SQL injection and Magecart

I acutely remember when the first news about SQL injection attacks was published. I was enthralled with the hacking world, spending many nights searching Internet Relay Chat (IRC) channels, swapping zero-day exploits and often speaking in l33t speak to people across the globe. Although 1998 saw the first real public discussions about SQL injection, it was being discussed in private forums for some time before.

At the time, database-driven websites were just becoming popular and one of the things that made SQL injection attacks interesting was that they could be used to dump entire caches of data. Website attacks were nothing new, but save a few exceptions, most were limited to being able to deface a few pages, or alter server-side code. With SQL injection, however, a hacker could now obtain an entire database’s contents, including tables that contained sensitive information such as user credentials. When you consider that techniques such as password hashing had not yet become common practice, it certainly made for an interesting time.


How SQL injection attacks work

SQL injection attacks occur when a website developer doesn’t sanitize user-supplied data and an attacker takes advantage of this mistake to perform some form of malicious action. Consider something as simple as a product lookup on a fashion retailer’s website: a user enters what they are searching for, and that input is used to perform a lookup in a database.

In this scenario, the logic is pretty straightforward: an HTML form presents the user with a product search box, the user types what they are looking for and sends it back to the web server, which uses this data as part of its SQL query. This query should look something like this:

SELECT * FROM products WHERE NAME LIKE 'pink dress';

Under normal circumstances, the website code uses the value passed back from the visitor’s browser (e.g. pink dress) to construct its query. But not every visitor has good intentions.

The main security challenge posed by SQL is that SQL statements can be chained together, meaning that one command can follow another in the same request. If the database API in use accepts several statements per call, a statement completes without error, and another command is present after the semicolon, the database will process both. (Many drivers refuse stacked statements by default, which blunts this particular payload but does not remove the underlying injection flaw.) This becomes problematic if an attacker formats a search query so that it contains additional SQL, for example:

pink dress'; SELECT * from login_information_table; SELECT '

In this scenario, if the website developer doesn’t check for valid (or, more specifically, invalid) input from the user and simply uses the input to build the query, the SQL would now look like this:

SELECT * FROM products WHERE NAME LIKE 'pink dress'; SELECT * from login_information_table; SELECT '';

Now, instead of the website simply returning the database rows for pink dresses, it would also return every row of the login_information_table table. With very little SQL knowledge, an attacker is able to construct a query which will, in essence, dump an entire database containing all kinds of sensitive information.

How to protect against SQL injection attacks

With all of the available documentation and information sources today, it is amazing that SQL injection attacks are still as prevalent as they are. And even though web languages such as PHP offer SQL-safe functions (prepared statements with bound parameters), many developers still use their non-safe equivalents.

Protection from SQL injection attacks really begins at the code level and originates in good programming practices, good QA, and the correct usage of API calls. Developers should always validate and sanitize user input, treating everything as dangerous unless explicitly cleared in the code, and, above all, pass user-supplied values to the database as bound parameters of a prepared statement rather than concatenating them into the query text, so that the data can never be parsed as SQL.
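To make both the chained-query scenario above and the fix concrete, here is an added example written for this article (it is not code from the original post or from Instart) using Python's built-in sqlite3 module and an in-memory database. The product rows, the login_information_table rows and the hash value are constructed sample data; run_stacked() is a small helper, an assumption of this example, that mimics a database API which accepts several statements per call, the behaviour the chained query relies on. vulnerable_search() builds the query the way the article describes, while safe_search() passes the search term as a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for the article's tables.
SAMPLE_SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE login_information_table (username TEXT, password_hash TEXT);
INSERT INTO products (name) VALUES ('pink dress'), ('blue dress'), ('pink hat');
INSERT INTO login_information_table VALUES ('admin', 'PLACEHOLDER-HASH-VALUE');
"""

# The search term from the article: it closes the string literal, appends a
# second statement, and opens a new literal so the trailing quote is consumed.
INJECTED_INPUT = "pink dress'; SELECT * from login_information_table; SELECT '"


def build_demo_db():
    """Create the in-memory demo database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def run_stacked(conn, script):
    """Execute every statement in `script` and return all result rows.

    Python's sqlite3 refuses more than one statement per execute() call, so
    this helper (an assumption of the example) stands in for a driver that
    does allow stacked statements, such as PHP's mysqli_multi_query.
    sqlite3.complete_statement() finds statement boundaries the way the SQL
    parser does, so a semicolon inside a quoted string does not split a statement.
    """
    rows, buf = [], ""
    for ch in script:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            rows.extend(conn.execute(buf).fetchall())
            buf = ""
    if buf.strip():
        rows.extend(conn.execute(buf).fetchall())
    return rows


def vulnerable_search(conn, user_input):
    """The article's pattern: splice the raw input straight into the query text."""
    sql = f"SELECT * FROM products WHERE name LIKE '{user_input}';"
    return run_stacked(conn, sql)


def safe_search(conn, user_input):
    """Bound parameter: the value travels separately from the SQL text, so
    quotes and semicolons inside it are data, never syntax."""
    return conn.execute(
        "SELECT * FROM products WHERE name LIKE ?", (user_input,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    print("benign input, vulnerable query:   ", vulnerable_search(conn, "pink dress"))
    print("injected input, vulnerable query: ", vulnerable_search(conn, INJECTED_INPUT))
    print("injected input, parameterised:    ", safe_search(conn, INJECTED_INPUT))
```

With the benign term the vulnerable query returns the one pink dress; with the injected term it also returns the credential row and the empty string from the trailing SELECT. The parameterised query returns nothing for the injected term, because the whole string is compared against product names as a literal. The run_stacked() helper exists only because sqlite3's execute() refuses stacked statements; that refusal limits this specific payload, but input spliced into the query text remains injectable by other means, which is why the bound parameter, not the driver's restriction, is the real fix.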

Code checking on its own is not sufficient, as it is often impossible to review all third-party libraries and components in addition to the core application code. Developers often include functionality created by outside sources, which can contain thousands of lines of code. These inclusions can also introduce vulnerabilities such as SQL injection, so other protections must be put in place to mitigate issues in the event of an exploit being discovered.

Organizations should look to implement technologies like web application firewalls (WAFs) within their application stacks, which examine web traffic to detect instances where SQL fragments are contained within user-submitted data. WAF solutions are especially effective today at preventing SQL injection attacks.
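As an added illustration of what that detection layer looks like at its simplest (example code written for this article, not Instart's product logic), the following Python scans constructed web-server access-log lines for request parameters whose decoded value closes a string literal and then starts a new SQL statement, the shape of the search term shown earlier. The log lines, the client addresses and the STACKED_RE pattern are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (common log format). The third request carries
# the stacked-query search term from the article, URL-encoded as a browser
# would send it; the second is a benign value that merely contains a semicolon.
LOG_LINES = [
    '198.51.100.4 - - [10/May/2019:12:00:01 +0000] "GET /search?q=pink+dress HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/May/2019:12:00:05 +0000] "GET /search?q=dress%3B+size+10 HTTP/1.1" 200 4810',
    '203.0.113.7 - - [10/May/2019:12:00:09 +0000] "GET /search?q=pink+dress%27%3B+SELECT+*+from+login_information_table%3B+SELECT+%27 HTTP/1.1" 200 9933',
]

# One request line per log entry: client address, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A quote (closing a string literal), a statement separator, then a new SQL
# statement keyword. Deliberately narrow: it targets the chained-query shape
# discussed in the article, not SQL injection in general.
STACKED_RE = re.compile(
    r"""['"]\s*;\s*(select|insert|update|delete|drop|union)\b""", re.IGNORECASE
)


def suspicious_params(target):
    """Return (name, decoded value) for every query parameter matching STACKED_RE."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes and turns '+' into spaces, so the rule sees
    # the value the application would see, not its wire encoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if STACKED_RE.search(value):
            hits.append((name, value))
    return hits


def scan_access_log(lines):
    """Return a list of (client_ip, param_name, decoded_value) for each flagged parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; a real WAF would record this too
        for name, value in suspicious_params(m.group("target")):
            findings.append((m.group("ip"), name, value))
    return findings


if __name__ == "__main__":
    for ip, name, value in scan_access_log(LOG_LINES):
        print(f"{ip} param={name!r} value={value!r}")
```

Only the third line is flagged: the benign "dress; size 10" contains a semicolon but never closes a quoted literal first. A pattern rule like this is a signal with both false positives and false negatives, which is why it belongs in the traffic-inspection layer alongside, not instead of, parameterised queries in the code.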


Why SQL injection is connected with Magecart

Because they often allow arbitrary reading and writing of the data used within a web application, SQL injection attacks can be used to inject Magecart malware into websites. In May, security research firm Sanguine Security published an article on a Magecart attack against Magento 2, a popular eCommerce platform. The article highlighted how part of the attack leveraged a SQL injection flaw to steal credentials, enabling the attackers to authenticate to the administrative console.

The authors documented how the attack dumped the contents of the admin_user database table, which contained a list of hashed credentials. These credentials were then cracked and used to log into the Magento dashboard to add the Magecart malware to the website.

Given that the basis of this attack was a SQL injection, this Magecart attack could easily have been prevented had adequate protection, such as a WAF, been implemented.

Instart helps organizations implement layered security

It is essential to implement security with a defense in depth approach. No single area of protection is enough to offer comprehensive coverage. While good coding practices go a long way towards protecting against SQL injection, it's still often difficult to control third-party libraries and the holes which they can introduce into a web application.

SQL injection attacks are avoidable, and even when bugs have been missed in code, there are technologies that provide protection from them. Instart security services include a cloud-based, highly scalable web application firewall (WAF) that offers protection against SQL injection, cross-site scripting, and other common OWASP Top 10 attacks.

When implemented as part of a layered security approach, Instart enables organizations to comprehensively protect their web assets against the modern attack landscape.
