SQL Injection Attack Step by Step Method used by most hackers: Why SQLi still successful?
Well its hard to tell when SQL Injection has been started, but I can definitely say one thing that it became famous when the software world was caught up in Y2K. Software development shops did step up and perform heroics to rescue legacy systems from death by two-digit dating systems. They located the flaws in old code and either fixed them or found ways to work around the problems.
Now its still a BIG QUESTION that how this same IT industry of software developers failed to put a solution in place for the SQL Injection vulnerabilities. If they resolved the BIGGEST SOFTWARE BUG Y2K, then why still SQLi? WHY?
Or maybe it is not just the software industry to blame. Many software vulnerabilities have been fixed, patches and updates have been released, and secure configuration settings have been offered.
Are all the webmasters and site and database administrators out there paying attention?
When I think about what is really allowing SQL injection to remain so successful, four factors come to mind.
1. It is just so easy. Take a few minutes with Google searching for “guide to SQL injection” or “SQL injection how-to,” and you'll find a massive amount of detailed information on how such attacks work, along with lots and lots of examples. SQL injection becomes no more than a cut-and-paste job.
Best Example is: Use Google Dorks To Find Targets For SQL Injection. Google Dork queries that can help you find sites that might be vulnerable for SQL injection attacks. Once you find the target, use SQL Injection Strings to get the ADMIN access. To locate ADMIN PAGE of the site, you can use ADMIN CONTROL PAGE FINDER.
Change your search string to “SQL injection scanner,” and you'll quickly find your way to a myriad of free tools that you can download, then easily point at any website and pinpoint vulnerabilities. With the number of vulnerabilities that we believe are out there, there is almost no limit to the number of easy targets on the internet today.
2. Organizations don't expeditiously apply security patches to their applications or databases. By running old code, organizations expose themselves to attack by leaving known vulnerabilities in their internet-facing applications or the databases that support them. These known vulnerabilities are typically well documented on the internet, complete with exploit code. If an attacker finds a system running unpatched software, it is a trivial exercise to download malware and hack their way in. Misconfigurations can also leave a system exposed to attackers.
3. Software developers continue to create vulnerable applications, and IT teams put them into production. Lack of awareness and education around secure coding practices, combined with a perception that building secure software takes longer and costs more was how SQL injection came to be in the first place. This continues today.
Groups such as OWASP have published excellent educational materials on how to code securely and cost justify the investment in secure coding practices. The group has made tremendous headway, but everyone in the software world needs to pay attention for the problem to stop growing.
4. Web application firewalls (WAF) have been broadly deployed as a once-and-for-all solution to SQL injection. While a WAF can be an effective component of a layered defense strategy, it is by no means impenetrable. Most WAFs require a tremendous amount of expert configuration and tuning before they provide much effective protection. If a WAF hasn't been configured to know about a specific vulnerability, it is unlikely to be effective preventing an exploit.
On top of the exposures created by poorly configured WAFs are the evasion techniques attackers have developed to bypass WAFs entirely. Dozens of evasion techniques have been documented with more popping up regularly, and it all comes right up when you search the internet for “WAF evasion."
SQL injection can come in many forms, and can take the form of a sophisticated attack, but the vast majority of successful attacks don't need to go beyond the basics. We have the techniques and technologies at our disposal to put a stop to SQL injection. The IT world must get educated on the threat and become disciplined about ensuring that all components of an application stack are locked down and secure before deployment.
ALSO RECOMMEND YOU:
No comments:
Post a Comment