Blog | G5 Cyber Security

RDS SQL Injection Fix

TL;DR

Blind SQL injection attacks exploit vulnerabilities in your database queries to extract data without directly seeing the results. This guide shows you how to identify and fix blind SQL injection on Amazon RDS, focusing on practical steps like input validation, prepared statements, least privilege access, and monitoring.

What is Blind SQL Injection?

Blind SQL injection happens when a web application sends database queries based on user-supplied input but doesn’t display the query results directly in the response. Attackers infer information by observing the application’s behaviour – for example, whether responses are faster or slower depending on the injected code.

How to Identify Blind SQL Injection

  1. Error Messages: Blind injection does not surface direct database errors, so look instead for inconsistencies in the application's responses, such as timing differences or subtly changed page content.
  2. Boolean-Based Injection: Attackers use queries that return different results (true/false) based on conditions they control.
  3. Time-Based Injection: Attackers inject code that causes delays if a condition is true, observing the response time to determine information.

Fixing Blind SQL Injection

  1. Input Validation: This is your first line of defence.
    • Whitelist Approach: Only allow known good characters and patterns. For example, if you expect a number, only accept digits.
    • Blacklist Avoidance: Blacklisting (blocking specific characters) is unreliable as attackers can find ways around it.
    • Data Type Validation: Ensure input matches the expected data type (e.g., integer, string).
  2. Prepared Statements (Parameterized Queries): This is the most effective defence.

    Prepared statements separate SQL code from user-supplied data. The database treats user input as data, not as part of the query itself.

    # Example in Python with psycopg2: the %s placeholder is bound by the driver,
    # so the username is sent to the database as data and is never parsed as SQL.
    import psycopg2
    conn = psycopg2.connect("dbname=mydatabase user=myuser password=mypassword host=localhost")
    cur = conn.cursor()
    query = "SELECT * FROM users WHERE username = %s"
    username = input("Enter username: ")
    cur.execute(query, (username,))  # parameters go in a tuple; never format them into the query string
    results = cur.fetchall()
    cur.close()
    conn.close()
    
  3. Least Privilege Access: Grant database users only the minimum necessary permissions.
    • Avoid using the ‘root’ or ‘admin’ account for application connections.
    • Create dedicated user accounts with limited privileges (e.g., SELECT, INSERT, UPDATE) on specific tables.
  4. Web Application Firewall (WAF): Use a WAF to filter malicious requests before they reach your application.
    • AWS WAF can help block common SQL injection patterns.
    • Configure rules based on known attack signatures and input validation criteria.
  5. Regular Security Scanning: Automate vulnerability scanning to identify potential weaknesses.
    • Use tools like OWASP ZAP or Burp Suite to perform penetration testing.
    • Schedule regular scans as part of your CI/CD pipeline.
  6. Monitoring and Logging: Track database activity for suspicious patterns.
    • Enable audit logging in RDS to record all database operations.
    • Monitor logs for unusual queries, errors, or access attempts.
    • Set up alerts for potential SQL injection attacks based on log analysis.
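The monitoring item above stays abstract about what "unusual queries" look like in practice. The following is an added example, not code from the article or from G5 Cyber Security, that runs simple detection logic over a few constructed log lines shaped like RDS for PostgreSQL output (the default `log_line_prefix` of `%t:%r:%u@%d:[%p]:` with `log_statement = 'all'`); the hosts, database, user and statements are invented. It flags the two blind techniques the article describes (a delay function in a statement, a tautology in a predicate) and a burst of SQL errors from one source, which is what probing for injection typically leaves behind.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines (not real RDS output): default RDS PostgreSQL
# log_line_prefix '%t:%r:%u@%d:[%p]:' with log_statement = 'all'.
SAMPLE_LOG = """\
2024-05-01 12:00:01 UTC:10.0.1.5(51234):appuser@mydatabase:[1234]:LOG:  statement: SELECT id FROM users WHERE username = 'alice'
2024-05-01 12:00:02 UTC:10.0.1.5(51234):appuser@mydatabase:[1234]:LOG:  statement: SELECT id FROM users WHERE username = 'bob'
2024-05-01 12:00:03 UTC:203.0.113.9(40211):appuser@mydatabase:[1301]:LOG:  statement: SELECT id FROM users WHERE username = 'x' AND 1=1
2024-05-01 12:00:04 UTC:203.0.113.9(40211):appuser@mydatabase:[1301]:LOG:  statement: SELECT id FROM users WHERE username = 'x' AND pg_sleep(5) IS NULL
2024-05-01 12:00:05 UTC:203.0.113.9(40211):appuser@mydatabase:[1301]:ERROR:  syntax error at or near "AND" at character 48
2024-05-01 12:00:06 UTC:203.0.113.9(40211):appuser@mydatabase:[1301]:ERROR:  unterminated quoted string at or near "'"
2024-05-01 12:00:07 UTC:203.0.113.9(40211):appuser@mydatabase:[1301]:ERROR:  syntax error at or near ")" at character 52
"""

# One log line: timestamp, client host(port), user@db, [pid], level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w+):"
    r"(?P<host>[^:(]+)\((?P<port>\d+)\):"
    r"(?P<user>[^@]+)@(?P<db>[^:]+):\[(?P<pid>\d+)\]:"
    r"(?P<level>\w+):\s+(?P<msg>.*)$"
)

# Heuristic signatures for the two blind techniques described in the article.
# Delay functions across common engines (pg_sleep, SLEEP, BENCHMARK, WAITFOR).
TIME_BASED = re.compile(r"\b(pg_sleep|sleep|benchmark|waitfor)\b", re.I)
# Always-true comparisons such as 1=1 or 'a'='a' in a predicate.
TAUTOLOGY = re.compile(r"\b(\d+)\s*=\s*\1\b|'([^']*)'\s*=\s*'\2'")
ERROR_BURST_THRESHOLD = 3  # errors from one user@host before a finding is raised


@dataclass
class Finding:
    line_no: int   # 1-based line within the log text
    source: str    # user@client-host the activity came from
    reason: str


def parse_line(line: str) -> dict | None:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str) -> list[Finding]:
    """Scan log text and return findings in the order they were triggered."""
    findings: list[Finding] = []
    errors_per_source: Counter[str] = Counter()
    for n, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue  # unparsable line; a production version would count these
        source = f"{rec['user']}@{rec['host']}"
        msg = rec["msg"]
        if rec["level"] == "LOG" and msg.startswith("statement:"):
            sql = msg[len("statement:"):].strip()
            if TIME_BASED.search(sql):
                findings.append(Finding(n, source, "time-based: delay function in statement"))
            if TAUTOLOGY.search(sql):
                findings.append(Finding(n, source, "boolean-based: tautology in predicate"))
        elif rec["level"] == "ERROR":
            errors_per_source[source] += 1
            if errors_per_source[source] == ERROR_BURST_THRESHOLD:
                findings.append(Finding(n, source, f"{ERROR_BURST_THRESHOLD} SQL errors from one source"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.source}: {f.reason}")
```

The signatures are deliberately simple: a column legitimately named `sleep` would trip the time-based check, and the error-burst threshold is a starting point to tune per application. In practice this logic would run over the log stream exported to CloudWatch rather than an inline string, and each finding would become an alert keyed on the `user@host` source.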

RDS Specific Considerations

  1. Database Activity Streams: Use RDS Database Activity Streams to capture detailed database activity, including query execution details.
  2. VPC Security Groups: Restrict network access to your RDS instance using VPC security groups. Only allow connections from trusted sources (e.g., your application servers).

Example Time-Based Injection Mitigation

If you suspect time-based injection, prepared statements will prevent the attacker from injecting SLEEP or similar delay functions, because the input is bound as a literal value rather than parsed as part of the SQL statement.
