Security Guide

Theft by SQL Injection

**Warning** You are about to learn a technique for compromising an information system called SQL injection. Do not try it on existing systems. SQL injection attacks leave log entries with your IP address attached. Attempting SQL injection on a system without permission is illegal. You can be identified, tracked, and charged. Felony hacking convictions are not resume builders.

SQL injection is a popular way to steal data because it can be done from anywhere in the world. You don't even need to physically enter the target country. You need some smart people with time to invest and a couple of modest computers. From a criminal's point of view it's a low-risk and high-reward proposition.

SQL injection is a criminal attack on an information system to illegally extract data from a database. It can add or delete data, drop tables and their data, and even shut down an information system. And, because it can be done from anywhere in the world, criminals can rob from countries that don't extradite criminals, such as Russia, China, North Korea, and others.

Criminals have caught on to theft-by-SQL-injection. Imperva, an enterprise data security firm, listed the following key findings in its 2013 Imperva Web Application Attack Report:

1. Retailers suffer two times as many SQL injection attacks as other industries.
2. Most Web applications receive four or more Web attack campaigns per month, and others are constantly under attack (176 out of 180 days).
3. One Web site received 94,057 SQL injection attack requests in one day.

Let those numbers sink in: Your corporate Web site is likely being attacked on a regular basis.

How Does SQL Injection Work?

SQL injection, as it sounds, is a way of inserting your own SQL code into someone else's information system. To understand this, consider what happens when you normally log in to a Web site. You enter your username (JohnDoe001) and a password (password1234) and then press the Enter key.

[Figure: a login form with the fields Username: JohnDoe001 and Password: password1234, whose contents are passed on to SQL]
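The login described above, as an added example (not code from the page): the same check written the vulnerable way, with the form fields pasted into the SQL text, and the safe way with a parameterised query. The sqlite3 database, the users table and the O'Brien test name are constructed for the demonstration.

```python
# Added example, not from the page. sqlite3 stands in for the Web site's
# database; the users table holds the page's sample credentials. Clear-text
# passwords only mirror the page's description; real systems store hashes.
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('JohnDoe001', 'password1234')")
    return conn


def build_unsafe_sql(username, password):
    """Vulnerable pattern: the form fields are pasted into the statement text,
    so whatever the visitor typed reaches the SQL parser as program, not data."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_unsafe(conn, username, password):
    return conn.execute(build_unsafe_sql(username, password)).fetchone()[0] == 1


def login_safe(conn, username, password):
    """The fix: a parameterised query. The SQL text is fixed when the code is
    written; the driver binds both values as data, so input cannot alter it."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] == 1


def input_reaches_sql_parser(conn, username):
    """True if the unsafe path treats the username as SQL. A name with an
    apostrophe (O'Brien) is enough: the quote closes the string literal and the
    rest is parsed as SQL, which here surfaces as a syntax error."""
    try:
        login_unsafe(conn, username, "anything")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(login_safe(db, "JohnDoe001", "password1234"))  # True
    print(login_safe(db, "O'Brien", "anything"))         # False: unknown user
    print(input_reaches_sql_parser(db, "O'Brien"))       # True: input became SQL
```

The parameterised version simply reports an unknown user for O'Brien, while the concatenated version hands the apostrophe to the SQL parser, which is exactly the door an injection walks through.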