Analysis: Why do SQL injection attacks still succeed?

By on
Analysis: Why do SQL injection attacks still succeed?
Sean Michael Ragan, CC2.0

Databases, web servers, middleware and WAFs are not properly secured.

The IT security world found out about SQL injection at about the same time as the software world was caught up in Y2K.

Because the Y2K problem was solved so effectively, many believe the Y2K scare was nonsense. The truth is that software development shops stepped up and performed heroics to rescue legacy systems from death by two-digit dating systems. They located flaws in old code and either fixed them or found ways to work around the problems.

How then has this same industry of software developers failed to put a solution in place for the SQL Injection vulnerabilities that have led to history's largest data breaches?

Or maybe it is not just the software industry to blame. Many software vulnerabilities have been fixed, patches and updates have been released, and secure configuration settings have been offered.

Are all the webmasters and site and database administrators out there paying attention?

When I think about what is really allowing SQL injection to remain so successful, four factors come to mind.

It is too easy to perform. Search for “guide to SQL injection” or “SQL injection how-to,” and you'll find a massive amount of detailed information on how such attacks work, along with examples. SQL injection becomes no more than a cut-and-paste job.

Change your search string to “SQL injection scanner,” and you'll find a myriad of free tools to download which pinpoint website vulnerabilities.

There is almost no limit to the number of easy targets on the internet.

Organisations don't expeditiously apply security patches to their applications or databases. By running old code, organisations expose themselves to attack by leaving known vulnerabilities in their internet-facing applications or the databases that support them.

These known vulnerabilities are typically well documented on the internet, complete with exploit code. It is a trivial exercise to download malware and hack into systems that are misconfigured or running unpatched software.

Organisations aren't doing a great job locking down their databases, web servers or middleware. The reason April's “Liza Moon” SQL injection attack was so widely successful was because ASP and ASP.NET server administrators had disabled input validation security features in their systems. With security effectively turned off, attacks became easy.

Then an access control misconfiguration in the databases hosting these websites allowed the attackers to use the SQL Injection vulnerability to write redirect scripts into the databases that exposed unknown masses of people to a well-executed rogue anti-virus scam.

SQL Injection is successful today because software developers continue to create vulnerable applications that are put into production, and because of a lack of awareness and education around secure coding practices, combined with a perception that building secure software takes longer and costs more.

Groups such as OWASP have published excellent educational materials on how to code securely and cost justify the investment in secure coding practices. The group has made tremendous headway, but everyone in the software world needs to pay attention for the problem to stop growing.

Web application firewalls (WAF) have been broadly deployed as a once-and-for-all solution to SQL injection. While a WAF can be an effective component of a layered defence strategy, it is by no means impenetrable.

Most WAFs require a tremendous amount of expert configuration and tuning before they provide effective protection. If a WAF hasn't been configured to know about a specific vulnerability, it is unlikely to prevent an exploit.

On top of the exposures created by poorly configured WAFs are the evasion techniques attackers have developed to bypass them. Search for “WAF evasion” and you’ll find dozens of techniques have been documented with more popping up regularly.


SQL injection can come in many forms, and can take the form of a sophisticated attack, but the vast majority of successful attacks don't go beyond the basics. We have the techniques and technologies at our disposal to put a stop to SQL injection. The IT world must get educated on the threat and become disciplined about ensuring that all components of an application stack are locked down and secure before deployment.

With hundreds of millions of records stolen in the last seven years, the time has come for the world to step up to the challenge and truly solve the SQL injection epidemic once and for all.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?