Q&A on SQL Injection ‘ or 1=1; —

from XKCD

Every once in a while I get an email from either a friend, client, mentor, etc that I really want to share with the community as a whole. Typically after I respond to the email, I try and get permission from the second party and include it on my blog (which I’m still fairly sure nobody actually reads).  Anyways, this was a really good question about SQL injection, so enjoy!

Hey Andy, I’ve got a question. In my courses I’ve been learning SQL. I’m trying to also look at it with a security perspective in defending from SQL injection attacks. Do you know of any good ways to actually practice or solid resources to learn. I’m half tempted to start running some queries on shoddy looking websites, but I really I wouldn’t do that. I’ve seen some Youtube videos and some stuff on W3, but thought I’d ask you what you think. How big of a vulnerability is SQL injection or how big of a priority is it to businesses now?

First off, I’m honored anyone emails me asking for my thoughts or opinions on a topic, so thank you. SQL injection has been an issue since it was first discussed around 1998 on Phrack.

Take a look at the OWASP Top 10 – 2017 (most recent copy at the time of writing this). The ten most critical web application security risks demonstrate that SQL Injection has been the top dog risks for quite some time. Things like cross-site-scripting, and cross-site forgery are up-and coming risks, but SQL Injection is king.

As for running queries or something like SQLmap against any website, I strongly recommend you do NOT giving away free pen-tests. That’s a quick way to get in trouble with the feds. What you want to do is test in your home-lab or find a purposely vulnerable site to hone your SQL injection skills. There’s a lot of blog posts out there already covering this content so check out this article about 40+ Intentionally Vulnerable Websites to (legally) practice your Hacking Skills. Additionally, if you’re looking to focus specifically on SQL injection, you should also check out Hack.me. They have a whole section specifically focused on SQL injection. Also, I’d be remiss if I didn’t bring up Metasploitable too. This is an amazing VM that is purposely vulnerable in many different ways. I haven’t checked personally, but I’d be shocked if there wasn’t a SQL injection vuln somewhere on there. Recently Rapid7 released Metasploitable 3. The setup is a pain. I’d recommend you check out the Metasploitable 2 VM first before embarking on MS3

Now the second question about how big of a priority is it to businesses is a very interesting question. I think it all depends on the business and the vertical. There are many exceptions to this, but many businesses that do not develop applications or websites, in my opinion, do not prioritize SQL injection as a viable risk to their organization. To them, the risk solely lies on the developer of the service, website, or software. They think they’re covered. To take this type of stance is foolish and irresponsible. Patches roll out monthly, if not more, remediating vulnerabilities in production code all the time. The vendor shares partial responsibility, but the client holds the majority of the risk relative to data breach. Solutions such as Web Application Firewalls do a good job in preventing and detection of SQL injections, however this is not enough. I’m personally fond of aggressive least privilege as well as heuristic behavior monitoring, risk-based policies, masking of sensitive information, and regular auditing of use and access…but yeah, that’s just me. 😉

Other industries and verticals that have more at stake with application development tend to rightfully prioritize SQL injection more so than others. To which degree however ranges from extremely aggressive to hardly not at all. The goal here is not to detect and respond but to prevent altogether. Several defence strategies would be to have multiple DB users and demonstrate the concept of Least Privilege. Also you would want to implement aggressive input validation and escaping all user-supplied input. If you’d like to know more, I strongly recommend you check out the OWASP recommendations for SQL prevention cheat sheet.

Oh yeah, be sure to check out Bobby-Tables.com. It’s a great resource for learning more and how to prevent SQL Injection.

Leave a Reply

Your email address will not be published. Required fields are marked *