Last week the folks over at hackregiment.com succeeded in attacking the mysql.com website with multiple blind SQL injections. With the data they collected, the team published the full database table structure on their own site and more or less proved that they could have done serious damage had they wanted to, including sharing detailed records about the site's users. If blind SQL injection is new to you, you can read more about it at https://secure.wikimedia.org/wikipedia/en/wiki/SQL_injection#Blind_SQL_injection
The gist of this approach is that the application's output only hints at whether the injected condition held, so the attacker has to derive the information they want through many queries, each extracting one small bit of information at a time.
The spin the story was given, however, wasn’t fair. To the casual administrator it looks like MySQL is at fault, but that isn’t the case. The bug which allowed the attack was in the front-end web application — if the web app lets the SQL query through, the SQL server will execute it, blindly and as designed. What they really needed to look at was either auditing their code (time consuming and not always possible, but the ideal outcome) or leveraging a Web Application Firewall such as the one the NetScaler provides.
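To make the "bug is in the web app" point concrete, here is an added example (not code from the original post or from mysql.com) of a front-end lookup written the vulnerable way beside its parameterised fix. It assumes a constructed users table and uses sqlite3 as a stand-in for MySQL so it runs offline; the same string-splicing mistake behaves identically against MySQL.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for MySQL so the example runs offline.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO users(name, email) VALUES ('alice', 'alice@example.test');
INSERT INTO users(name, email) VALUES ('bob',   'bob@example.test');
""")


def lookup_vulnerable(name: str) -> list:
    """The front-end splices user input straight into the SQL text.

    Whatever SQL the app lets through, the database executes as written,
    so an input containing quotes can rewrite the WHERE clause. This is
    the class of defect the post describes, not MySQL misbehaving.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in CONN.execute(sql)]


def lookup_safe(name: str) -> list:
    """Parameterised query: the input is bound as a value, never parsed as SQL.

    Quotes in the input are just characters to compare against; the query
    shape is fixed before any user data is seen.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in CONN.execute(sql, (name,))]


if __name__ == "__main__":
    # Constructed boolean probe: the "does this condition hold?" style of
    # input that blind SQL injection leans on, one true/false hint per query.
    probe = "alice' OR '1'='1"
    print(lookup_vulnerable(probe))  # ['alice', 'bob']: the WHERE clause was rewritten
    print(lookup_safe(probe))        # []: no user is literally named that
```

A WAF in front of the vulnerable version can block obvious probes, but only the parameterised form removes the bug; the two are complementary, as the post argues.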
Database security always starts with the application. If you don’t get the app right, you’re going to have big problems. In theory, we all write perfect code that never fails, but in reality there is a reason why banks (who do invest in code audits) also leverage app firewalls. If you haven’t poked into the topic before, take a gander at the age-old but still very relevant OWASP Top 10. Stefan Drege also wrote a good introductory blog on the topic over at the Citrix Community site.
News of the day: see SQL injection attack hits hundreds of thousands of websites. I guess some folks were busy on April Fool’s day…