Are You Vulnerable to a SQL Injection Attack?
by Kate Blodgett
December 2008
Intro to SQL Injection Attacks
Using a SQL (Structured Query Language) or MySQL database with your website can leave you vulnerable to “injection attacks”, most commonly known as SQL injection. In this type of attack, fragments of a SQL query are supplied as input to the application by users (clients); the same queries can also be injected by bots (software programs that act like users).
Attacks such as these can be launched to steal identities, cancel transactions, alter financial information, and corrupt, disclose or even destroy data. These attacks frequently allow the attacker to gain administrative control of the database.
Recommendations for Immediate Protection
SQL users may be familiar with brute-force password attacks. The same security measures that protect your SA login (the administrator account that is set up by default on a SQL Server instance) against a brute-force password attack are also recommended as protection against SQL injection. By taking the following steps, you can immediately decrease your vulnerability to these types of attacks.
- Change your SA password to something very complex, more than 20 or 30 characters.
- Include plenty of special characters, numbers, and even extended ASCII characters such as 'ñ'. Don't use this account for anything else.
- Create separate logins for your sites, services, and so on.
- Leave the option to enforce the password policy in place, so that the account continues to be locked out if someone tries to get into it.
Steps to Further Protect Your Environment
It is recommended to configure your SQL Server so that it does not accept remote connections. As an alternative, you can change the port that SQL Server uses for TCP connections from the default of 1433 to some other number, like 10020. Any port number that is not currently in use and not otherwise reserved is a good candidate.
Once you’ve changed your port number, as an added layer of protection, you can set up your firewall to block any unused ports. If possible, only allow access through the firewall on the SQL Server port for your client IP addresses (work or home).
Using these methods, you can reduce the chances that a SQL injection attack on your server will succeed.
Securing your code against SQL injection also means guarding against the following vulnerabilities and techniques:
- Incorrectly filtered escape characters
- Incorrect type handling
- Magic strings
- Vulnerabilities inside the database server
- Blind SQL injection, including:
  - Conditional responses
  - Conditional errors
  - Time delays
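As an added illustration of the first two items above (incorrectly filtered escape characters and incorrect type handling), the following Python script is an example written for this article, not code from the original. It uses an in-memory SQLite table as a stand-in for the site's database; the table, its sample rows, the probe inputs, and the lookup functions are all constructed for the demonstration. It shows a lookup built by string concatenation beside the same lookup using a parameterized query with input validation, which is the fix the list above calls for.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory database standing in for the website's SQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """Incorrectly filtered escape characters: the input is pasted into the
    statement as-is, so a quote inside it terminates the string literal and
    the rest of the input is parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id_vulnerable(conn, user_id):
    """Incorrect type handling: a numeric column is compared with whatever text
    arrived from the client, so the text is never checked to be a number."""
    sql = "SELECT username, email FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Hardened form: the value travels as a bound parameter, never as SQL text,
    so quotes and keywords in it are just characters of the value."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_by_id_safe(conn, user_id):
    """Hardened form: enforce the expected type before the value gets near the
    database, then bind it as a parameter."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user id must be an integer")
    return conn.execute(
        "SELECT username, email FROM users WHERE id = ?", (uid,)
    ).fetchall()


def demo():
    """Run both forms against constructed probe inputs and report the outcome."""
    conn = build_demo_db()
    # Constructed probe: a value containing an unescaped quote and a tautology.
    quote_probe = "x' OR 'a'='a"
    # Constructed probe: text where a number was expected.
    id_probe = "1 OR 1=1"
    results = {
        "vulnerable_rows": len(lookup_user_vulnerable(conn, quote_probe)),
        "safe_rows": len(lookup_user_safe(conn, quote_probe)),
        "vulnerable_id_rows": len(lookup_by_id_vulnerable(conn, id_probe)),
    }
    try:
        lookup_by_id_safe(conn, id_probe)
        results["safe_id_rejected"] = False
    except ValueError:
        results["safe_id_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script shows the concatenated lookups returning every row of the table for inputs that should match nothing, while the parameterized lookups return no rows or reject the input outright. Blind SQL injection (conditional responses, conditional errors and time delays) relies on the same root cause of untrusted text reaching the SQL parser, so the parameterized form closes those variants as well; rejected inputs are also a useful signal to log and alert on.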
Additional Tools Available For Protection
The most common prevention methods focus on ensuring that your code is secure, that your database security measures are properly enforced, and that SQL injection traffic is blocked before it reaches your web server.
Using a Unified Threat Management (UTM) device is one of the most effective measures available to block injection attacks. Even if your code and all other security measures are in place, the sheer volume of traffic arriving at a web server during an injection attack can be high enough to impair your website or services, and can even be enough to disable your website. A UTM device filters the SQL injection traffic before it ever reaches your server.
That is why filtering SQL injection traffic at the firewall level is highly recommended, even if you have never been attacked before.
If you are interested in discussing how you can better protect your data assets and hosting solution, please contact our Sales Specialists today at 800-446-7627, or via Live Chat.