SQL Injection Attack: What is it, and how to prevent it. | ZDNet
The way that Yahoo! was hacked, a SQL Injection attack, is the same method behind many other hacks in the news recently. SQL Injection attacks are common for the following reasons:

- the prevalence of SQL Injection vulnerabilities;
- databases are attractive targets because they typically contain critical application information;
- the approach (i.e., the hack) is not new and is well documented on dozens of forums.

While TechCrunch (http://techcrunch.com/2012/07/12/yahoo-confirms-apologizes-for-the-email-hack-says-still-fixing-plus-check-if-you-were-impacted-non-yahoo-accounts-apply/) reported that many users were employing ridiculously weak passwords such as 12345 and password, having a strong password, as I wrote about recently in Fighting back against Anonymous, LulzSec and the global cyber insurgency (http://www.zdnet.com/fighting-back-against-anonymous-lulzsec-and-the-global-cyberinsurgency-6001080451/), is worthless if the site servers or applications are not configured or patched appropriately.
So, what is a SQL Injection attack? The point of an SQL Injection attack is to compromise a database, which is an organized collection of data and supporting data structures. The data can include user names, passwords, text, etc. Structured Query Language (SQL) is the programming language used to manage data in a database, or more precisely in a relational database management system (RDBMS). The types of management systems that employ Structured Query Language include Microsoft SQL Database, Oracle, MySQL, PostgreSQL, and others. A simple example to get basic information out of a table would be the following:

Select * from table_name

This statement uses a wildcard (*) to return the contents of the table. The hack could also include inserting information into the database, like a new user for the purposes of doing bad things:

insert into users(username,userid) values("HackerBob","hb123");

The point of the hack is not just to get information from the target site. Depending on the intention of the malicious hooligans attacking you, it can include bypassing logins, accessing data as in the Yahoo! case, modifying the content of a website as when hackers replace the website with a new front page, or simply shutting down the server. Often it is a combination of the above.

Step one of the attack is to scan sites to see if a vulnerability exists. Believe it or not, a hacker's best friend is Google. Employing Google dorks, a hacker is able to search for vulnerabilities using Google tricks. After a site is identified, a hacker will attempt to gain a foothold and search for files containing usernames and directories that are known to contain sensitive data. The attack is opportunistic and does not take a lot of research or a large team to pull off. In fact, you can go to Google directly and enter one of the following commands, as illustrated in an Ethical Hacking Tutorial (http://www.breakthesecurity.com/2010/12/hacking-website-using-sql-injection.html) online:
From the listing of sites that Google returns, you will then need to check each site for vulnerabilities. www.TargetSite.com + inurl:index.php?id=

In fact, the first site that comes back when you run inurl:article.php?id= in Google is also the topic of discussion on the hacker site HackForums.net (http://www.hackforums.net/index.php). The discussion starts: "http://www.targetsite.org/article.php?id=129. SQL The website is listed as having only one column, so I run into problems when I try to..." The forum allows for collaboration between hackers. Yikes! I found an email for the targeted site and contacted them regarding the vulnerability. Hopefully, they will forward the email to someone who can take appropriate action.

The good news here is that these attacks are very simple to prevent or avoid. The Open Web Application Security Project has a SQL Injection Prevention Cheat Sheet (https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet), which outlines primary and additional defenses. The primary defenses include:

- Prepared Statements (Parameterized Queries): parameterized queries force developers to define all the SQL code first and then pass in each parameter to the query, which allows the database to distinguish between code and data, regardless of what input is supplied.
- Stored Procedures: a stored procedure is defined and stored in the database itself, and then called from the application, rather than being something that a user is allowed to enter.
- Escaping All User Supplied Input: each DBMS supports one or more character escaping schemes specific to certain kinds of queries. If you escape all user supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities.

Additional defenses include:

- Least Privilege: minimizing the privileges assigned to every database account, so that users have enough permission to do their job, but no more.
- White List Input Validation: input validation is used to detect unauthorized input before it is processed by the application, thereby preventing the attack.
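As an added illustration of the first and last defenses above (example code written for this edit, not from the article, ZDNet or OWASP), here is the vulnerable form of a user lookup beside its parameterized form, plus a white-list check for a numeric id parameter like the article.php?id= value seen earlier. It uses Python's built-in sqlite3 with a constructed in-memory users table; the table, its rows, the function names and the probe string are all assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (assumption, not from the article): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, userid TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "a001", "admin"), ("bob", "b002", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' form, defective on purpose: the value is spliced into the
    SQL text, so a quote character in the input becomes part of the code the
    database parses and runs."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """OWASP's primary defense: the SQL code is fixed by the developer and the
    value is bound to the ? placeholder, so it is only ever compared as data,
    never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# White-list pattern for an id parameter such as article.php?id=129:
# one to nine ASCII digits and nothing else (assumed policy).
_ID_PATTERN = re.compile(r"[0-9]{1,9}")


def is_valid_article_id(raw):
    """True only when the raw query-string value matches the white list."""
    return _ID_PATTERN.fullmatch(raw) is not None


def validate_article_id(raw):
    """Reject anything outside the white list before it reaches any query."""
    if not is_valid_article_id(raw):
        raise ValueError("rejected id parameter: %r" % (raw,))
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    # Constructed probe (the textbook single-quote test): a normal login name
    # matches at most one row; this one rewrites the vulnerable query's WHERE.
    probe = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))      # every row
    print("parameterized:", lookup_parameterized(db, probe))   # no rows
    print("id check     :", is_valid_article_id("129"), is_valid_article_id("129 OR 1=1"))
```

Run it and the vulnerable lookup hands back every user for the probe string while the parameterized lookup returns nothing, because the bound value is compared literally. The white list does the same job one step earlier for the id parameter: a value that is not purely digits never becomes part of a query at all.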
Have you experienced an SQL Injection hack at your organization? How did your organization combat the attack? Let me know. Topics: Security, Data Management, Microsoft, Open Source, Oracle
Talkback
yoroto
14 July, 2012 07:05
:)
I am a single biker woman. My friend told me about___seekingbikers.com___she told me it is the best place for bikers to find Friendship, Love, and Romance! I have tried, it is fantastic, hundreds of thousands of hot biker men and biker babes are there. Come in and give it a shot, you will find your biker match to share the passion for motorbikes! :)
ChristinaSpears
14 July, 2012 14:59
droidfromsd
15 July, 2012 21:48
interface, to which all the DBMS-specific back ends conform. That lets you write a single common set of DBMS-independent code. In short, use a language that saves you work, and you will write better code. Oh, and XKCD made fun of this in its "Bobby Tables" cartoon years ago.
ldo17
14 July, 2012 09:19
XKCD
I've got that one Bookmarked. :D
lehnerus2000
15 July, 2012 02:29
leonadams
20 July, 2012 13:52
Database security
Although most SQL-DBMSs provide comprehensive security facilities, it is surprising how many web applications still use a single login for all users. This is a fundamental security flaw. If a user uses SQL injection techniques they can see and manipulate all data in the database. If database security is used properly then a particular user can only do what they could do anyway through the application. I've even seen occasions where the single user used for web access was the system administrator - which means SQL injection could effectively drop the entire database. Many web developers reject using DBMS security, but they are neglecting a powerful tool. Of course, database security won't protect from a denial of service attack that, for example, issues a query doing a Cartesian product on every table in the database. However many DBMSs do have load limiting facilities for particular users that would help prevent this.
The main message is DBMSs are sophisticated tools and considerable benefit accrues from using the in-built functionality rather than trying to build it yourself.
jorwell
14 July, 2012 12:25
What I use...
I have put in place:
- parametrized queries
- stored procedures
- white listing of users' words, e.g. we simply refuse SQL words drop, delete, truncate, insert, update, etc. (I realise we are lucky we actually can do that)
- the web user can only read 99pc of the tables and can update just a few through SP.

I am lucky our website has so far resisted every attack. We have seen dozens despite being a small shop. But I am sure if hackers really wanted to they would find a way in... Our FTP was hacked twice for storing porn movies. So we have moved to white listing the FTP. Only the client IP can access a given account. This is a constant battle and a direct cost to online businesses. I think more needs to be done by OS vendors, governments and ISPs to better track attackers and hackers.
Drakkhen
14 July, 2012 13:30
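The two comments above make the same point from different angles: give the web tier a database account that can only read, and let the DBMS bound the work a single query may do. Python's built-in sqlite3 has no GRANT statement, but its authorizer callback and progress handler play the same roles, so this added example (written for this edit, not code from the article, the commenters or any project) uses them as stand-ins. The table contents, the set of denied actions, the step budget and the function names are assumptions; on a real DBMS the first half corresponds to creating a separate web account with SELECT-only grants, and the second to whatever per-user resource limits that DBMS offers.

```python
import sqlite3

# Actions the read-only web account must never perform (assumed policy).
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_ALTER_TABLE,
}


def _read_only_authorizer(action, arg1, arg2, db_name, source):
    # SQLite consults this for every operation while compiling a statement;
    # denying any write action makes the whole statement fail to prepare,
    # so an injected DELETE or DROP never executes.
    return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK


class QueryBudget:
    """Abort any single statement that consumes more than max_steps ticks."""

    def __init__(self, max_steps):
        self.max_steps = max_steps
        self.steps = 0

    def tick(self):
        self.steps += 1
        return self.steps > self.max_steps  # non-zero => SQLite interrupts the query

    def reset(self):
        self.steps = 0


def make_db():
    """Constructed sample data (assumption): a users table and a 200-row helper table
    that is large enough for a Cartesian product to run away."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.execute("CREATE TABLE nums (n INTEGER)")
    conn.executemany("INSERT INTO nums VALUES (?)", [(i,) for i in range(200)])
    return conn


def web_account(conn, max_steps=500):
    """Drop the connection to the privileges the web tier should have:
    read-only, with a bounded amount of work per statement."""
    budget = QueryBudget(max_steps)
    conn.set_authorizer(_read_only_authorizer)
    conn.set_progress_handler(budget.tick, 100)  # one tick per 100 VM instructions
    return budget


def run_as_web(conn, budget, sql):
    """Execute one statement under the web account and report the outcome."""
    budget.reset()
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    db = make_db()
    limit = web_account(db)
    for statement in (
        "SELECT username FROM users ORDER BY username",
        "DELETE FROM users",                             # refused: not authorized
        "DROP TABLE users",                              # refused: not authorized
        "SELECT count(*) FROM nums a, nums b, nums c",   # refused: interrupted
    ):
        print(statement, "->", run_as_web(db, limit, statement))
```

The read query succeeds, the two writes are refused before they run, and the three-way Cartesian product is interrupted once it exceeds the budget, after which the connection keeps serving small queries normally. That is exactly the property the comment describes: even where the application layer lets injected SQL through, the account it runs as cannot do more than the application itself was allowed to do.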
the_tyrant
14 July, 2012 21:56
Really?
It is just SQL
Duke E Love
15 July, 2012 03:17
TRUTH:
.... my people say that only iOS stuff can be harmed by this! ZuneResurection.blogspot.com
Ballmerfeld
14 July, 2012 23:30
There is no excuse
for anyone to fall prey to a SQL injection attack these days. Well, if you are using the right languages, and know what you are doing that is.
Zheldon
15 July, 2012 03:45
No Excuse
Thanks for your comment. Agreed. It is surprising how many high profile sites have been taken down by this type of attack, given it is so easy to prevent. Gery Menegaz
gery.menegaz
15 July, 2012 21:14
Xamppitis
Can make anyone look like a web genius, yet truly dangerous in the wrong hands.
Tired Tech
17 July, 2012 00:54
beau parisi
15 July, 2012 17:24
I Don't Think So
The "make and model" of the database back-end has little to do with SQL injection. It's the front-end that allows SQL injection to occur.
scotton1
10 September, 2012 04:42
Organik Hayat
16 July, 2012 18:50
leonadams
20 July, 2012 14:00