The Association of Digital Forensics, Security and Law (ADFSL)


One of the risks to a company operating a public-facing website with a Structure Query Language (SQL) database is an attacker exploiting the SQL injection vulnerability. An attacker can cause an SQL database to perform actions that the developer did not intend like revealing, modifying, or deleting sensitive data. This can cause a loss of confidentiality, integrity, and availability of information in a company’s database, and it can lead to severe costs of up to $196,000 per successful injection attack (NTT Group, 2014). This paper discusses the history of the SQL injection vulnerability, focusing on:

  • How an attacker can exploit the SQL injection vulnerability
  • When the SQL injection attack first appeared
  • How the attack has changed over the years
  • Current techniques to defend adequately against the attack

The SQL injection vulnerability has been known for over seventeen (17) years, and the countermeasures are relatively simple compared to countermeasures for other threats like malware and viruses. The focus on security-minded programming can help prevent a successful SQL injection attack and avoid loss of competitive edge, regulatory fines and loss of reputation among an organization’s customers.


Alghamdi, A., Ahmad, B., & Imran, M. (November, 2015). SQL injection attack, still an unaddressed issue with dynamic web applications. International Journal of Computer Science Engineering, 4(6).

Anthony, S. (2011, April 27). How the Playstation Network was hacked. Retrieved October 16, 2016, from Extreme Tech website: http://www.extremetech.com/gaming/8421 8-how-the-playstation-network-was-hacked

Cisco. (2016, February 15). Understanding SQL injection. Retrieved July 19, 2016, from Cisco website: http://www.cisco.com/c/en/us/about/secu rity-center/sql-injection.html#6

Cox, J. (2015, November 20). The history of SQL injection, the hack that will never go away. Retrieved July 17, 2016, from Motherboard website: http://motherboard.vice.com/read/thehistory- of-sql-injection-the-hack-that-willnever- go-away

Department of Justice. (2013, July 25). Five indicted in New Jersey for largest known data breach conspiracy. Retrieved October 18, 2016, from Department of Justice website: https://www.justice.gov/usaonj/ pr/five-indicted-new-jersey-largestknown- data-breach-conspiracy

Forristal, J. (2016). Jeff Forristal LinkedIn profile. Retrieved August 29, 2016, from LinkedIn website: https://www.linkedin.com/in/jeffforristal

Gates, B. (2002, January 15). Bill Gates: Trustworthy computing. Retrieved August 30, 2016, from Wired.com website: http://www.wired.com/2002/01/bill-gatestrustworthy- computing/

Halfond, W & Orso, A. (2005). AMNESIA: Analysis and monitoring for NEutralizing SQL-Injection attacks. Proceedings of the Automated Software Engineering Conference 2005, Long Beach, CA. Retrieved from http://wwwbcf. usc.edu/~halfond/papers/halfond05ase. pdf

Halfond, W., Viegas, J., & Orso, A. (2006). A classification of SQL injection attacks and countermeasures. Retrieved September 1, 2016, from Georgia Institute of Technology website: http://www.cc.gatech.edu/fac/Alex.Orso/p apers/halfond.viegas.orso.ISSSE06.pdf

Henderson, N. (2011, June 3). Hackers attack Sony Pictures with single SQL injection. Retrieved October 18, 2016, from The Whir website: http://www.thewhir.com/web-hostingnews/ hackers-attack-sony-pictures-withsingle- sql-injection

Henderson, N. (2011, May 24). Sony estimates $171M in losses from Playstation Network outage, more from earthquake. Retrieved October 18, 2016, from The Whir website: http://www.thewhir.com/web-hostingnews/ sony-estimates-171m-in-losses-fromplaystation- network-outage-more-fromearthquake

Hunag, Y., Huang, S., Lin, T., & Tsai, C. (2003, May). Web application security assessment by fault injection and behavior monitoring. Proceedings of the 12th International Conference on World Wide Web, Budapest, Hungary, 148-159. Retrieved from http://dl.acm.org/citation.cfm?doid=77515 2.775174

Kemalis, K., & Tzouramanis, T. (2008, March). SQL-IDS: a specification-based approach for SQL-injection detection. Proceedings of the 2008 ACM Symposium on Applied Computing, March16-20, 2008. Fortaleza, Brazil. Retrieved from http://dl.acm.org/citation.cfm?doid=13636 86.1364201

Kindy, D., & Pathan, A. (2013). A Detailed Survey on various aspects of SQL Injection in Web Applications; Vulnerabilities, Innovative Attacks and Remedies. Internation Journal of Communication Networks and Information Security , 80-92.

