SQL injection is such a common tactic in cybercrime that it’s been named a top security threat by the OWASP Top 10, a powerful awareness document representing the most critical security risks to web applications. If you’re not protecting your website from this type of attack, your business and customers are at risk.
So what is an SQL injection attack, and why is this method so popular among professional and amateur cybercriminals?
There are different types of SQL injection attacks, but they all involve injecting modified SQL queries within input fields on an online form. This method essentially returns sensitive, sought-after data within the database, such as usernames, passwords, credit card data and other personal identifiable information (PII).
In some cases, an attacker can breach an application’s database through a website form designed to accept user input, which is then passed to the website’s back-end database. In others, the attacker may modify cookies to poison a database query or forge HTTP headers to inject code in the database if the web application fails to sanitize those inputs.
Cybercriminals love SQL injection because it’s versatile. It can be used to modify or destroy proprietary data, steal customer information and take complete control of a website. And it’s not always easy to detect. Even if an application correctly sanitizes user input to prevent an immediate attack, that poisoned data will be stored locally and can wreak havoc when used in a different context in the future.
The Allure of Data
Cybercriminals who deploy SQL injection attacks are usually after the same thing: sensitive data. Their goal is to pinpoint vulnerable database servers in order to hijack the data being stored — usually PII — which can then be sold to the highest bidder on the dark web.
Why is PII so valuable? Imagine you had the personal information belonging to a physician who bills healthcare payers electronically. You could make a fortune sending fraudulent bills to insurers or to Medicare. On the dark web, you could purchase the records you need to carry out that operation for about $500 — but you would stand to gain millions.
Medical records aren’t the only PII that cybercriminals are after, though. Any small business that collects and stores data on local servers is vulnerable to SQL injection attacks. That includes ecommerce companies, real estate, law firms, smaller banks and agencies. Website owners who collect information such as home addresses, phone numbers, birthdates and Social Security numbers present an especially appealing target for attackers due to the quality of information.
How to Prevent SQL Injection Attacks
In some cases, an attacker can breach your site undetected, and the effects of a second-order SQL injection attack may not become obvious until long after the initial attack. In others, you may notice signs such as modified posts or comments on your website, new admin users, modified passwords or a disconnected CMS. Fortunately, there are ways to prevent SQL injection attacks before they occur. Start by following these steps:
1. Keep software up to date. Every site owner must diligently keep security patches up to date. That means performing updates as soon as they become available. It’s also important to keep plugins, themes and your CMS core files updated at all times to prevent SQL injection attacks and other forms of malware.
2. Choose plugins wisely. Plugins may be useful to your website (because they provide enhancements for SEO, social media engagement and more), but they’re also useful to attackers. Every plugin represents an additional attack vector that can be leveraged to breach your site, so be thoughtful about the ones you choose to install. Remove the ones you don’t need or that haven’t been updated in more than a year, as these can result in weak entry points for your website due to outdated code.
3. Sanitize input fields. All user-submitted data on contact forms or other input fields is vulnerable to cybercriminals trying to gain unauthorized access to your database. Using an input validation function, such as a MySQL escape string, can ensure any malicious strings are not passed to an SQL query. Sanitizing input fields acts as a filter for user data to ensure only information that meets specific criteria can be entered. For example, if you ask users to enter their phone numbers, the input field should only allow numbers, dashes and parenthesis.
4. Install a vulnerability scanner. Automated scanners perform deep website scans to identify and patch vulnerabilities before cybercriminals can exploit them. These make your site more resilient to different types of SQL injection attacks as well as other malware.
5. Use a web application firewall. A WAF plays a significant role in preventing SQL injection attacks by filtering bad bots and malicious threats out of your site. While shopping around for a WAF, it’s best to look for one that utilizes the OWASP Top 10 threats to better protect against these stealthy attacks.
If your business doesn’t have the in-house security experts to prevent SQL injection attacks, you’re not alone. Using a comprehensive cybersecurity solution designed for small businesses can help protect your site against SQL injection attacks and other cyberthreats. Take advantage of them so cybercriminals won’t be able to take advantage of you.
Monique Becenti is a product and channel marketing specialist at SiteLock, a cloud-based website security provider currently protecting more than 12 million websites globally. Monique is passionate about improving the customer experience for all. SiteLock’s combination of dedicated research and developmental efforts, aggressive product road maps and access to a massive global data set make the company a leading innovator in web security.