SQL Injection Strikes again – WAF is here

It has been over a decade since the SQL Injection vulnerability was first discovered, but it still tops the charts. Recently the web server that housed payment card data for a New York tourism company was breached using SQL Injection.

The online breach, which gave the attackers access to cardholder information for 110,000 credit cards, was carried out via SQL injection, one of the most frequent modes of attack used to illegally acquire payment-card details.



Twin America LLC (d.b.a. City Sights NY) reportedly discovered the breach in late October, after a programmer noticed that an unauthorized script had been loaded onto the server. The company notified the New Hampshire Attorney General of the breach on Dec. 9, after it determined that some 300 New Hampshire residents had been affected by the attack.



According to Verizon Business' 2010 Payment Card Industry Compliance Report, released in October, 24 percent of payment-card breaches result from SQL injection. When it comes to card breaches, SQL injection comes second only to malware, which gives fraudsters remote access by bypassing normal authentication mechanisms.



Secure coding is one of the best ways to rein in SQL injection attacks. More recently, Web Application Firewalls have been introduced as an additional layer of mitigation.



A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. By customizing the rules to the web application, many attacks can be identified and blocked. The effort to perform this customization can be significant, and the rules must be maintained as the application is modified.
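As an added example (not code from the original post), the two defences named above side by side: a lookup that splices user input into the SQL text, the parameterized version that fixes it, and a minimal WAF-style signature rule of the kind the last paragraph describes. The table, its rows, the hostile input and the rule are all constructed for illustration, and an in-memory SQLite database stands in for the payment server's database.

```python
import re
import sqlite3

# Constructed sample data: a cardholder table of the kind the breached
# server might have held (names and masked numbers are made up).
SAMPLE_ROWS = [
    (1, "alice", "4111-XXXX-XXXX-1111"),
    (2, "bob", "5500-XXXX-XXXX-0004"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (id INTEGER, username TEXT, card TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    # Defect: user input is spliced into the SQL text, so the input can alter
    # the query's structure rather than only the value being compared.
    sql = "SELECT username, card FROM cardholders WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Fix: the query text is fixed; the driver binds the input purely as data.
    sql = "SELECT username, card FROM cardholders WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A minimal WAF-style rule (constructed): a signature for a quote followed by
# OR, the generic kind of pattern a WAF ships with. It must be tuned per
# application and supplements, rather than replaces, parameterized queries.
INJECTION_RULE = re.compile(r"'\s*or\s", re.IGNORECASE)


def waf_allows(value):
    return INJECTION_RULE.search(value) is None


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed test input
    print(lookup_vulnerable(db, hostile))      # every row leaks
    print(lookup_parameterized(db, hostile))   # no row matches
    print(waf_allows(hostile))                 # False: the rule fires
```

The contrast is the point: the parameterized lookup returns nothing for the hostile input because the string never becomes part of the SQL, while the signature rule only catches inputs that happen to match a pattern it was written for.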