SQL Injection: the Most Widespread Vulnerability of the Last 10 Years

10 years ago the first research on SQL Injection was published. A decade later this vulnerability is still one of the most widespread: a danger for companies and networks.

What Is SQL Injection?

SQL Injection is the most exploited vulnerability in web applications that use relational databases. A hacker can send arbitrary SQL commands to the database, which are then executed by the server, exposing its data to risks we can easily imagine: unauthorized access, loss of all data, and so on.

A SQL Injection attack can occur when a web application uses data supplied by the user without adequate validation or encoding.

Attackers provide input data designed to deceive the SQL interpreter and execute commands that are not present in the application's original code. The interpreter cannot distinguish malicious code from good code, and executes both without problems.

If the attack succeeds, the malicious actor can create, read, update or modify data stored in the database. SQL Injection could allow access to sensitive information such as passwords, social security numbers, customer records and production data, credit cards or other financial data.

When Was SQL Injection Born?

The inventor of SQL Injection was probably Rain Forest Puppy, an IT security expert who first described the attack technique in an article in Phrack in 1998: NT Web Technology Vulnerabilities (note: the article is very technical).

SQL Injection-based attacks have breached many different IT systems of companies and organizations around the world. Here is what happened over 10 years:

• February 1998: Rain Forest Puppy releases the first documents on SQL Injection;
• March 2002: Fashion company Guess is breached and 200,000 credit cards are at risk;
• July 2005: the IT system of the University of Southern California has vulnerable applications;
• December 2006: hackers access 800,000 student records at UCLA (University of California, Los Angeles);
• June 2007: the Microsoft UK site is modified and deleted through SQL Injection;
• April 2008: 500,000 websites are infected with malware through SQL Injection vulnerabilities;
• Year 2008: the Heartland Payment System is breached. 130 million credit cards are stolen;
• August 2010: half a million websites are hit by automated SQL Injection;
• November 2010: the Royal Navy website is attacked;
• March 2011: the list of Expedia customer emails is stolen;
• March 2011: Oracle acquires MySQL, oracle.com is compromised through SQL Injection;
• April 2011: hundreds of thousands of websites are attacked in mass campaigns;
• April 2011: application firewall manufacturer Barracuda Network is breached;
• May 2011: Certification Authority Comodo, able to issue SSL certificates for any Internet site, is breached through one of its partners in Brazil;
• May 2011: six Sony sites are breached: Sony BGM Greece, Sony Music Japan, Sony Canada, Sony Pictures France, Sony Pictures Russia, Sony Music Portugal.
• June 2011: breached: PBS, the Canadian Conservative Party, the CNN website and video-game company Sega.

A malicious hacker has all the tools needed to exploit vulnerabilities in your web application with SQL Injection attacks. For this reason, applications must be developed securely and security checks must be performed on a certain schedule.

If you believe your system may be at risk, have your company's IT systems assessed by IT security professionals: EasyAudit will help you identify the vulnerabilities of your systems. All guaranteed by the EasyAudit Checked seal, a guarantee for your customers.