SQL injection is a chronic ailment. How can security experts help?

Source: Internet
Author: User

The State of SQL Injection Attacks

SQL injection is a very old attack technique. Yet because so many applications carry SQL injection vulnerabilities, and because the injection techniques themselves are so varied, news of losses caused by SQL injection keeps coming, even though large enterprises generally spend huge sums on a variety of security protection systems:

- SQL injection on a Hong Kong Airlines site (involving 1.56 million passengers, 2.68 million air tickets, and more than eight thousand employees).
- A SQL injection vulnerability in the Sinopec che e app (which could span 9 databases).
- SQL injection at Haier's sunsunshun mall, which could leak the information of 3 million of its members.
- The Handan city MIIT vulnerability, which threatens a large amount of personal information, amounts and other data (a million-user data leak).
- China Telecom wing payment system vulnerabilities, which leak 4 million users' information, payment transaction details (supermarket shopping, gas station fuel) and recharge data.

These examples show that SQL injection remains both the focus and the hard part of application security protection. Why does such an old attack technique still cause so much damage when security software is so abundant today? I think there are the following reasons:

SQL injection vulnerabilities exist at scale: systems keep getting more complex, release cadences keep accelerating, and code defects are plentiful. Many companies do not pay enough attention to security, and shipping with known defects is very common.

Relational databases are currently the most popular form of storage, and most valuable information is kept in them. This is too tempting a target for attackers.

Attack techniques are not hard to find. The Internet carries a huge number of SQL injection tutorials and tools, so an attacker can easily find a working method.

Principles of SQL Injection

SQL injection: inserting SQL commands into the query string of a web form submission, a domain name or a page request input, so that the server is tricked into executing the attacker's SQL commands.

More specifically, it uses an existing application to inject (malicious) SQL commands into the back-end database engine for execution. By entering (malicious) SQL statements into a web form, an attacker can obtain database information from a site with security vulnerabilities, instead of the database executing only the SQL statements the designer intended.

First, let's look at when SQL injection may occur:

Suppose we enter the URL www.sample.com in the browser. Because this is only a simple request for a page, with no dynamic query against the database, there is no SQL injection. When we enter www.sample.com?testid=23, we pass the variable testid in the URL and give it the value 23. Because this request dynamically queries the database (?testid=23 indicates the variable used in the database query), we can embed malicious SQL statements in the URL. For example, requesting www.sample.com?testid=23 OR 1=1 turns a query of the form WHERE testid = 23 into a condition that is true for every row.

The specific examples and detailed principles will not be covered here. If you are interested, search Google or Baidu, where plenty of examples and attack methods are available.

Common Protection Methods for SQL Injection

The main protection methods are as follows:

Use prepared statements (parameterized queries) instead of plain Statements. This requires every database developer to separate code from data when writing SQL queries: the structure of the query is defined first, and the input parameters are bound as data rather than executed as SQL commands, which basically eliminates SQL injection.

Use stored procedures to operate on the database: all stored procedures live in the database, and the application calls them to query data. Note that a stored procedure which builds dynamic SQL from its arguments is just as injectable as application code that does the same.

Escape all special characters in user input, and never trust user input. Validate input with regular expressions or length limits, and convert single and double quotes. These measures mitigate SQL injection to some extent, but escaping only protects values that land inside a quoted literal; an unquoted numeric parameter such as testid is still injectable.
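As an added example (not code from the original article), here is the ?testid=23 lookup described earlier written three ways in Python against an in-memory SQLite database with constructed sample rows: by string concatenation, with quote escaping, and as a parameterized query. The table, column and function names are assumptions made for this illustration. It also demonstrates the caveat from the escaping paragraph: doubling quotes protects the quoted string column, but the unquoted numeric parameter still accepts injected SQL, while the parameterized version treats the same payload as plain data.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the article's ?testid=23 lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (testid INTEGER, passenger TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)",
                     [(23, "alice"), (24, "bob"), (25, "carol")])
    return conn


def lookup_concat(conn, testid):
    """VULNERABLE: the request value is pasted into the SQL text, so whatever
    the user typed after ?testid= runs as SQL instead of being compared as a value."""
    sql = "SELECT passenger FROM tickets WHERE testid = " + testid
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    """The 'escape special characters' mitigation: double every single quote so
    the value cannot terminate the string literal it is placed in."""
    return value.replace("'", "''")


def lookup_escaped(conn, passenger, testid):
    """STILL VULNERABLE: escaping protects the quoted passenger literal, but the
    unquoted numeric testid needs no quote to break out of, so injected SQL
    there still rewrites the WHERE clause."""
    sql = ("SELECT passenger FROM tickets WHERE passenger = '"
           + escape_quotes(passenger) + "' AND testid = " + testid)
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, testid):
    """SAFE: the statement structure is fixed before any value is seen; the
    driver binds testid as data, so it can never add clauses. A value such as
    '23 OR 1=1' is compared as text against the INTEGER column and matches
    nothing (validating it as an integer up front would reject it even earlier)."""
    rows = conn.execute("SELECT passenger FROM tickets WHERE testid = ?", (testid,))
    return [row[0] for row in rows]


def demo():
    """Run the three variants against a benign value and constructed payloads."""
    conn = make_db()
    return {
        "concat benign":    lookup_concat(conn, "23"),
        "concat payload":   lookup_concat(conn, "23 OR 1=1"),
        "escaped string":   lookup_escaped(conn, "x' OR '1'='1", "23"),
        "escaped numeric":  lookup_escaped(conn, "alice", "0 OR 1=1"),
        "prepared benign":  lookup_prepared(conn, "23"),
        "prepared payload": lookup_prepared(conn, "23 OR 1=1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17s} -> {result}")
```

The "escaped numeric" case is the one to remember: the payload 0 OR 1=1 contains no quote at all, so quote escaping has nothing to act on, and the whole table comes back. Only the parameterized form keeps the statement's structure independent of the input.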

There are also some auxiliary methods:

- Connect to the database with the lowest privileges needed, and give each application its own account restricted to the database it requires.
- Do not store confidential information in plain text; encrypt or hash passwords and other sensitive information.
- Expose as little as possible in application error messages. It is best to wrap the original error in a custom message and store the exception details in a separate table.

RASP Fundamentally Solves SQL Injection Attacks

The methods above are very useful, but they share a drawback: they require a great deal of effort to develop coding standards and to get every programmer to follow them. Today's programs are extremely complex, with millions of lines of code written by many programmers working together, and it is practically impossible for every programmer to write code that fully complies with the security standard. Some companies use third-party code scanning tools to perform static and dynamic scans and try to find and fix every SQL injection vulnerability, but in practice this is not ideal; the following constraints make it difficult:

- The code base is huge; fixing every vulnerability completely takes so much effort and time that it is basically impossible in most companies.
- Scanner vulnerability signatures lag behind, and many vulnerabilities are not covered in time.
- Even if everything is fixed, new vulnerabilities appear after the next release.
- A project typically uses many third-party APIs and frameworks whose vulnerabilities cannot be fixed in-house; even when the vendor promises a fix, it takes a long time.

Currently there are many security products, including traditional firewalls and WAFs (web application firewalls). These products protect based on scanning the data flow and do not understand the application's context, so they cannot precisely identify attack behavior, let alone protect effectively. In addition, as cloud computing becomes more popular, traditional network topologies with clear boundaries are becoming rarer, so these products do not work well against application-layer attacks such as SQL injection.

So what do security experts recommend? RASP (Runtime Application Self-Protection), an application security approach that has become very popular recently. It protects the application from the inside while it runs, combining real-time code vulnerability detection with a web firewall's ability to intercept attacks in real time. Like a vaccine, it injects security protection code into the application: the user does not need to modify any code, only the JVM startup script, so that the protection loads together with the application. Because it runs inside the application and has the application's context, it can monitor and protect based on specific user behavior, precisely identify and block attacks, and minimize the impact on performance and user experience.
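To make the "has the context of the application" point concrete, here is an added example in Python (my own illustration, not OneRASP's or any vendor's actual implementation) of a runtime hook of the kind the paragraph above describes. It wraps the database cursor so that every statement is checked against the current request's parameters before the driver sees it: if a parameter value appears in the SQL text spanning more than one token, the input has escaped its literal and changed the statement's structure, so the call is blocked. The lexer, the GuardedCursor class, the handler and the sample rows are all constructed for this illustration; a real agent would hook the JDBC Statement classes the text mentions and lex the target database's own SQL dialect.

```python
import re
import sqlite3

# Minimal SQL lexer: each alternative is one token class. A string literal with
# the standard '' escape is one token; an unescaped quote ends the literal early
# and the remainder lexes as extra tokens, which is what the check looks for.
_TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'               # single-quoted string literal
    | "(?:[^"]|"")*"               # double-quoted identifier
    | --[^\n]*                     # line comment
    | /\*.*?\*/                    # block comment
    | \d+(?:\.\d+)?                # numeric literal
    | [A-Za-z_][A-Za-z0-9_]*       # identifier or keyword
    | <>|<=|>=|!=|[-+*/=<>(),.;]   # operators and punctuation
    | \S                           # anything else, e.g. a stray quote
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (start, end, text) spans of the tokens in sql; whitespace is skipped."""
    return [(m.start(), m.end(), m.group()) for m in _TOKEN_RE.finditer(sql)]


def find_structural_injection(sql, request_params):
    """Return (name, value) for the first request parameter whose value occurs in
    the SQL text across more than one token, i.e. input that became part of the
    statement instead of staying inside one literal; None if all values are safe."""
    tokens = tokenize(sql)
    for name, value in request_params.items():
        if not value:
            continue
        for m in re.finditer(re.escape(value), sql):
            start, end = m.span()
            covering = [t for t in tokens if t[0] < end and t[1] > start]
            if len(covering) > 1:
                return name, value
    return None


class GuardedCursor:
    """Hypothetical in-process hook: a DB-API cursor wrapper that knows the
    current request's parameters, which is exactly the context a WAF lacks."""

    def __init__(self, cursor, request_params):
        self._cursor = cursor
        self._params = request_params

    def execute(self, sql, *args):
        hit = find_structural_injection(sql, self._params)
        if hit is not None:
            raise PermissionError(f"blocked: {hit[0]}={hit[1]!r} altered SQL structure")
        return self._cursor.execute(sql, *args)

    def fetchall(self):
        return self._cursor.fetchall()


def make_demo_db():
    """Constructed sample rows for the article's ?testid=23 lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (testid INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)", [(23, "alice"), (24, "bob")])
    return conn


def handle_request(conn, request_params):
    """Deliberately vulnerable handler (string concatenation, as in the text) whose
    only change is that it executes through the guarded cursor."""
    sql = "SELECT owner FROM tickets WHERE testid = " + request_params["testid"]
    cur = GuardedCursor(conn.cursor(), request_params)
    try:
        cur.execute(sql)
        return [row[0] for row in cur.fetchall()]
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    db = make_demo_db()
    for params in ({"testid": "23"}, {"testid": "23 OR 1=1"},
                   {"testid": "1; DROP TABLE tickets"}):
        print(params, "->", handle_request(db, params))
```

The application code stays as broken as before; the hook sees both the final SQL and the parameters that produced it, which is why it can tell 23 (one numeric token) from 23 OR 1=1 (five tokens) without any signature. This toy check errs toward blocking: a very short parameter value can match text elsewhere in the statement, and a production agent would also need to track which parameters actually flowed into which statement.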

RASP is well suited to SQL injection protection. It acts like a large virtual patch that covers most known SQL injection vulnerabilities, so that most attacks become ineffective. Currently, OneRASP is the only product known in China to provide this capability.

OneRASP will establish a real-time vulnerability update system that delivers the latest vulnerability updates promptly, without affecting the user's system, so that users can defend against zero-day attacks in a timely and effective manner.

OneRASP can defend against unforeseen SQL injection techniques. Common protection methods are usually generic, while each database implements SQL differently, so generic methods inevitably miss cases, and any omission in security is fatal: attackers exploit any opportunity to obtain confidential information. OneRASP provides complete SQL injection protection. It embeds its protection code at the point where SQL injection attacks land, the JDBC vendor's implementation class of Statement. Each protection action in that class is written on the basis of a complete understanding of the database's SQL implementation, considering every type of SQL injection attack, so that full protection against SQL injection is achieved at the root.

OneRASP is the latest RASP (Runtime Application Self-Protection) solution launched by OneAPM, a leader in application performance management, and the first RASP security product in China. Its stability, accuracy and ease of use, with little impact on application performance and usage, have impressed many developers. However, because it is a new product, it still needs time to prove itself. If you are interested, visit the official OneASP website.
