Here’s how Bell was Hacked: SQL Injection Blow-by-Blow

OWASP’s number one risk in the Top 10 has featured prominently in a high-profile attack, this time resulting in the leak of over 40,000 records from Bell in Canada. It was pretty self-evident from the original info leaked by the attackers that SQL injection had played a prominent role in the breach, but now we have some pretty conclusive evidence of it as well:

The usual fanfare quickly followed – announcements by the attackers, silence by the impacted company (at least for the first day), outrage by affected customers and the new normal for public breaches: I got the data loaded into Have I been pwned? and searchable as soon as I’d verified it.

API Security Weekly: Issue 171

This week, we have news of multiple API flaws and vulnerabilities: the parcel tracking portal at DPD that may have exposed customer data, an API vulnerability in Apache Pulsar that allowed access to data in other tenants, and an SQL injection vulnerability in the Casdoor API. On the more positive side, we take a look at the emerging trends in the API industry.

Vulnerability: DPD Parcel Tracking Flaw May Have Exposed Customer Data

The big news this week was the disclosure of a vulnerability in the parcel tracking portal of DPD Group, which may have exposed customer data.

How to Check Text Inputs for SQL Injection Attacks in Java

SQL (Structured Query Language) injection is a code injection technique used to attack data-driven applications: SQL statements are inserted into an entry field so that the database executes them, and the attacker wreaks havoc from there. This type of attack seeks out existing security vulnerabilities in websites and the databases behind them to gain access to sensitive information. For example, if a field of an online form is coded incorrectly, it gives a malicious user an opening to sneak in SQL commands that the system treats as valid; the response then contains information that can be leveraged to access the data and manipulate, modify, or destroy it.

Despite the growing number of organizations that have reported successful SQL injection attacks, this type of threat is often underestimated in comparison to other cyber-crimes. Because they rely on check-out forms on their websites, retail companies have proven particularly susceptible to these threats. While standard firewalls may aim to protect your website or application from SQL injection, their failure can cause serious damage and data loss for your company. The following APIs can provide supplementary protection by detecting SQL injection attacks in single or multiple text inputs, and even let you define the threat detection level you want to use.

What is SQL Injection? How to Prevent SQL Injection

SQL injection is a type of attack in which the backend database is manipulated to gain access to information that is not meant to be shared. That data may include many things, such as sensitive company data and private customer details. The impact of this attack is severe and disruptive for the company facing it. A successful attack can lead to unauthorized viewing of the customer list, deleted tables, changed content, altered behavior of the website, and sometimes the attacker tries to gain access to the administration database; all of these are critical for a company to keep running. The attacker can keep attacking the company’s system, causing long-term damage that goes unnoticed for an extended period.

Many high-profile companies have suffered SQL injection attacks and seen reputational damage and regulatory fines. SQL injection is possible only because applications use untrusted data, such as web form fields, in their queries. When the web page fails to sanitize that input before issuing the SQL query, the attacker’s injected SQL is executed along with the query the company intended to run.
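The mechanism described in the two passages above, that a form value spliced into the SQL text changes the statement itself while a bound parameter cannot, is easiest to see side by side. The following is an added example written for this page in Python against an in-memory SQLite database; it is not code from any of the articles excerpted here, and the `users` table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any of the articles).
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def setup_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation. The form field becomes part of
    the SQL text, so a quote character in the input ends the literal early and
    whatever follows is parsed as SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Binds the form field as a parameter. The database receives the statement
    and the value separately, so the input is only ever compared as a string
    and can never alter the statement's structure."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a normal value and with the textbook tautology
    that a misconfigured form field would pass straight through."""
    conn = setup_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # turns the WHERE clause into an always-true test
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query the tautology returns every row in the table, which is the "unauthorized viewing of the customer list" the article warns about; the parameterized query returns nothing, because it searches for a user literally named `' OR '1'='1`. The same contrast holds for the ORM-versus-raw-SQL choice discussed later on this page: an ORM parameterizes for you, while raw SQL is safe only if you bind values rather than concatenate them.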

The Easiest Way to Securely Query Postgres in Node.js

When you’re querying Postgres, you need to choose between:

  • Using an ORM. This gives you “native” feeling APIs to query the database.
  • Using raw SQL. This gives you the ultimate flexibility and performance and gives you more transferable skills. It’s always helpful to know how to write SQL.

Postgres ORM

If you want to use an ORM to query Postgres, I recommend using https://typeorm.io. If you’re starting with a fresh project, you can use their typeorm init CLI command:

What You Should Actually Know About Security in Ruby on Rails?

Introduction to Ruby-on-Rails

A popular development environment, Ruby on Rails features a simple syntax. The environment is accommodating by nature, allowing teams of varying sizes to work in complete harmony. Developers find it fairly easy to learn, and thus it is one of the most popular development technologies available today.

Security Issues With Ruby on Rails

Thanks to Apple, the web development framework saw an overnight upsurge in its popularity. However, in 2012, security breaches invited massive criticism from its patrons.

The Risks of Using EXECUTE (‘SQL Script’)

Using dynamic SQL is unavoidable at times, but it is reckless to execute dynamic SQL that is created directly from strings that include values that change at execution time. It can allow SQL Injection and it is also inefficient.

SQL Prompt’s code analysis rule, BP013, will alert you to the use of Execute(<string>) to execute a batch held in a string, often assembled dynamically from user input. Use of this command is particularly suspect because it doesn’t allow you to parameterize values.
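The rule above is about T-SQL, but the principle it enforces applies to any dynamic SQL: the parts that cannot be bound as parameters (table and column names) must be restricted to a fixed allow-list, and everything that can be bound must be. The following is an added example written for this page in Python against in-memory SQLite, not code from SQL Prompt or Redgate; the `orders` table, its rows and the `ALLOWED_SORT_COLUMNS` set are constructed for the illustration.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the article).
ORDERS = [
    (1, "widget", 3, "2024-01-05"),
    (2, "gadget", 1, "2024-01-07"),
    (3, "widget", 5, "2024-01-09"),
]

# Identifiers cannot be bind parameters, so the only safe way to let a caller
# choose one is to check it against a fixed allow-list before splicing it in.
ALLOWED_SORT_COLUMNS = {"id", "product", "quantity", "ordered_on"}


def setup_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, product TEXT, "
        "quantity INTEGER, ordered_on TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    return conn


def sort_column_accepted(sort_by):
    """True only for identifiers that appear verbatim in the allow-list."""
    return sort_by in ALLOWED_SORT_COLUMNS


def orders_for_product(conn, product, sort_by):
    """Dynamic SQL done the safe way: the column name is validated against the
    allow-list and quoted as an identifier, while the product value, which
    changes at execution time, is passed as a bind parameter rather than being
    concatenated into the statement text."""
    if not sort_column_accepted(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT id, product, quantity FROM orders "
        f'WHERE product = ? ORDER BY "{sort_by}"'
    )
    return conn.execute(sql, (product,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(orders_for_product(db, "widget", "quantity"))
    print(sort_column_accepted("price"))
```

Rejecting anything outside the allow-list, rather than trying to escape the identifier, is what keeps the statement's structure fixed; the value side then has exactly the property BP013 is asking for, since the database receives the statement text and the product string separately and can also reuse the cached plan.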