The Association of Digital Forensics, Security and Law (ADFSL)
One of the risks to a company operating a public-facing website with a Structure Query Language (SQL) database is an attacker exploiting the SQL injection vulnerability. An attacker can cause an SQL database to perform actions that the developer did not intend like revealing, modifying, or deleting sensitive data. This can cause a loss of confidentiality, integrity, and availability of information in a company’s database, and it can lead to severe costs of up to $196,000 per successful injection attack (NTT Group, 2014). This paper discusses the history of the SQL injection vulnerability, focusing on:
- How an attacker can exploit the SQL injection vulnerability
- When the SQL injection attack first appeared
- How the attack has changed over the years
- Current techniques to defend adequately against the attack
The SQL injection vulnerability has been known for over seventeen (17) years, and the countermeasures are relatively simple compared to countermeasures for other threats like malware and viruses. The focus on security-minded programming can help prevent a successful SQL injection attack and avoid loss of competitive edge, regulatory fines and loss of reputation among an organization’s customers.
Alghamdi, A., Ahmad, B., & Imran, M. (November, 2015). SQL injection attack, still an unaddressed issue with dynamic web applications. International Journal of Computer Science Engineering, 4(6).
Anthony, S. (2011, April 27). How the Playstation Network was hacked. Retrieved October 16, 2016, from Extreme Tech website: http://www.extremetech.com/gaming/8421 8-how-the-playstation-network-was-hacked
Cisco. (2016, February 15). Understanding SQL injection. Retrieved July 19, 2016, from Cisco website: http://www.cisco.com/c/en/us/about/secu rity-center/sql-injection.html#6
Cox, J. (2015, November 20). The history of SQL injection, the hack that will never go away. Retrieved July 17, 2016, from Motherboard website: http://motherboard.vice.com/read/thehistory- of-sql-injection-the-hack-that-willnever- go-away
Department of Justice. (2013, July 25). Five indicted in New Jersey for largest known data breach conspiracy. Retrieved October 18, 2016, from Department of Justice website: https://www.justice.gov/usaonj/ pr/five-indicted-new-jersey-largestknown- data-breach-conspiracy
Forristal, J. (2016). Jeff Forristal LinkedIn profile. Retrieved August 29, 2016, from LinkedIn website: https://www.linkedin.com/in/jeffforristal
Gates, B. (2002, January 15). Bill Gates: Trustworthy computing. Retrieved August 30, 2016, from Wired.com website: http://www.wired.com/2002/01/bill-gatestrustworthy- computing/
Halfond, W & Orso, A. (2005). AMNESIA: Analysis and monitoring for NEutralizing SQL-Injection attacks. Proceedings of the Automated Software Engineering Conference 2005, Long Beach, CA. Retrieved from http://wwwbcf. usc.edu/~halfond/papers/halfond05ase. pdf
Halfond, W., Viegas, J., & Orso, A. (2006). A classification of SQL injection attacks and countermeasures. Retrieved September 1, 2016, from Georgia Institute of Technology website: http://www.cc.gatech.edu/fac/Alex.Orso/p apers/halfond.viegas.orso.ISSSE06.pdf
Henderson, N. (2011, June 3). Hackers attack Sony Pictures with single SQL injection. Retrieved October 18, 2016, from The Whir website: http://www.thewhir.com/web-hostingnews/ hackers-attack-sony-pictures-withsingle- sql-injection
Henderson, N. (2011, May 24). Sony estimates $171M in losses from Playstation Network outage, more from earthquake. Retrieved October 18, 2016, from The Whir website: http://www.thewhir.com/web-hostingnews/ sony-estimates-171m-in-losses-fromplaystation- network-outage-more-fromearthquake
Hunag, Y., Huang, S., Lin, T., & Tsai, C. (2003, May). Web application security assessment by fault injection and behavior monitoring. Proceedings of the 12th International Conference on World Wide Web, Budapest, Hungary, 148-159. Retrieved from http://dl.acm.org/citation.cfm?doid=77515 2.775174
Kemalis, K., & Tzouramanis, T. (2008, March). SQL-IDS: a specification-based approach for SQL-injection detection. Proceedings of the 2008 ACM Symposium on Applied Computing, March16-20, 2008. Fortaleza, Brazil. Retrieved from http://dl.acm.org/citation.cfm?doid=13636 86.1364201
Kindy, D., & Pathan, A. (2013). A Detailed Survey on various aspects of SQL Injection in Web Applications; Vulnerabilities, Innovative Attacks and Remedies. Internation Journal of Communication Networks and Information Security , 80-92.
