Get a Marketing Assessment

3 Tips to Help Prevent SQL Injections on Your Website

19 April 2017 / by De'Von Carter

 Raleigh website security

Before we can explain the specifics of a SQL injection attack, It is important that you understand a basic two tier web application architecture. As stated in the name, there are two parts working together to make your website a reality.  The first tier is the web server.  The web server can be considered the frontend, or the server that the end users or customers connect to.  This is where the pretty pictures and content are hosted and displayed.  So, when you go to your favorite website and the page that is presented to you in your web browser (Internet Explorer, Chrome, Firefox, etc…), that is the web server.  The second tier is actually holding the really important data on the website.  

Website Security Video with CarTek Consulting - How to Prevent SSL Injections

For example, when you go to amazon, the first tier is what you see on the amazon page, but the second tier is holding all of your personally identifiable information (PII), pricing, account information, etc.. and the webserver is pulling that information from the second tier so that it is presented to you as you browse for your next purchase and go to check once you made your production selection.  That second tier is called a database.  It holds all of the real data that is most important to you.  There are many different types of databases, but in this instance, we are focusing on the Structured Query Language (SQL) Database.

Raleigh Website Security Scan

Now that we have a better understanding of a two tier web application architecture, let's talk about the actual SQL injection attack.  The way these attacks work is fairly simple, but they can wreak havoc for business and website owners.  If an attacker wanted to execute a sql injection attack, he/she would go to a page where there is a section that allows for user input.  A great example of this is a “contact us” page because there are usually multiple fields that need to be filled out by the end user, customer or in this case the attacker.  The attacker would simply type some very specific characters into the fields and those characters would form actual SQL commands that would tell the second tier or database to perform an action.  The actions could be to add a user, delete a user, dump the contents of the database, or even delete the entire database.  Any of these actions would be very bad for the business/website owner.  

SQL Graphic - Website SecurityDiagram courtesy of Veracode

 

Now that you see what could happen.  Let's turn our focus to some preventative actions that you can take to help protect your business from this type of attack.

  1. Use an Application Protocol Interface (API) that avoids the use of interpreter tools or have a tool that can provide a parameterized input option.
    • Definition of Interpreter -  this is a tool that will see executable input that the attacker typed into the contact us page fields and it will perform the action stated in that input.   This can be bad.
  2. Your website should be developed in a way where special characters can be ignored or escaped.  This will ensure that when an executable command is put into a field by an attacker, the special characters that are required for the commands to execute will be ignored, thus prevent the command from being run on the database.
  3. Use a “white list” of user inputs.  This means that you implement pre-defined user inputs that could be in the form of a dropdown menu.  This will prevent an attacker from having the ability to type in untrusted input.

There are many ways websites are being hacked nowdays.  As you can tell from this list, you will need to work with your website developer to implement these preventative measures.  If they are a good web developer, they should be familiar with these techniques.  If they are not familiar with these techniques, then reach our team of website security experts.  

 Website Security Scan

 

Topics: web security

De'Von Carter

Written by De'Von Carter

De’Von Carter is a sought after security consultant that holds the designation of Certified Information System Security Professional (CISSP) and Cisco Certified Network Professional (CCNP-R/S). He has more than a decade of experience developing strategic visions for network and security solutions. De’Von is a skilled wireless network penetration tester and holds the Offensive Security Wireless Professional (OSWP) certification. His experience includes enterprise network design, implementation of enterprise wireless solutions and network access control (NAC). De’Von has consulted for fortune 500 companies on the implementation of various information security solutions. He has experience leading teams dedicated to remediation efforts required to meet PCI 2.0/3.0 standards. Also, he has developed cyber security strategies that have set the roadmap for future security technology implementations. As a Business Owner and Solutions Architect, he regularly conducts ROI analysis, technology research, and high level design development. His research and recommendations are used by senior and executive level management in large financial institutions to guide strategic, budgetary, and prioritization decisions.

Subscribe to Email Updates