ease of use that these days most databases are formed around an implementation of SQL, for instance, MySQL or Microsoft SQL Server. Databases can hold sales data, customer information, medical records and financial information, meaning their contents could have enormous value. Therefore, they have been heavily targeted by malicious parties since the early days of computing.
Apart from the regular vulnerabilities that could be exploited to gain access to the system holding the database, there is another method of attack which could be utilized to gain access to the contained information or even to eradicate the data; SQL Injection.
SQL Injection attacks target the database directly by attempting to interact with it via for instance a web form field or a URL. The goal there is to send commands to the server which will then return an entire table containing usernames and passwords or even credit cards. This is how many of the massive breaches (up to 100+ million users) over the last decades have occurred.
Protection
There is a lot that can be done to prevent such an attack from being successful, but the solutions can be quite complicated. Input Sanitization is the primary prevention method, after all, why allow a malicious command to be executed in the first place?
Without going into too many technical details (there are many books written about the endless way to perform SQL Injection attacks), imagine a web form asking for a username. Once entered, the provided username will be taken as input and will be processed in the background, for instance, to write it to a table in a database or to compare it to existing entries. This web form allows for interaction with the database, and if the attacker can supply input that escapes the underlying code and then execute his or her own commands, they could be processed as well. A few clever, quite simple commands could return hundreds of thousands of otherwise hidden database records to the attacker. Some attack methods can even create additional admin-level accounts within the server.
It is therefore critical that all input into web forms (and associated HTTP POSTS) is properly sanitized. A programmer, for example, should not allow for individual characters to be used, should escape strings where needed and should use Prepared Statements wherever possible, amongst many other best practices. However, unfortunately, everyone makes mistakes and sanitization is complicated and time-consuming.
Another (additional) option is to filter incoming traffic for suspicious input via a Web Application Firewall or IDS/IPS solution. This would allow for the traffic to be dropped or alerted on before it even reaches the web server. These solutions can be expensive, however. They also present some challenges around encrypted HTTPS traffic. In that case, for a WAF or IDS device to be able to inspect traffic for malicious content, SSL interception will be needed, which can impact performance and can be even more expensive to implement and operate. By no means, these systems are a replacement for proper input sanitization on the server itself. Quite often these 3rd party products are not aware of the type of data or system they are trying to protect, leaving many opportunities open to a smart attacker.
Cloud solutions
Because database and web servers are ideal candidates to be running within a semi-isolated, highly scalable and highly available cloud environment, they represent a significant percentage of the systems within the various cloud platforms. This means cloud providers also have a role to play in the protection against SQL Injection attacks. It is great to see that providers do offer various products in this space.
Probably the most advanced solution is offered by Microsoft Azure: SQL Database Threat Detection. For just $15 per server per month, this service produces alerts based on SQL injection, anomalous database access patterns, and potential vulnerabilities. This is a comprehensive service that would not have been available for such a low fee if the servers were running on custom hardware and software within an organization's own on-premises network. There would simply be too much to customize. This is really where the cloud shows one of its many benefits: low pricing due to standardization and its massive scale.
Of course, other providers offer these types of protection as well. Amazon, for instance, offers a virtual cloud version of the earlier mentioned Web Application Firewall. Not only is there a requirement to place the WAF in the same cloud as the web and database server to intercept incoming web traffic, placing the WAF in the cloud has some further benefits as well. Like many other cloud services, the ease of deployment (no need for hardware in the datacentre) and configuration and full integration with other cloud security products, like a DDoS protection product make this something to strongly consider when running a web and database server within any cloud platform.
Again, these cloud security products would be additional to a securely designed web front end and backend, which should include comprehensive input validation and fully patched systems.
11 courses, 8+ hours of training
Conclusion
When it comes to publicly accessible web and database servers, an organization does not get a second chance. Once the data is compromised, it will forever be in the public domain. More often than not, this leads to a loss of reputation, a substantial financial impact, but also to legal battles around compliance and due diligence. Hardening servers, applying input sanitization and building a layered defense of security products such as IDS and proxy devices is a good start. On top of that, it is well worth considering going that additional step and moving these systems to a cloud provider and then purchasing the database specific security products mentioned earlier.
In this Series
- SQL Injection Protection in Cloud Systems
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security