
SolarWinds' Database Performance Monitor SQL Injection Detection

For data-driven applications, security is of absolute importance. Virtually all modern tech-driven organizations must treat the protection of sensitive information as an imperative. At SolarWinds, we know that our customers value the premium we put on data security, along with the specific defenses we have in place that keep their data out of the wrong hands. One such defense is SolarWinds® Database Performance Monitor's SQL injection detection.

As all DBAs know, SQL injections are one of the most nefarious threats to a data system. For those less familiar, a SQL injection is an attack that exploits poorly validated or sanitized user inputs as they are used to construct database queries. An injection aims to gain access to or destroy data by using those unsanitized inputs to alter the structure of a SQL query in ways unanticipated by its developer. Of course, destroyed or exposed data is absolutely unacceptable. A SQL injection can be used to attack any type of SQL database, which means that a reliable way to detect and stop injections is vital for a monitoring product.

What does a SQL injection look like?

Let's say your web app asks for USER and PASSWORD and verifies they match using the following query (PHP/MySQL):

$isValidUserQuery = "SELECT 1 FROM users WHERE nick='" . $USER . "' AND pass='" . $PASSWORD . "'";

An attacker may try using

' OR 1=1 --  

as USER. The resulting $isValidUserQuery is:

SELECT 1 FROM users WHERE nick='' OR 1=1 -- ' AND pass=''

... but 1=1 is always true, so the user is considered valid! Because the system's sanitization and validation are sloppy, a simplistic workaround lets an intruder gain access to the system!

So, if you have unsanitized inputs, your web app, site, or other sensitive destination is easily accessible to those whom you'd much rather keep out. And once they're in, the intruder may be able to fetch, modify, and destroy data.

Unfortunately, such attacks and attackers are not rare. Any public-facing site or web app is probed for unsanitized inputs rather frequently by unskilled individuals. A study in 2012 reported, “Most web applications receive 4 or more web attack campaigns per month” while “some websites are constantly under attack.” In one case, the study observed that over the course of 180 days, one website was under attack 98% of the time.

Fortunately, though unskilled attackers will be able to trigger injections, they most likely will be unable to exploit them. However, the moment a skilled hacker is the one doing the probing, you're totaled. Knowing that, hopefully the frequent-but-unskilled probes will bring prompt attention to the faulty components that use unsanitized inputs.

With Database Performance Monitor (DPM), we've actually built our SQL injection detection as part of our Query Analysis feature, and you can view the results of the detection as part of the Query Analysis dashboard.

In Sample Info, if "Failed Rules" reads "Evidence of SQL injection," you'll know you need to take action. The detector behaves according to a powerful rule, and customers have already benefitted from its efficacy. (We won’t detail the rule here, publicly, for obvious reasons.) Such a rule detects the simplest and most common case of injection, and as we gather more information, it will set a strong basis for adding further rules in the future.
We hope that if you have any questions about how DPM handles data security or about the systems we've put in place to protect our systems, you won't hesitate to ask.
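
The login check from the walkthrough above, as an added example that is not from the original post or from SolarWinds: it rebuilds the concatenated query in Python against an in-memory SQLite database (standing in for the page's PHP/MySQL) and sets it beside a parameterized version. The table rows, the function names, and the o'brien account are constructed for illustration.

```python
import sqlite3

# The USER value from the page's walkthrough (trailing space after "--" included).
PAGE_INPUT = "' OR 1=1 -- "

def make_db():
    """In-memory table shaped like the page's users(nick, pass); rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (nick TEXT, pass TEXT)")
    # Plaintext passwords only mirror the page's query; real systems store hashes.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("o'brien", "staple")])
    return db

def build_concatenated_query(user, password):
    """Same construction as the page's $isValidUserQuery: input becomes SQL text."""
    return ("SELECT 1 FROM users WHERE nick='" + user +
            "' AND pass='" + password + "'")

def is_valid_user_concatenated(db, user, password):
    """The 'before' version: the query's structure depends on the input."""
    return db.execute(build_concatenated_query(user, password)).fetchone() is not None

def is_valid_user_parameterized(db, user, password):
    """The 'after' version: placeholders bind input as values, never as SQL."""
    row = db.execute("SELECT 1 FROM users WHERE nick = ? AND pass = ?",
                     (user, password)).fetchone()
    return row is not None

def apostrophe_breaks_concatenation(db):
    """A legitimate nick containing a quote is a syntax error when concatenated."""
    try:
        is_valid_user_concatenated(db, "o'brien", "staple")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(build_concatenated_query(PAGE_INPUT, ""))
    print("concatenated accepts page input: ", is_valid_user_concatenated(db, PAGE_INPUT, ""))
    print("parameterized accepts page input:", is_valid_user_parameterized(db, PAGE_INPUT, ""))
    print("parameterized accepts o'brien:   ", is_valid_user_parameterized(db, "o'brien", "staple"))
    print("concatenated fails on o'brien:   ", apostrophe_breaks_concatenation(db))
```

The syntax errors that legitimate apostrophes cause in a concatenated query are often the first visible sign, in application and database logs, that a query is built from unsanitized input.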
SolarWinds