What is SQL Injection? SQL (Structured Query Language) Injection is a computer attack in which malicious input is embedded into a poorly-structured application's database query. The malicious data then produces database query results or actions that should never have been executed. This is an extremely common vulnerability in unsecured websites. Once an attacker has completed the injection, they are able to extract any and all data in the database, which could be consumer information (such as addresses, credit card numbers, and even social security numbers). As you can see, that information should be securely stored at all times.
SQLi, or SQL Injection, is one of the most common attacks known and performed by hackers each year. Even in 2017, after all of the latest breaches and leaks, you would think that companies would secure sensitive information that can leave their business at risk. In most cases the major companies like Google, Amazon, and Apple have defenses in place against this vulnerability; however, many smaller companies still have not fixed this issue. Why is this vulnerability so common, you may ask? Because it takes practically no effort for someone to perform this attack. There are dozens of free applications that perform the whole attack process on a vulnerable website, requiring little to no computer science knowledge (e.g. Havij). However, each program is different, and the strength and complexity of the attack can be adjusted differently, from, let's say, Kali Linux to Havij. Kali Linux is strictly a command line based attack with no graphical user interface; Havij is an automated program with a graphical user interface: all you have to do is put in the vulnerable website's address and it does the rest for you. It finds all the details for you, such as the integer type and database keywords. It also has an MD5 hash password cracker: once you get into the database and find that the information is encrypted, the program can crack it and reveal the data. This is exactly why it is so easy for someone with little computer knowledge and skill to gain access to sensitive data. These programs are all over the internet and can be found with a little digging.
How can you protect your small business from an SQL Injection attack? You can do this in various ways, such as hiring a pen tester (someone you pay to literally hack your website and tell you exactly how to fix its vulnerabilities) or following NIST standards (National Institute of Standards & Technology). NIST standards are very reputable and highly respected in the cybersecurity and information security industries. There are always alternatives based on your budget, but I highly recommend staying up to date with all security standards, because in the long run it will only benefit your business and its economic growth.
Disclaimer: The purpose of this blog is to ensure the continuous growth and development of cybersecurity and IT knowledge. I DO NOT condone any malicious actions or anyone with malicious intent. Anything you learn from this blog is strictly meant for educational purposes ONLY.