SQL INJECTION ATTACK
SQL injection is a type of code injection technique. It was listed as one of the top 10 web application vulnerabilities of 2007 and 2010. SQL injection is used to attack data-driven applications: malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software. SQL injection is well known as an attack vector for websites, but it can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
According to the statistics we found, SQL injection was the most common attack, representing almost 1/3 of the total number of attacks. SQL injection is used to reach sensitive information or to run OS commands for further penetration of the system.
Top 10 attacks on web applications
If the attacked companies are divided into government entities, financial services companies, IT companies, and educational institutions, we found that in half of the attacks on government entities the goal was to get access to important data. This is why attacks were directed either against application users or at obtaining access to databases containing such information.
Top 5 attacks on government web applications
When targeting financial services companies, attackers' main aim was generally to steal money. Most attacks tried either to get access to sensitive data or to get control over the server. In particular, the Path Traversal attack can lead to disclosure of data such as the server configuration, application source code, identifying information of OS users, and more. This data can then be used to develop the attack further. Path Traversal is used rather frequently to assist in other, larger attacks, because it does not need much in the way of preparation.
Top 5 attacks on web applications of financial services companies
Attacks on IT companies are broadly similar, being dominated by SQL Injection and Cross-Site Scripting, which are the main attacks across all sectors. SQL Injection can, in addition to obtaining information, be used for other purposes such as defacing websites. Cross-Site Scripting can be used to infect user workstations with malware. Such incidents carry a high reputational risk for IT companies, especially for those in the security field.
Top 5 attacks on web applications of IT companies
Attackers against educational institutions are oftentimes students themselves, whether trying to access data (most often, exams) or to actively modify it (such as exam grades and scholarship lists). The most common attack in such cases is Cross-Site Request Forgery. With this technique, an attacker can create a special page that contains a request to a vulnerable application; the purpose is to perform actions with the authority of a legitimate user. However, the results in this category are vulnerable to statistical noise due to the small sample size.
Top 5 attacks on web applications of educational institutions
To discuss the impact of SQL injection attacks, consider the case where an IT department finds a huge spike in queries to its website together with related error messages; it can correctly suspect an SQL injection attack. In such an attack, an attacker sends deliberately malformed requests to a company's website in the hope that the server will malfunction and either return non-public data in response to the request or grant the attacker deep, administrative access to the server. The main impact of SQL injection attacks can be separated into different parts. The first is confidentiality: since SQL databases generally contain important data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities. The second is authentication: if poorly written SQL commands are used to check usernames and passwords, it may be possible to connect to a system as another user without knowing that user's username and password. Next is authorization: if authorization information is held in an SQL database, it may be possible to change that data through successful exploitation of an SQL injection vulnerability. Lastly, integrity: just as it is possible to read sensitive data, it is also possible to make changes to or delete that information with an SQL injection attack.
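The authentication impact described above, shown as an added example that is not part of the original text: a login check built by string concatenation beside its parameterized replacement, run against a constructed in-memory SQLite table (the user name, password and table layout are all assumed sample data). A stray quote in the input breaks the concatenated query and surfaces the kind of database error the text mentions, and the classic tautology passes the concatenated check without the password, while the parameterized version treats both inputs as plain data and simply finds no matching row.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with one demo user (sample data, not a real system).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    # The query text is built by concatenation, so the input becomes SQL syntax.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the driver binds the values as data, never as SQL text.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def quote_breaks_query(conn, username):
    # A single quote in the input (a typo or a probing request) breaks the
    # concatenated query and raises the database error an operator would see in logs.
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True


def compare(username, password):
    # Run the same credentials through both versions and report who gets logged in.
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "safe": login_safe(conn, username, password),
    }


if __name__ == "__main__":
    print(compare("alice", "correct horse"))   # both versions accept valid credentials
    print(compare("alice", "' OR '1'='1"))     # only the concatenated version logs in
    print(quote_breaks_query(make_db(), "o'brien"))  # True: error from the vulnerable path
    print(login_safe(make_db(), "o'brien", "x"))      # None: no error, just no match
```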