Security Vulnerability AdvisorySQL Injection Attacks

Nicholas DavisDecember 16, 2010

OverviewExecutive SummarySQL Injection Threat DefinedRisk of SQL Injection AttackImpact of SQL Injection AttackPotential Costs and PenaltiesThreat LevelRecommendationsOrganizational ConstraintsPhase I Immediate ResponsePhase II Medium Range ResponsePhase III Long Term ResponseSuggested Next StepsOther SourcesQuestions

Executive Summary

• A security related vulnerability in SQL software code has been identified

• Data at risk for unauthorized access, alteration, theft and misuse

• Both risk and impact are high, meaning overall threat level is high

• Take a three step approach to mitigate the threat

SQL Injection Threat Defined• Attacker adds Structured Query Language

(SQL) code to a Web form input box to gain access to resources or make changes to data.

• Usually, values are inserted into a SELECT query

• Interact with the database in illicit ways, including making unauthorized changes, which would damage data integrity

Example of SQL Injection

Risk of SQL Injection is High• Manual attack

• Automated attack

• Risk of SQL injection exploits is on the rise due to the proliferation of automated attack tools.

Impact of SQL Injection is High

• Allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Costs and Penalties

• HIPAA, FERPA, PCI

• Fines, penalties, lawsuits

• Prison in extreme cases

• Image and reputation

Threat Level is High

• As both the risk and potential impact of an SQL injection attack are rated as high, the overall threat level is also rated as high, meaning that an SQL injection attack is very likely to occur and that the damage which could be caused by such an attack is capable of being devastating.

Recommendations

• It is recommended that the organization take immediate as well as phased-in action, to mitigate the risk of an SQL Injection Attack on our database application.

• Three phases, ranging from immediate to medium range to long term

Organizational Constraints

• Organizational constraints are extensive

• Complex work/project

• Time required (280 hours)

• Cost is $25,000

• Other priorities

Phase I - Immediate• Leverage the organization’s

centralized login service to place authentication protection in front of the database.

• Does not fix the underlying SQL injection software code, it does place a perimeter of protection around the vulnerable database

• Inexpensive, easy to implement

Phase II – Medium Range

• Next 90 days, develop a specific project plan and work plan to re-write the vulnerable software application.

• Present to upper management, outlining the risks and impacts of this threat and a solid case can be made for staff time and funding required to prioritize and fix the software application.

Phase III – Long Term

• As time and budgets permit, ask the software engineers to attend training sessions

• Will ensure that database software applications built in the future will has SQL Injection Attack security baked in from the beginning

Next Steps• Obtain management’s permission to immediately

proceed with the tactical authentication solution, to place a perimeter of security around the vulnerable SQL software code.

• Develop a presentation for upper management which describes the threat posed by an SQL Injection Attack and ask for their permission to develop a project plan and work plan to re-write the vulnerable database software application, beginning three months from now.

• Contact the education department and ask them to research dates and costs for SQL Injection Attack training for software engineers, over the course of the next year.

More Details

• http://www.owasp.org/index.php/SQL_Injection• http://www.owasp.org/index.php/SQL_Injection_

Prevention_Cheat_Sheet• http://en.wikipedia.org/wiki/Sql_injection

Questions

• Is the information clear?

• Would you like more details?

• How would like to proceed?

• How can I help you?

• Other