We are constantly dealing with the issue of security, when working with technology. For that reason Netshock have decided to launch a security series, covering one type of hacker technique each day. The reason for this is, once you fully understand what each type of attack means, you’ll be in a better position to prioritize which to tackle first and at which points you are most vulnerable.
There are lots of different techniques used by hackers – a few of which are outlined below. We are going to provide an overview of each and suggest some tools and techniques which may help protect you from such attacks.
- Cross site scripting
- Click jacking
- Social Engineering
- Cross Site Request Forgery
- Remote Code Execution Attacks
- Brute force attacks
Today, we will cover SQL injection attacks. Whenever you use SQL to display data on a web page, you make yourself susceptible to such attacks. Let me give you an example of an SQL Injection attack. Let’s say you run an online store, within that store you have all sorts of filters to help people find the product that they specifically want. So, maybe you have a filter on price, type and colour of product.
Each time the user uses that filter, you’ll query your SQL database to find updated results. SQL injection is the process of ‘injecting’ an extra bit of SQL into your query, pulling data out of your database that you did not want them to access (for example, customers personal details).
There are ways to defend against SQL injection attacks. The first is to run validation on your queries before executing them. What I mean by that is, you should dynamically check and validate a query as it is executed, to ensure that the parameters in the query are ones that you allow your clients to access. Further, you should validate against field type, format and range.
Next, you should make sure that you are not using your root MySQL database user to query your database. You should rather use a profile that has restricted permissions. This ensures that unwanted queries cannot be executed by an attacker, simply because, the profile does not have the authority to do so.
Finally, try to avoid showing database error information to users. You should try your best to show a custom error page. This is because, SQL often includes sensitive information within its error pages. To avoid this information being abused by a savvy hacker, we should try to hide it.
As a side note, even if your site is SSL protected, you are still susceptible to SQL injection.
This article was brought to you by Netshock. Netshock is your technology blog, providing technology news, guides and insight.