In any organization, a database plays a crucial role in the creation and management of data. But when it has to go online, as a back-end database for your website for instance, business owners don’t really know if they let their database vulnerable to cyber attack. Such a question is getting more sensitive now that SQL injection attacks are on the rise.

Then, it is worth checking that an automated SQL injection program cannot gain total control over your database and let anyone retrieving information that they are not supposed to. There are many ways to hack a database but one of the most popular is by far the “SQL Injection” (pronounce Sequel injection). It is also the most destructive.

What is SQL Injection?

SQL injection (SQLi) attacks are the most popular form of web application attacks used by hackers on the Internet. It has been known by the developer community since the 1990’s. However, many SQL injection problems potentially remain undetected due to the lack of proper testing methodology.

In short, SQL injection is used to gain unauthorized access to a database. The basic idea behind SQL injection is that an attacker manipulates data passed into a web application to modify the query that is run in the back-end database. It allows the attacker to change the behavior of the SQL statement that gets constructed by the web application to retrieve, insert, update or delete some parts or the full content of a database.

  • Is it legal?

Unless you’re given proper authorization by a website owner – as part of a formal security audit or “white hat” penetration testing – you cannot do SQL injections without breaking the law as it is considered as unauthorized access. Today, in most countries, public websites are covered by the equivalent of the existing US Computer Fraud and Abuse Act. This would cover pretty much all “hacking” attempts, including SQL injection attacks. In addition, hackers may be liable for civil damages as well as criminal prosecution.

  • Is it common?

SQL injection attack is one of the oldest, most prevalent, and most dangerous forms of cyber-attacks on the net today. Moreover, SQL injection attacks are on the rise now. Free and sophisticated automated SQL injection programs facilitate the task of hackers. It is easier to find database vulnerable to cyber attack now than ever before.

Not sure you are concerned?

To be successful, an SQL injection needs a vector and a target. A hacker needs a vulnerable user controllable input within your web application as a vector. This is where he will insert the malicious code that will query the database. The target can be any SQL based relational database in the back-end of a website. Since many websites are based on WordPress, Joomla or Drupal frameworks, there is a high probability that you run a database. Based on the terms and condition of your hosting company, there a good chance that, without noticing, you agreed to maintain your website and keep it clean. Unfortunately, these frameworks use third-party themes or plugins that sometimes introduce SQLi vulnerabilities on your website. The question of your responsibility may arise in case of serious problem involving the security of your website.

How do you detect an SQL injection?

When you can detect it, it’s already too late ! Some attackers prefer to stay low profile and maintain a regular access to a database without damaging anything. It is probably the most difficult to detect and problematic from the customer perspective. Today, most internet users have no way to know if the database they’re signing into has been compromised.

What about the website firewall?

If you find advertisement trying to make a point that their product can offer protection to a database vulnerable to cyber attack, it is simply a lie. The truth is firewalls and other security mechanisms are useless against SQLi attacks. A firewall doesn’t understand the details of high-level protocol as HTTP that runs the web. It is just like trying to catch a drug dealer with a metal detector. The concept of a website with a back-end database is that any visitor has access to the database. The website is just a way to display nicely the requested information that it will find in the database.

How can it affect your business?

The direct impact of an SQL injection attack on your business is quite simple to understand. If the database is unrecoverable, the loss can be very problematic. In term of reputation, you loose some of your credibility. And financially, you may have to pay important fines to the regulators. Some cases of SQL injection attacks try to take control of the server of your web hosting company. Then, the hacker will try to access databases of other websites hosted by the same server. This kind of situation would probably engage your responsibility at some degree.

What can be done?

Let’s get a FREE CONSULTATION right now! Just fill in the form and within 48h you’ll get an Ethical Hacker certified by the EC-Council making a quick review of your website.

A Certified Ethical Hacker is trained to look for weaknesses and vulnerabilities using the same knowledge and tools as malicious hacker but in a lawful and legitimate manner to assess the security posture of a website.

The International Council of E-Commerce Consultants (EC-Council), is the world’s largest cyber security technical certification body.