Kitten, T. (2013, July 26). Card fraud scheme: The breached victims. Retrieved October 18, 2016, from Bank Info Security website: http://www.bankinfosecurity.com/cardfraud- scheme-breached-victims-a-5941
Lewis, D. (2015, May). Heartland payment systems suffers data breach. Forbes.com. Retrieved from https://www.forbes.com/sites/davelewis/20 15/05/31/heartland-payment-systemssuffers- data-breach/#7f5798a2744a
Lewis, P. (1999, April 1). State of the art; Melissa and her cousins. Retrieved August 30, 2016, from The New York Times website: http://www.nytimes.com/1999/04/01/tech nology/state-of-the-art-melissa-and-hercousins. html
McDonald, S. (2002, April 8). SQL injection: Modes of attack, defence, and why it matters. Retrieved July 17, 2016, from SANS Institute: https://www.sans.org/readingroom/ whitepapers/securecode/sql-injectionmodes- attack-defence-matters-23
NIST. (2010, February). NIST Special Publication 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems Revision 1. Retrieved August 29, 2016, from NIST website: http://csrc.nist.gov/publications/nistpubs/ 800-37-rev1/sp800-37-rev1-final.pdf
NTT Group. (2016). 2016 NTT Group Global Threat Intelligence Report. NTT Group Security.
NTT Group. (2014). NTT Group 2014 Global Threat Intelligence Report. NTT Innovation Institute.
OWASP. (2013). OWASP Top 10 - 2013: The ten most critical web application security risks. OWASP.
OWASP. (2016, April 10). SQL injection. Retrieved July 17, 2016, from OWASP website: https://www.owasp.org/index.php/SQL_in jection
OWASP. (2016, May 25). SQL injection prevention cheat sheet. Retrieved July 19, 2016, from OWASP website: https://www.owasp.org/index.php/SQL_I njection_Prevention_Cheat_Sheet
Poeter, D. (2011, September 8). How cybersecurity has changed since 9/11. Retrieved August 30, 2016, from PCMag website: http://www.pcmag.com/article2/0,2817,23 92642,00.asp
Poore, K. (2001, November 11). Nimda worm - Why is it different? Retrieved August 31, 2016, from SANS website: https://www.sans.org/readingroom/ whitepapers/malicious/nimda-wormdifferent- 98 rain.forest.puppy. (1998, December 25). NT web technology vulnerabilities. Phrack Magazine , 8 (54).
Shankdhar, P. (2015, April 28). Best free and open source SQL injection tools. Retrieved August 29, 2016, from Infosec Institute website: http://resources.infosecinstitute.com/bestfree- and-open-source-sql-injection-tools/
Shar, L., & Tan, H. (2013, March). Defeating SQL injection. Computer. 46(3). Retrieved from https://www.computer.org/csdl/mags/co/2 013/03/mco2013030069.pdf
Tham, A. (2001, August 4). What is Code Red worm? Retrieved August 31, 2016, from SANSwebsite: https://www.sans.org/readingroom/ whitepapers/malicious/code-redworm- 45
The Telegraph. (2009, March 18). Top 10 worst computer viruses. Retrieved August 31, 2016, from The Telegraph website: http://www.telegraph.co.uk/technology/50 12057/Top-10-worst-computer-viruses-ofall- time.html
Ward, M. (2010, May 4). A decade on from the ILoveYou bug. Retrieved August 30, 2016, from BBC website: http://www.bbc.com/news/10095957
Wisniewski, C. (2011, May 24). Sony Music Japan hacked through SQL injection flaw. Retrieved October 18, 2016, from Sophos website: https://nakedsecurity.sophos.com/2011/05 /24/sony-music-japan-hacked-through-sqlinjection- flaw/
Wood, P. (2011, February 10). 10th anniversary of the Anna Kournikova virus. Retrieved August 31, 2016, from Symantec website: http://www.symantec.com/connect/blogs/ 10th-anniversary-anna-kournikova-virus
Horner, Matthew and Hyslip, Thomas
"SQL Injection: The Longest Running Sequel in Programming History,"
Journal of Digital Forensics, Security and Law: Vol. 12
, Article 10.
Available at: http://commons.erau.edu/jdfsl/vol12/iss2/10