SQL Injection Attacks

IN08-002
Date: 23 June 2008

Purpose

The purpose of this Information Note is to encourage organizations to proactively ensure their web presence is not impacted by the threat of SQL injection attacks. Compromised servers could unwittingly infect the computer systems of users visiting their site through redirection scripts inserted in the web pages html code. CCIRC urges all website administrators to scrutinize how they secure their web pages and SQL databases. Organizations are also reminded to remain vigilant to emerging internet threats.

Assessment

Background

SQL (Structured Query Language) is a computer programming language designed for use in databases. The term SQL injection means to insert alternate programming code designed for malicious purposes. The goal of SQL injection is to influence the outcome of a database interaction by inserting SQL keywords instead of the expected data.

CCIRC is currently aware of increasing cyber attacks plaguing the internet resulting in compromised systems. Compromised sites are unwittingly redirecting client browsers to malicious external domains that attempt to compromise the visitor’s system.

As well, based on several reports of the reinfection of systems that were apparently fixed, it has become evident that many administrators are using only short-term fixes, instead of long-term fixes. Short-term fixes such as database backups only work temporarily, and the system itself remains vulnerable.

Analysis

SQL injection attacks are used to add html tags to the database, which can then be appended to existing data or to new entries. A web page using data from an affected database will send the redirecting tags to the browser. Web pages interact with databases either to update their content or to access other forms of information. Malicious websites can host a variety of malicious code, which may or may not be detected by anti-virus scanners. Most users who visit a compromised site do not know that their computer is being infected with malicious code, such as keystroke loggers and information stealers leaving them vulnerable to spam, fraud or identity theft.

Impact

Web applications that remain vulnerable to SQL injections can be infected and re-infected, and subject visitors to the website at risk to malicious code infections. Failure to ensure the appropriate counter measures are taken to prevent SQL injection attacks can result in the unauthorized and criminal use of vulnerable web applications to propagate and promote malicious activity. Visitors to compromised web sites will be infected if not adequately protected.

Suggested action

A detailed Technical Report, TR08-001 Alleviating the Threat of Mass SQL Injection Attacks, is available at:

TR08-001 Alleviating the Threat of Mass SQL Injection Attacks

Additional Information

Additional mitigation techniques may be found at Open Web Application Security Project (OWASP) website:

http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java#Defence_Strategy

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca