SQL Injection Attacks and Preventions

/in /by

SQL Injection Attacks and Preventions

Name:

Number:

Course:

Lecturer:

Major concerns

There are various major concerns that information security professionals and SQL database administrators should have with SQL injection attacks. The first concern is the Authentication bypass where the attacker logs on to the application possibly with administrative privileges without providing a suitable user name and password. Second is the sensitive information disclosure. Third is the compromised data integrity which involves illegal modifications of database contents. The other concerns are the compromised availability of data and remote command execution where the attacker compromises the host operating system by means of database command execution (Sammut & Schiffman, 2013).

Why attacks are popular by hackers

These attacks are popular among hackers, both malicious and ethical because of the following reasons. First is the insufficient input validation when using SQL statements to build web applications, second is the improper construction of SQL statements in web applications. These two reasons expose such applications to injection attacks. In addition, some attackers participate in such activities as a means of doing online business to earn a living, making it hard for them to stop the activities (Sammut & Schiffman, 2013).

Best practices for protecting against SQL injection

The two most critical best practices for protecting against SQL injection attacks include detection and blockage at the application traffic flow and at the network traffic flow. The defense in the application traffic flow involves the use of validation of data supplied by the user in the form of either whitelisting or blacklisting. It also includes the construction of SQL statements in such a way that user data can not affect the statement logic. The defense in the network traffic flow involves administrators and developers adding security to the available application. This addition is done by leveraging technologies within the network, particularly intrusion prevention systems. The detection and prevention of SQL injection attack in this case is carried out by means of intrusion prevention system (Wichers, Manico & Seil, 2014).

I do not fully believe that there are significant efforts for security professionals who implement these best practices. This is because of the ever existing reports of hacking especially by Chinese to American websites and other sites as well. If the professionals were committed enough, then such reports could be part of history by now.

References

Sammut, T., & Schiffman, M. (2013, April 5). Understanding SQL Injection. Retrieved on 18th /02/2015, from http://www.cisco.com/web/about/security/intelligence/sql_injection.html.

Wichers, D., Manico, J., & Seil, M. (2014, April 12). SQL Injection Prevention Cheat Sheet. Retrieved on 18th / 02/2015, from

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet.