Mitigating SQL Injection Attack Threats

Since SQL injection attacks are very hard to detect, prevention is the best approach. Use these recommendations and best practices provided by US-CERT.


US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners. US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.

From US-CERT | Jan 30, 2012

Structured Query Language (SQL) injection is an attack technique that attempts to subvert the relationship between a Web page and its supporting database, typically in order to trick the database into executing malicious code. SQL injection usually involves a combination of over-elevated permissions, unsanitized/untyped user input, and/or true software (database) vulnerabilities. Since SQL injection is possible even when no traditional software vulnerabilities exist, mitigation is often much more complicated than simply applying a security patch.

The following mitigation strategies and best practices can be used to minimize the risks associated with this attack vector. As with any system or architecture change, local administrators are best positioned to know which strategies are appropriate for their specific networks and systems.

Included in this ZIP file are:

  • Intro Page.doc
  • Terms and Conditions.pdf
  • Mitigating SQL Injection Attack Threats.pdf