Sirius Portal Security: SQL Injection
Vega’s Sirius web portal has been built by a team of expert developers, penetration tested by professionals, and used to protect our customers’ data successfully for decades. As you might imagine from an application with such a track record, Sirius contains many layers of protection against attack. Today we will cover a very common kind of attack, and how Sirius protects against it: SQL injection.
SQL injection attacks have been around for decades, and methods for defending against them are well understood. However, this doesn’t stop successful attacks from happening. There are still large companies having their data stolen using SQL injection. For example, in 2015 a 19-year-old stole the data of more than 150,000 TalkTalk customers, leading to a £400,000 fine for the company! With so much at stake in terms of both money and reputation, it is no wonder that we make sure the Sirius web portal is secured against SQL injection attacks.
A SQL injection attack works by inserting malicious SQL (database code) into some pre-existing, legitimate SQL code. For example, consider a web page where users can search for a product by typing in the name of the product they are looking for. This page will search a table using a SQL statement, which asks the server to search the database for products that match the user input. However, if the developers who write this functionality are not careful, the user could type some SQL into the search box, which may then be run by the server. This could turn a request like this…
“Please give me all the product data where the product name matches the user input”
…into a request like this:
“Please give me all the product data where the product name matches the user input, and also give me all the customer credit card details from this other table in the same database”
This can’t be allowed to happen, and to make sure that it can’t happen within Sirius, we have several defences in place. Firstly, user input is sanitized before it is even passed to the database, to remove potentially dangerous content. After this, user input is passed to the database as parameters, and run as part of pre-defined stored procedures. This means that the database makes sure that the user input is the correct data type, and it won’t mistake a search string, like a product name, for a bit of SQL code to be executed.
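To make the parameter-passing point concrete, here is an added example (not Sirius code) that runs the product search described above two ways against a constructed in-memory SQLite table: once with the search term concatenated into the SQL text, and once with it bound as a parameter. The table name, product names and the crafted search term are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory product table standing in for the portal database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("Sirius Portal",), ("Vega Gateway",), ("Orion Firewall",)],
    )
    return conn


def search_vulnerable(conn, user_input):
    # The statement is built by string concatenation, so any quote character
    # in user_input becomes part of the SQL grammar instead of the search value.
    sql = "SELECT name FROM products WHERE name = '" + user_input + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, user_input):
    # The SQL text is fixed; the driver sends user_input as a bound value,
    # so it is only ever compared as a string and never parsed as code.
    sql = "SELECT name FROM products WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def demo():
    """Run both searches with an ordinary term and with a term that contains a quote."""
    conn = build_db()
    normal = "Sirius Portal"
    # Constructed input: the embedded quote closes the string literal in the
    # concatenated query and changes the meaning of its WHERE clause.
    crafted = "x' OR '1'='1"
    return {
        "normal_vulnerable": search_vulnerable(conn, normal),
        "normal_parameterized": search_parameterized(conn, normal),
        "crafted_vulnerable": search_vulnerable(conn, crafted),
        "crafted_parameterized": search_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

For the ordinary term both searches return the one matching product; for the crafted term the concatenated query returns every row in the table, while the parameterized query returns nothing because no product is literally named that string.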
As an additional layer of protection, the application user only has permissions to the specific procedures which are necessary for website functionality, and does not have direct access to the database tables. This means that, even if a bad actor were to manage to run their own SQL code in the database through the web portal, they would be unable to access any of the data tables directly, and so could not simply get all the data from all the tables. But what if they compromised the application user, and were able to run the stored procedures at will? Our procedures which require the highest standards of security also require that a valid session ID is passed in, and check that the user associated with that session has permission to call the procedure in question.
These multi-layered measures have been successfully protecting our clients’ data for decades, and this overview demonstrates why we are confident that they will continue to offer an effective defence long into the future. If you are serious about your web portal security, and would like to learn more about what Sirius can do for you, contact us now.