
DA6. SQL injections

Statement

For this discussion assignment, review the Top 10 Web Application Security Risks

Select one of the following topics listed on the page:

  • Injections (focus on SQL injection)
  • Identification and Authentication Failures
  • Broken Access Control
  • Software and Data Integrity Failures

For your post, answer the following:

  • Explain vulnerabilities that allow the attack (as per your selection)
  • Discuss the purpose of the attack (as per your selection).
  • Explain countermeasures to mitigate and/or prevent the attack (as per your selection).
  • Give an example of the attack recorded within the last 12 months to the current date. Who was the victim? What damage was inflicted? What lessons were learned?

Solution

This post discusses the SQL injection vulnerability.

According to OWASP (2021, 1), injection was first on the list of the top 10 web application security risks in 2017; it shifted down only to third place in 2021, as 94% of the applications tested by OWASP had at least one injection flaw such as CWE-97 XSS or CWE-89 SQLI.

The main vulnerability that allows the attack is the lack of input validation and processing: user input is allowed to reach the database layer directly and interact with it, which effectively exposes the database layer to the end user without any restrictions. The main cause of this vulnerability is missing validation, due to lack of knowledge, laziness, or time constraints on the development team.

The purpose of the attack is to gain access to the database, and then (Kingthorin, n.d., 2):

  • Read sensitive data from the database.
  • Modify database data (Insert/Update/Delete).
  • Execute administration operations on the database (such as shutdown DBMS).
  • Recover the content of a given file present on the DBMS file system.
  • Issue commands to the operating system.

To mitigate and/or prevent the attack, the following countermeasures can be taken (OWASP, 2023, 3):

  • All user input must be escaped, parameterized, or sanitized as needed on the boundary of the application.
  • All database queries must be properly prepared using custom utilities or third-party libraries.
  • Add stored procedures to the database layer and use them instead of direct queries.
  • Use the least privilege principle to minimize the damage of a successful attack.

CVE-2023-6063 is an example of an SQLI vulnerability reported on 27 November 2023; it affects WP Fastest Cache, a popular WordPress plugin with over 1 million active installations. The vulnerability involves a username extracted from cookies without proper sanitization and used directly in an SQL query, which exposes the entire database to attackers who manipulate the cookie in question. There are no statistics or reports of successful exploitation of this vulnerability, but it is noted that 600,000 websites are still vulnerable to this attack, a huge number that increases the likelihood of attacks and amplifies the damage (Toulas, 2023, 4).
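To make the countermeasures above and the cookie-username flaw described in the CVE paragraph concrete, here is an added example (written for this post, not code from OWASP, WP Fastest Cache, or the cited articles). It builds a constructed in-memory SQLite table, shows a lookup that concatenates an untrusted username into the query next to one that binds it as a parameter, and adds an allow-list check at the application boundary; the table contents, column names and username rule are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample database standing in for the application's database layer.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_vulnerable(conn, username):
    # The value (imagine it was read from a cookie) is pasted into the SQL text,
    # so the database parser cannot distinguish data from query syntax.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Prepared/parameterized query: the driver sends the value separately from
    # the statement, so it is only ever compared as a string, never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Assumed username policy for the allow-list check at the application boundary.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def lookup_safe(conn, username):
    # Defence in depth: validate on the boundary, then use the parameterized query.
    if not is_valid_username(username):
        raise ValueError("rejected username")
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # quote-breaking input of the kind the post describes
    print("vulnerable:", lookup_vulnerable(db, tautology))    # returns every row
    print("parameterized:", lookup_parameterized(db, tautology))  # returns []
    try:
        lookup_safe(db, tautology)
    except ValueError as exc:
        print("safe:", exc)               # rejected before the database is reached
```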

To conclude, SQLI is a very dangerous vulnerability that can lead to the complete compromise of the database layer and the entire application. It is very important to take the necessary precautions to prevent such attacks and to increase developers’ awareness of them.

References

  1. OWASP. (2021). Introduction - OWASP Top 10:2021. Owasp.org. https://owasp.org/Top10/A00_2021_Introduction/

  2. Kingthorin. (n.d.). SQL Injection. OWASP. Retrieved January 10, 2022, from https://owasp.org/www-community/attacks/SQL_Injection

  3. OWASP. (2023). SQL Injection Prevention - OWASP Cheat Sheet Series. Owasp.org. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

  4. Toulas, B. (2023, November 14). WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks. BleepingComputer. https://www.bleepingcomputer.com/news/security/wp-fastest-cache-plugin-bug-exposes-600k-wordpress-sites-to-attacks/