SQL INJECTION ATTACKS

A SQLI is a type of attack by which cybercriminals exploit software vulnerabilities in web

applications for the purpose of stealing, deleting, or modifying data, or gaining administrative
control over the systems running the affected applications.

How does a SQL injection work?

BREIF HISTORY

Developed in the early 70s, SQL (short for structured query language) is one of the oldest
programming languages still in use today for managing online databases. These databases
contain things like prices and inventory levels for online shopping sites. When a user needs to
access database information, SQL is used to access and present that data to the user. But these
databases can also contain more sensitive and valuable data like usernames and passwords, credit
card information, and social security numbers. This is where SQL injections come into play.

Put simply, a SQL injection is when criminal hackers enter malicious commands into web forms,
like the search field, login field, or URL, of an unsecure website to gain unauthorized access to
sensitive and valuable data.

Working out an example

Here's an example. Imagine going to your favorite online spare parts “auto pro” site. You're
shopping for brakes and you're looking at a different brands, all available with a click of your
mouse. The wonders of technology! Every brake you see exists in a database on some server
somewhere. When you find a brake you like and click on that sock, you're sending a request to
the brake database, and the shopping site responds with the information on the brakes you
clicked. Now imagine your favorite online shopping website is constructed in a slipshod manner,
rife with exploitable SQL vulnerabilities. A cybercriminal can manipulate database queries in
such a way that a request for information about a set of brakes returns the credit card number for
some unfortunate customer. By repeating this process over and over again, a cybercriminal can
plumb the depths of the database and steal sensitive information on every customer that's ever
shopped at your favorite online auto parts site—including you. Taking the thought experiment
even further, imagine you're the owner of this clothing site. You've got a huge data breach on
your hands.

One SQLI attack can net cybercriminals personal information, emails, logins, credit card
numbers, and social security numbers for millions of consumers. Cybercriminals can then
turnaround and sell this personal info on the gloomiest corners of the dark web, to be used for all
kinds of illegal purposes. Stolen emails can be used for phishing and malspam attacks. Malspam
attacks, in turn, can be used to infect victims with all kinds of
destructive malware like ransomware, adware, cryptojackers, and Trojans (e.g. Emotet), to name
a few. Stolen phone numbers for Android and iOS mobile devices can be targeted
with robocalls and text message spam.
Stolen logins from social networking sites can even be used to send message spam and steal even
more logins for additional sites. Malwarebytes Labs previously reported on hacked LinkedIn
accounts being used to spam other users with InMail messages containing bad URLs spoofed, or
faked, to look like a Google Docs login page by which cybercriminals could harvest Google
usernames and passwords.

How can I protect against SQL injections?

Luckily Auto pro cab do something about it. Here's some tips for protecting your web
application against SQL injection attacks.

Update your database management software. 

Your software is flawed as it comes from the manufacturer. This is a fact. There's no such thing
as bug-free software. Cybercriminals can take advantage of these software vulnerabilities, or
exploits, with a SQLI. You can protect yourself by just patching and updating your database
management software.

Enforce the principle of least privilege (PoLP). 

PoLP means each account only has enough access to do its job and nothing more. For example, a
web account that only needs read access to a given database shouldn't have the ability to write,
edit or change data in any way.

Use prepared statements or stored procedures. 

As opposed to dynamic SQL, prepared statements limit variables on incoming SQL commands.
In this way, cybercriminals can't piggyback malicious SQL injections onto legitimate SQL
statements. Stored procedures similarly limit what cybercriminals are able to do by storing SQL
statements on the database, which are executed from the web application by the user.

Hire competent, experienced developers. 

SQLI attacks often result from sloppy coding. Let your software developers know in advance
what you expect as far as security is concerned..

And if you just can't get enough SQL injection in your life, visit the milima for grey Amor a
web security application for all protections
THANKS