SQL Injection Attacks
IN08-002
Date: 23 June 2008
Purpose
The purpose of this Information Note is to encourage organizations to proactively ensure their web presence is not impacted by the threat of SQL injection attacks. Compromised servers could unwittingly infect the computer systems of users visiting their site through redirection scripts inserted in the web pages' HTML code. CCIRC urges all website administrators to scrutinize how they secure their web pages and SQL databases. Organizations are also reminded to remain vigilant to emerging internet threats.
Assessment
Background
SQL (Structured Query Language) is a computer programming language designed for use in databases. The term SQL injection refers to the insertion of alternate programming code designed for malicious purposes. The goal of SQL injection is to influence the outcome of a database interaction by inserting SQL keywords instead of the expected data.
CCIRC is currently aware of an increasing number of cyber attacks on the internet that result in compromised systems. Compromised sites are unwittingly redirecting client browsers to malicious external domains that attempt to compromise the visitor's system.
As well, based on several reports of the reinfection of systems that were apparently fixed, it has become evident that many administrators are relying only on short-term fixes instead of long-term fixes. Short-term fixes such as database backups only work temporarily, and the system itself remains vulnerable.

Analysis
SQL injection attacks are used to add HTML tags to the database, which can then be appended to existing data or to new entries. A web page using data from an affected database will send the redirecting tags to the browser. Web pages interact with databases either to update their content or to access other forms of information. Malicious websites can host a variety of malicious code, which may or may not be detected by anti-virus scanners. Most users who visit a compromised site do not know that their computer is being infected with malicious code, such as keystroke loggers and information stealers, leaving them vulnerable to spam, fraud or identity theft.
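The following Python example is added for illustration and is not part of this note or of TR08-001. It contrasts a query built by string concatenation with a parameterized query, and includes a clean-up check that lists rows whose text carries script or iframe markup. The `products` table, the function names, the sample input and the tag pattern are all constructed assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a two-row catalogue in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    db.executemany(
        "INSERT INTO products (name, descr) VALUES (?, ?)",
        [("widget", "A plain widget"), ("gadget", "A plain gadget")],
    )
    return db

def find_vulnerable(db, name):
    # Vulnerable: the input is pasted into the SQL text, so any quotes and
    # keywords it contains are parsed as part of the statement.
    return db.execute(f"SELECT name FROM products WHERE name = '{name}'").fetchall()

def find_parameterized(db, name):
    # Long-term fix: the driver binds the input as a value, never as SQL.
    return db.execute("SELECT name FROM products WHERE name = ?", (name,)).fetchall()

# Assumed pattern: markup a plain-text description should never contain.
SUSPECT_TAG = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)

def scan_for_injected_tags(db):
    """Return ids of rows whose description carries script/iframe markup."""
    rows = db.execute("SELECT id, descr FROM products ORDER BY id").fetchall()
    return [row_id for row_id, descr in rows if SUSPECT_TAG.search(descr or "")]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input: SQL keywords instead of data
    print("concatenated :", find_vulnerable(db, crafted))     # condition rewritten
    print("parameterized:", find_parameterized(db, crafted))  # treated as a name
    # Simulate a tampered row (constructed value) to exercise the scan.
    db.execute(
        "UPDATE products SET descr = descr || ? WHERE id = 2",
        ('<script src="http://example.invalid/x.js"></script>',),
    )
    print("rows to clean:", scan_for_injected_tags(db))
```

Restoring a backup removes the rows the scan reports, but only replacing the concatenated query with the parameterized one prevents the same input from altering the statement again.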

Impact
Web applications that remain vulnerable to SQL injections can be infected and re-infected, and put visitors to the website at risk of malicious code infections. Failure to ensure the appropriate countermeasures are taken to prevent SQL injection attacks can result in the unauthorized and criminal use of vulnerable web applications to propagate and promote malicious activity. Visitors to compromised web sites will be infected if not adequately protected.

Suggested action
A detailed Technical Report, TR08-001 Alleviating the Threat of Mass SQL Injection Attacks, is available at:
TR08-001 Alleviating the Threat of Mass SQL Injection Attacks - ver 1.0.0 Final.pdf (PDF 80KB)

Additional Information
Additional mitigation techniques may be found at the Open Web Application Security Project (OWASP) website:
http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java#Defence_Strategy

Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca