SQL Injection Attacks

SQL injection is an attack on databases carried out through websites. It works by inserting malicious code into user input, which is then passed to an instance of SQL Server for execution. The injection follows the path of user input into the system, exploiting loopholes that developers have inadvertently left in the input validation of the database; because nothing checks or validates the input, the attacker's commands are passed straight to the database. A SQL injection attack is a very serious threat because it gives the attacker access to an application's data. The attacker can then read private data from the database, manipulate it, or even delete the entire database, causing the application to stop working and costing the company the trust and revenue of its customers. The best way for a company to protect itself from this type of attack is to implement validation checks in its databases. User input should not run without a prior validation check in place to prevent malicious code from being entered (Ganapathy, 2012). The validation needs to check for all SQL keywords such as SELECT or WHERE. In addition, database permissions need to be established for all users.
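The following is an added example, not code from the paper or its references, showing the loophole described above and how it is closed. A lookup built by string concatenation lets a single quote in the input break out of the string literal, while the parameterized version of the same query passes the input as a value that can never become SQL. The table contents and the hostile input are constructed for the demonstration; SQLite stands in for SQL Server because the defect and the fix are identical in any database driver.

```python
import sqlite3

# Constructed sample data (not from the paper): a tiny users table.
USERS = [("alice", "s3cret", "alice@example.test"),
         ("bob", "hunter2", "bob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates the user's input into the SQL text, so quotes in the
    input change the meaning of the statement (the loophole the paper describes)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so quotes and keywords in the input are data, never commands."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: the leading quote closes the literal and the
    # rest turns the WHERE clause into a condition that is always true.
    hostile = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),    # one row
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "safe_normal": lookup_safe(conn, normal),          # one row
        "safe_hostile": lookup_safe(conn, hostile),        # no such user: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Note that the hostile input contains no SQL keyword such as SELECT or WHERE, so a check that only looks for keywords would not stop it; the parameterized query stops it regardless of what the input contains.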
XPath Injection

XPath injection is a type of attack that exploits XPath, the language used to navigate the structure of an XML document. XPath was designed as a tool to address the different parts of an XML document, while also providing functions to manipulate data strings. XPath uses non-XML syntax in order to insert itself within URIs
References:
Ganapathy, L. (2012). How to Prevent SQL Injection Attack. Retrieved from http://www.thegeekstuff.com/2012/02/sql-injection-attacks/
Dwibedi, R. (2005). XPath Injection in XML Databases. Retrieved from http://palizine.plynt.com/issues/2005Jul/xpath-injection/
dbGreenSQL (n.d.). MySQL Security Best Practices (Hardening MySQL Tips). Retrieved from http://www.greensql.com/articles/mysql-security-best-practices