SQL Injection is Still a Critical Attack Vector

First exploited more than 20 years ago, SQL injection is still one of the easiest ways for an attacker to read, modify, or destroy the contents of an application's database. Attackers continuously scan internet-facing applications for injectable parameters.

Why SQL injection?

  • SQL injection attacks are cheap and easy to execute, often requiring nothing more than a browser and a few crafted inputs, while the consequences for the victim can be severe. That combination keeps the technique popular with attackers.
  • Most applications today are data-driven and reachable over the web, so SQL injection flaws are common and easy to find and exploit. Shared database infrastructure makes matters worse: one injection flaw in one application can expose data belonging to every other application hosted on the same database server, as far as the compromised application's database account can reach.
  • Through SQL injection, attackers extract and disclose sensitive data, delete or corrupt database content, impersonate other users (for example by bypassing login checks), alter transactions, and escalate privileges, in the worst case gaining administrative control of the database server.

Recent SQL injection attacks

  • Recently, threat actors stole email addresses and password hashes of 8.3 million Freepik and Flaticon users in an SQL injection attack on the Flaticon website. Since the breach, Freepik has moved to hashing all user passwords with bcrypt and is carrying out a full audit of its internal and external security systems with external security experts.
  • Hackers were observed actively targeting SQL injection vulnerabilities in the Discount Rules for WooCommerce WordPress plugin. A surge of attacks from a single IP address attempted to inject a script into a WooCommerce template hook. Besides SQL injection, the plugin has had multiple other vulnerabilities, including authorization issues and unauthenticated stored cross-site scripting (XSS).
  • Several Stanford students signed up for Link, a website that matches users with their crushes. The site turned out to be vulnerable to SQL injection, which may have compromised the data of many of its users. A daily newspaper received an email from an anonymous individual containing user data from the site, with an attached spreadsheet listing the email addresses, names, and crushes of about 100 users; the individual also shared screenshots and a screen-recorded video of the alleged hack.

Here’s a tip

Adopt strategies that make the application handle untrusted input safely. The simplest and most effective defense is to keep user input from ever being interpreted as SQL in the first place: never build queries by concatenating strings, use parameterized queries (prepared statements) for every query that involves user-supplied data, and run the application under a database account that has only the privileges it needs, so that a flaw that slips through cannot be turned into full control of the database server.
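As an added example (not code from the article or from any of the products it mentions), here is a minimal Python/SQLite demonstration of two of the attacks listed above, login bypass and data extraction, against a query that splices user input into SQL text, beside the parameterized version that the tip above recommends. The users table, its records and the two payloads are constructed for the example and assume nothing beyond the Python standard library.

```python
import sqlite3

# Constructed sample data (assumed for this example, not taken from the article).
SAMPLE_USERS = [
    ("alice", "hash_a", "admin"),
    ("bob", "hash_b", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " password_hash TEXT NOT NULL,"
        " role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: untrusted values are spliced into the SQL text.

    Whatever the caller passes is parsed as SQL, so quote characters,
    comment markers and UNION clauses in the input change the query.
    """
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """Hardened: the query text is fixed; values are bound by the driver.

    The database receives the SQL and the parameters separately, so a
    quote or comment marker inside a parameter is treated as data.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Two classic payloads, both supplied in the username field.
# 1. Close the string and comment out the password check: log in as a
#    named user without knowing the password (identity forgery).
AUTH_BYPASS = "alice' --"
# 2. Close the string, UNION in a SELECT over every password hash, and
#    comment out the rest of the original WHERE clause (data extraction).
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"


def demo():
    """Run both login functions against both payloads and a legitimate login."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, AUTH_BYPASS, "wrong"),
        "safe_bypass": login_safe(conn, AUTH_BYPASS, "wrong"),
        "vulnerable_dump": login_vulnerable(conn, UNION_DUMP, "wrong"),
        "safe_dump": login_safe(conn, UNION_DUMP, "wrong"),
        "safe_legit": login_safe(conn, "bob", "hash_b"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the first payload returns alice's admin row with a wrong password, and the second returns every username and password hash in the table; the parameterized function returns no rows for either payload and still authenticates a legitimate user. Deleting data via a stacked `; DROP TABLE ...` statement is not shown because Python's sqlite3 `execute()` refuses to run more than one statement per call; other database drivers do not all impose that limit, which is why least privilege on the application's database account matters as a second layer.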