David Strom – How to Hack a Web Site and How to Secure It

Your web site might be the love of your life or your business, and it could also be the love of a hacker who feels he or she can get vital information from it by hacking it. David Strom writes – While there are many Web hacking exploits, none are as simple or as potentially destructive as what is known as SQL injection. This isn’t something new, but what is new is how frequently this attack happens, and how easily you can protect your network with relatively little effort and cost.
I did a scan of the existing literature and was amazed to find an article dating back several years on the subject. But nothing really takes you step-by-step and shows you how easy the exploit is. I was able to do it on some random site with a quick Google search and a couple of commands. All told, it took me a few seconds.
The problem is that Web developers tend to think that database queries are coming from a trusted source, namely the database server itself. But that isn’t always the case, and a hacker or even a casual browser can often take control over the Web server by entering commands that appear to be valid SQL commands in the right places. The trick is finding the right places.
There are two situations where the Web and databases intersect that are relevant for our discussion on SQL injection:
— Places that directly enter database parameters into the URL itself, or
— Fill-in forms on Web pages that will take this information and pass it along to the database server.
Think about this for a moment. There are probably dozens, if not hundreds, of places across your various Web sites that fit these two situations. Can you test them all to make sure your developers did everything possible to lock things down?
Think of the Web browser as an extended keyboard that is operated across the Internet, but directly connected to your database server in your data center. Indeed, that is a good picture to keep in mind, because by the time a SQL injection exploit is finished, it will seem as if the hacker is directly typing in commands to your servers.
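The following is an added example, not code from the article or from Strom’s white paper. It shows the two situations just described side by side: a lookup that splices browser input straight into the SQL text (the “extended keyboard” problem) and the same lookup written with a bound parameter, so the database only ever treats the input as a value. The table, the user rows and the input strings are all constructed for the demonstration; the database is an in-memory SQLite file so it runs offline.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny in-memory user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The pattern the article warns about: text typed into a URL parameter or
    # form field is concatenated into the statement, so the database cannot
    # distinguish the developer's query from the visitor's input.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Hardened form: the statement text is fixed at development time and the
    # input travels separately as a bound parameter. Whatever the visitor
    # types is compared as a string value and never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    conn = make_db()
    normal = "alice"
    # A constructed input that, if concatenated, turns the WHERE clause into
    # an always-true condition and returns every row in the table.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running the block shows the difference directly: the concatenated query returns one row for a normal username but every row for the crafted input, while the parameterized query returns one row for the normal username and nothing for the crafted one, because no user is literally named `x' OR '1'='1`. The fix is the same in every language and database driver: keep the SQL text constant and pass user input only through the driver’s parameter mechanism.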
In a white paper that I wrote for Breach Security, I show you exactly how easy this exploit is. You don’t need any specialized tools other than a Web browser, and you don’t need any specialized skills either.
It doesn’t take much time, and the payoffs could be huge: an intruder could easily obtain a copy of your most sensitive data in about the time it takes to read through this analysis.
The paper walks you through what is involved with a SQL injection exploit, using examples of both a Web site that I found at random as well as one that had previously been compromised with the hackers publicly describing their methods in a Russian post on the Net. I show you the consequences of doing nothing and leaving this front door wide open for anyone to walk into your data center. Finally, I talk about ways that you can prevent this from happening in the future, and what choices you have to protect your Web sites and corporate networks.
The paper can be downloaded here.