As seen from the previous articles, SQL injection has the ability to attack a web server database, compromise critical information, and expose the server and the database to a variety of malicious exploits; however, there are measures that can be applied to mitigate SQL injection attacks.
Use of these practices does not guarantee that SQL injection can be completely eliminated, but they will make it more difficult for hackers to conduct these attacks. The protective actions are summarized as follows:
- Allow only known good input.
- Append and prefix quotes to all client inputs.
- Check for accounts with weak or old passwords.
- Check to make sure that numeric inputs are integers before passing them to SQL queries.
- Eliminate unnecessary accounts.
- Employ needed stored procedures with embedded parameters through safe callable interfaces.
- Ensure that patches on the server are up to date and properly installed.
- Limit the use of dynamic SQL queries, if possible.
- Limit user inputs to one query, preventing multi-statement attacks.
- Monitor logging procedures.
- Practice the principle of least privilege regarding access to the database.
- Remove stored procedures that are not needed. Candidates include xp_sendmail, sp_makewebtask, master..xp_cmdshell, and xp_startmail.
- Run database applications from a low-privilege account.
- Sanitize client-supplied input by allowing only the smallest character set the application needs, beginning with numbers and letters. If it is necessary to accept symbols, convert them to their HTML substitutes.
- Screen input strings from users and URL parameters to eliminate single and double quotes, semicolons, back slashes, slashes, and similar characters.
- Set appropriate privileges for stored procedures.
- Set security privileges on the database to the least needed.
- Use bound parameters: write the SQL statement with a placeholder such as ? for each parameter, prepare (compile) it once, and execute the prepared statement later with the actual parameter values.
Automated SQL Injection Tools
A series of automated tools have been developed for finding SQL injection vulnerabilities and supporting SQL injection attacks. A summary of a number of the popular SQL injection tools along with a brief description of their function is given as follows:
- 1) SQLMAP – One of the most popular open source penetration testing tools for detecting and exploiting SQL injection flaws. It is installed by default in every version of Kali Linux. SQLMap can also be integrated with Burp Suite, an intercepting proxy tool.
Download Link – https://github.com/sqlmapproject/sqlmap
- 2) BBQSQL – One of the best-known blind SQL injection exploitation tools, written in Python, with an interactive UI that makes setting up attacks much easier.
Download Link – https://github.com/Neohapsis/bbqsql
- 3) SQLiv – Not an exploitation tool but a scanner: it searches the whole Internet for SQL injection dorks through Bing, Google or Yahoo, using a reverse-domain scanning algorithm.
Download Link – https://github.com/Hadesy2k/sqliv
- 4) The Mole – A command-line SQL injection exploitation tool written in Python, able to exploit both union-based and blind boolean-based injections.
Download Link – https://github.com/tiankonguse/themole