WDDinc Web Security Blog

Insight from the leader in secure application development

SQL Injection 101 – A Simple Example


When it comes to your website there are a number of different areas that can be exploited. Sometimes these areas are hidden, other times the aspects of your website that are putting you at risk are in plain sight.

Consider a simple search bar located anywhere on your website. A legitimate use of this search control allows a user to submit a word or a phrase that is used to search your company’s SQL database and return information that matches your search.

When a legitimate user submits the search word or phrase, such as typing “web application security” into the search bar on Wikipedia, an SQL query is generated from this submitted data and sent to the database for searching. In other words, the web application that controls the search page communicates with the database through a series of planned commands in order to retrieve matching data.

A hacker may use this same search field, but construct the submitted phrase such that it will request some operation other than a search be performed on the database. They do this with specially crafted SQL commands that the average computer user is unaware of.

The result of this SQL injection could be as benign as returning the version of the database or as devious as erasing the entire database itself. In an even more menacing form, by using a modified request, the hacker might be able to access and return data that has nothing to do with the website itself, such as payroll or credit card data.

Just because hackers can use this type of code injection technique to exploit security vulnerabilities doesn’t mean that you should remove the search control feature from your website. For the average user, a search bar is very valuable! The vulnerabilities exploited by SQL injections occur at the database layer of your web application, so in order to protect your site it is important to have your web application evaluated. An evaluation will detect the SQL injection flaws and determine which web application software is the source of these potentially fatal flaws. A security-aware developer can then repair the flaws. But remember, the first step is always the evaluation.
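As an added example (not code from the original post), here is the search bar's query built both ways: the flaw described above, where the submitted phrase is pasted straight into the SQL text, beside the repaired version that a security-aware developer would write. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table name, sample rows and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample catalogue standing in for the company's search database.
# Only "public" rows should ever be returned by the website's search bar.
SAMPLE_ROWS = [
    ("Web application security", "public"),
    ("Quarterly payroll summary", "internal"),
    ("Card processing notes", "internal"),
]


def make_db():
    """Build the in-memory database used by both search functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """The flaw: the search term becomes part of the SQL text itself.

    A quote character inside the term ends the string literal early, so
    the rest of the input is run as SQL rather than matched as a word."""
    sql = ("SELECT title FROM docs WHERE visibility = 'public' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """The repair: a parameterised query.

    The SQL structure is fixed in advance and the driver supplies the term
    as a value, so quotes in the input can only ever match quotes in titles
    and the visibility filter cannot be switched off."""
    sql = "SELECT title FROM docs WHERE visibility = 'public' AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    # A legitimate search behaves the same either way.
    print(search_vulnerable(db, "security"))
    print(search_safe(db, "security"))
    # A crafted phrase turns the vulnerable query's WHERE clause into one that
    # is always true, so the internal rows leak; the safe query returns nothing
    # because no title actually contains that text.
    crafted = "%' OR '%'='"
    print(search_vulnerable(db, crafted))
    print(search_safe(db, crafted))
```

Running the script shows the vulnerable function returning all three rows, internal ones included, for the crafted phrase, while the parameterised function returns an empty list.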

What features of your website have you concerned about its security? Leave us a comment or a question below!
