SQL injections: used in 51% of cases by hackers

September 2017 by Sergio Loureiro, CEO of SecludIT

More than 300,000 websites are vulnerable because of the WordPress Statistics plugin. Moreover, every site running the famous CMS that has not yet applied the 4.8.2 update is exposed to no fewer than 9 security vulnerabilities. Constantly exposed, and at a time when users attach growing importance to the security of their data, companies are struggling to stay protected. Injection attacks, for example, are the most common kind, even though rigorous coding alone would prevent them. How do injection attacks work, in particular Structured Query Language (SQL) injections, and how can they be avoided? It is no accident that WordPress remains a target of choice for SQL injection and keeps shipping fixes for it.

Beyond SQL injection, the simplest to carry out and the most common, more complex injection attacks can also be launched: XPath, LDAP (of which Joomla was a victim), XML (XXE), command or log injection, and so on. These vulnerabilities are easy to exploit and have potentially serious consequences: corruption or theft of data, denial of access, and even complete control of the host. This is why injection remains the number one risk in the Top 10 published by OWASP.

SQL injection (51% of cyber attacks on web applications in the second quarter of 2017, according to an Akamai report) is often launched through a form on the targeted website. By injecting characters or lines of code into a form field, an attacker can, for example, log into a user account without the password. Going further, attackers can reach and corrupt the site's databases (customer or internal databases). SQL is a rich language that permits many actions, and companies must pay particular attention to double queries and to blind or partially blind injection, which are more dangerous.

The PlayStation Network (PSN) was attacked with this technique in 2011, exposing the personal data of 77 million players around the world as well as the bank cards of about ten thousand of them.
It was also through an SQL injection that Russian hackers stole more than 1.2 billion identifiers and passwords from over 420,000 websites around the world in 2014.

The consequences for businesses are varied. Their security negligence, made public by the attacks, damages their image on the one hand and leads to financial losses (compensation to the victims, loss of business) on the other. Indeed, according to an NTT Com Security study published last year, the average cost of a cyber attack amounts to 773 000 € and a company takes 9 months to recover. When the GDPR takes effect on May 25, 2018, an improvement can be expected: it will require companies to protect their customers' personal data better and will make them criminally liable (penal). The risk must therefore be taken seriously, since fines may reach 4% of turnover, within the limit of 20 million euros.

Paradoxically, given the damage they can cause, injection attacks are very simple to prevent. Several steps must be taken to prevent SQL injection attacks:
• Stop using dynamic queries
• Integrate security checks (input validation)
• Use parameterized database queries: available in every programming language, they prevent an attacker from changing the intent of a query, even if SQL commands have been inserted into the input
• Use stored procedures: they are not always effective, but some have the same effect as parameterized queries; the difference is that the SQL code is defined and stored in the database itself
• Use whitelist input validation: to be used when the previous techniques are not suitable, and as a secondary measure
• Use CAPTCHA challenges (characters to copy, "I'm not a robot" boxes to tick): widely used to protect forms and allow better internal information processing
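The list above is easiest to see in working code. The following example is added here and is not from the article or from SecludIT; it uses Python's standard sqlite3 module and a constructed single-user table (the names `make_demo_db`, `login_dynamic`, `login_parameterized` and `is_valid_username` are this example's own). It places the dynamic query the article tells you to stop using beside its parameterized replacement and a whitelist check, so you can observe that the same form input which makes the dynamic version accept a login without the password is just an ordinary, non-matching string for the parameterized one.

```python
import re
import sqlite3

# Constructed demo data: one user table with one account.
# A real application stores password hashes, never clear-text passwords;
# this is kept clear-text only so the query comparison is easy to read.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_dynamic(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE (the 'dynamic query' the article says to stop using).
    The form values are glued into the SQL text, so they become part of the
    statement and can change what it asks the database."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """HARDENED (parameterized query). The SQL text is fixed; the values are
    handed to the driver separately, so they are only ever compared as data
    and cannot alter the query's intent."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Whitelist validation, the secondary measure from the list: accept only the
# characters a username may legitimately contain, reject everything else.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def compare_logins(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Run the same form input through both implementations and the whitelist."""
    return {
        "dynamic": login_dynamic(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
        "username_valid": is_valid_username(username),
    }


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed inputs: a genuine login, then a tautology in the password
    # field of the kind the article describes (login without the password).
    print("genuine credentials:", compare_logins(db, "alice", "correct-horse"))
    print("tautology in password:", compare_logins(db, "alice", "' OR '1'='1"))
```

With the genuine credentials both implementations return True. With the tautology, `login_dynamic` returns True because the concatenated statement becomes `... AND password = '' OR '1'='1'`, while `login_parameterized` returns False because sqlite3 compares the whole string against the stored password and nothing more. Parameterization is the primary control; the whitelist is an additional layer, and note that it would not by itself have rejected the username here, which is why the article ranks it as a secondary measure.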

When building a website, applying good security practices from the first lines of code is the first line of defense against cyber attacks. A properly secured website takes longer to build but provides some peace of mind.

The difficulty for companies is knowing whether their information systems are vulnerable. Few know their real level of risk or the security holes that hackers could exploit. To check their IT properly, they must turn to cyber-risk assessment solutions, which give them the opportunity to analyze their entire infrastructure and detect misconfigurations or vulnerabilities, especially on dormant servers waiting to be restarted. "To go further, it is recommended to choose a solution that performs these analyses continuously in order to be alerted when a new vulnerability is detected," recommends Sergio Loureiro, CEO of SecludIT. "Companies need solutions that adapt to their environment and make it easier for security teams to detect breaches."

If the solutions are so simple, why are they not implemented? Blame vulnerability hunting that takes too much time, and a lack of resources and of awareness of the danger on the part of companies. They do not realize that they could become the Equifax of tomorrow, SMEs especially. Indeed, 77% of cyber attacks concern SMEs, making them the main targets of hackers. Prevention is better than cure: preventive analyses are the first step and can help avert widespread cyber attacks such as injections. So why go without?
