Anatomy of a Web hack, SQL Injection edition

While there are many Web hacking exploits, none are as simple or as potentially destructive as what is known as SQL injection. This isn’t something new, but what is new is how frequently this attack happens, and how easily you can protect your network with relatively little effort and cost.

The problem is that Web developers tend to think that database queries are coming from a trusted source, namely the database server itself. But that isn’t always the case, and a hacker or even a casual browser can often take control of the Web server by entering text that is treated as valid SQL commands in the right places. The trick is finding the right places.

In a white paper that I wrote for Breach Security, I show you exactly how easy this exploit is. You don’t need any specialized tools other than a Web browser, and you don’t need any specialized skills either. It doesn’t take much time, and the payoffs could be huge: an intruder could easily obtain a copy of your most sensitive data in about the time it takes to read through this analysis.

The paper walks you through what is involved in a SQL injection exploit, using examples of both a Web site that we found at random and one that had previously been compromised, with the hackers publicly describing their methods in a Russian post on the Net. We will show you the consequences of doing nothing and leaving this front door wide open for anyone to walk into your data center. Finally, we will talk about ways that you can prevent this from happening in the future, and what choices you have to protect your Web sites and corporate networks.
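The "right places" mentioned above are wherever text typed into a browser is pasted directly into a SQL statement, and the prevention the paper discusses comes down to never doing that. The following is an added illustration, not code from the paper or from Breach Security: it uses Python's built-in sqlite3 module and a constructed three-row `users` table to show a lookup written the vulnerable way next to the same lookup written with a bound parameter, and what each returns for the same hostile input.

```python
import sqlite3

# Constructed sample data for this example only; not data from any real site.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_unsafe(conn, username):
    """The vulnerable pattern: the browser-supplied value is concatenated
    into the statement text, so whatever the user typed becomes SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The hardened pattern: the statement is fixed and the value is bound
    as a parameter, so it can only ever be compared against the column."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a normal value and a textbook hostile value
    and return the three result sets for inspection."""
    conn = make_db()
    normal = "bob"
    # Constructed input: the classic always-true clause from every SQLi primer.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),   # one row, as intended
        "unsafe_hostile": lookup_unsafe(conn, hostile), # every row in the table
        "safe_hostile": lookup_safe(conn, hostile),     # no row has that username
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the side-by-side is that the fix is not input filtering: `lookup_safe` never inspects the string at all, it simply refuses to let the string become part of the statement. Auditing a code base for this class of bug means finding every query built by concatenation or string formatting and rewriting it in the second form.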

You can download the entire paper here.
