Sin 4: SQL Injection

Overview of the Sin

SQL injection is an all-too-common code defect that can lead to machine compromises and the disclosure of sensitive data. What's really worrisome is that the systems affected by such vulnerabilities are often e-commerce applications or applications handling sensitive data or personally identifiable information (PII); and from the authors' experience, many in-house or line-of-business database-driven applications have SQL injection bugs.

Ever wonder how bad guys get credit card numbers from web sites? They can do it one of two ways: SQL injection is one method; the other is entering the front door you left open by exposing the database port (such as TCP/1433 in Microsoft SQL Server, TCP/1521 in Oracle, TCP/523 in IBM DB2, and TCP/3306 in MySQL) on the Internet and using a default sysadmin database account password.

Perhaps the greatest risk is a SQL injection attack where the attacker gains private PII or sensitive data. In some countries, states, and industries, you may be liable should this occur. For example, in the state of California, the Online Privacy Protection Act could land you in hot water if your databases are compromised and they contain private or personal data. Or, in Germany, § 9 BDSG (the Federal Data Protection Act) requires you to implement proper organizational and technical security for systems handling PII. And let's not forget the United States Sarbanes-Oxley Act of 2002, most notably § 404, which mandates that you adequately protect data used to derive a company's financial statements. A system that is vulnerable to SQL injection attacks clearly has ineffective access control and, therefore, could be viewed as noncompliant with these regulations.

Remember, the damage is not limited to the data in the database; a SQL injection attack could lead to server, and potentially network, compromise as well. For an attacker, a compromised back-end database is simply a stepping stone to bigger and better things.
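A minimal illustration of the defect itself and of its fix, added here as an example that is not from the book. It uses Python's sqlite3 module and a constructed two-row customer table; the same pattern applies to any database driver that supports bound parameters.

```python
import sqlite3

# Constructed sample data: a tiny customer table with made-up card numbers.
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_card_vulnerable(conn, username):
    """The sin: user input is spliced into the SQL text.

    A quote character in the input changes the structure of the statement,
    not just the data it compares against, so the WHERE clause can be
    rewritten by whoever controls the input.
    """
    sql = "SELECT card FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_card_fixed(conn, username):
    """The fix: a parameterized query.

    The SQL text is a constant; the value travels to the engine separately
    as a bound parameter and is never parsed as SQL, whatever it contains.
    """
    sql = "SELECT card FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both versions on a normal username and on a tautology string."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # classic textbook probe string
    return {
        "normal_vuln": lookup_card_vulnerable(conn, "alice"),
        "normal_fixed": lookup_card_fixed(conn, "alice"),
        "tautology_vuln": lookup_card_vulnerable(conn, tautology),  # every card
        "tautology_fixed": lookup_card_fixed(conn, tautology),      # nothing
    }


if __name__ == "__main__":
    for name, cards in demo().items():
        print(f"{name}: {cards}")
```

The vulnerable version returns every card in the table for the tautology input, which is exactly the bulk disclosure described above; the parameterized version looks for a user literally named `x' OR '1'='1` and finds nothing.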



Source: 19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (2003)