Kitten, T. (2013, July 26). Card fraud scheme: The breached victims. Retrieved October 18, 2016, from Bank Info Security website: http://www.bankinfosecurity.com/cardfraud- scheme-breached-victims-a-5941

Lewis, D. (2015, May). Heartland payment systems suffers data breach. Forbes.com. Retrieved from https://www.forbes.com/sites/davelewis/20 15/05/31/heartland-payment-systemssuffers- data-breach/#7f5798a2744a

Lewis, P. (1999, April 1). State of the art; Melissa and her cousins. Retrieved August 30, 2016, from The New York Times website: http://www.nytimes.com/1999/04/01/tech nology/state-of-the-art-melissa-and-hercousins. html

McDonald, S. (2002, April 8). SQL injection: Modes of attack, defence, and why it matters. Retrieved July 17, 2016, from SANS Institute: https://www.sans.org/readingroom/ whitepapers/securecode/sql-injectionmodes- attack-defence-matters-23

NIST. (2010, February). NIST Special Publication 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems Revision 1. Retrieved August 29, 2016, from NIST website: http://csrc.nist.gov/publications/nistpubs/ 800-37-rev1/sp800-37-rev1-final.pdf

NTT Group. (2016). 2016 NTT Group Global Threat Intelligence Report. NTT Group Security.

NTT Group. (2014). NTT Group 2014 Global Threat Intelligence Report. NTT Innovation Institute.

OWASP. (2013). OWASP Top 10 - 2013: The ten most critical web application security risks. OWASP.

OWASP. (2016, April 10). SQL injection. Retrieved July 17, 2016, from OWASP website: https://www.owasp.org/index.php/SQL_in jection

OWASP. (2016, May 25). SQL injection prevention cheat sheet. Retrieved July 19, 2016, from OWASP website: https://www.owasp.org/index.php/SQL_I njection_Prevention_Cheat_Sheet

Poeter, D. (2011, September 8). How cybersecurity has changed since 9/11. Retrieved August 30, 2016, from PCMag website: http://www.pcmag.com/article2/0,2817,23 92642,00.asp

Poore, K. (2001, November 11). Nimda worm - Why is it different? Retrieved August 31, 2016, from SANS website: https://www.sans.org/readingroom/ whitepapers/malicious/nimda-wormdifferent- 98 rain.forest.puppy. (1998, December 25). NT web technology vulnerabilities. Phrack Magazine , 8 (54).

Shankdhar, P. (2015, April 28). Best free and open source SQL injection tools. Retrieved August 29, 2016, from Infosec Institute website: http://resources.infosecinstitute.com/bestfree- and-open-source-sql-injection-tools/

Shar, L., & Tan, H. (2013, March). Defeating SQL injection. Computer. 46(3). Retrieved from https://www.computer.org/csdl/mags/co/2 013/03/mco2013030069.pdf

Tham, A. (2001, August 4). What is Code Red worm? Retrieved August 31, 2016, from SANSwebsite: https://www.sans.org/readingroom/ whitepapers/malicious/code-redworm- 45

The Telegraph. (2009, March 18). Top 10 worst computer viruses. Retrieved August 31, 2016, from The Telegraph website: http://www.telegraph.co.uk/technology/50 12057/Top-10-worst-computer-viruses-ofall- time.html

Ward, M. (2010, May 4). A decade on from the ILoveYou bug. Retrieved August 30, 2016, from BBC website: http://www.bbc.com/news/10095957

Wisniewski, C. (2011, May 24). Sony Music Japan hacked through SQL injection flaw. Retrieved October 18, 2016, from Sophos website: https://nakedsecurity.sophos.com/2011/05 /24/sony-music-japan-hacked-through-sqlinjection- flaw/

Wood, P. (2011, February 10). 10th anniversary of the Anna Kournikova virus. Retrieved August 31, 2016, from Symantec website: http://www.symantec.com/connect/blogs/ 10th-anniversary-anna-kournikova-virus



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.