CHAPTER 7
Database Security Principles

We’ll Cover

• SQL injection

• Setting database permissions

• Stored procedures

• Insecure direct object references

Databases are at the heart of virtually every modern web application. So much of what we really care about securing—sales records, credit card numbers, login credentials, all of our vital information—is stored in databases. You’d be hard pressed to find a web application more sophisticated than “Hello World” that doesn’t rely on databases to some extent: Even online games use databases to at least store high-score data (and there’s big money to be made in online games, too: just ask Zynga or Blizzard!).

Attackers know the value of databases too. For a three-year period beginning in 2005, a hacker named Albert Gonzalez and a small group of his accomplices broke into the online databases of multiple companies, including:

• TJ Maxx

• Heartland Payment Systems

• Hannaford Brothers

• 7-Eleven

• Dave & Buster’s

• DSW

• Office Max

• Sports Authority

• Forever 21

• Barnes & Noble

• Boston Market

• BJ’s Wholesale Club

In all, over 100 million people had their personal data, including their credit card numbers, stolen by Mr. Gonzalez and his colleagues, and this was just the work of one single, small hacker group.

Note

Albert Gonzalez originally pled guilty to these crimes and was sentenced to 20 years in prison. However, as of this writing, he has petitioned the court to withdraw his guilty plea with the claim that he conducted the attacks while he was working undercover as a United States Secret Service informant.

In this chapter, we’ll discuss how to best secure your databases from outside attack. We’ll start by taking a look at SQL databases and SQL injection. SQL injection is the attack that Albert Gonzalez used, and is one of the most widespread types of attacks against SQL databases. We’ll see a demonstration of exactly how hackers use SQL injection to break into your site, and we’ll learn the best methods of defending against it. Next, we’ll move on to some best practices around setting database permissions and writing stored procedures. We’ll finish the chapter with a look at insecure direct object reference vulnerabilities, a very common type of vulnerability and one of the most easily exploited, even by “attackers” with absolutely no technical knowledge.
