SQL Injection Essay
Despite continued research and engineering effort in security, database security remains a problem. SQL injection attacks do not defeat the database's own access controls; they abuse the query language through which the application talks to the database, so that the database executes the attacker's instructions as if they were the application's own.
Structured Query Language (SQL) is the language used to query and manage relational databases. It is standardized internationally (ANSI/ISO), although each database product implements its own dialect, with differences in details such as comment markers and string functions. Attackers use a variety of tools to reach databases through the applications that use them. They do so by changing "the intended effect of an SQL query by inserting new SQL keywords or operators in the query" (Halfond, Viegas, & Orso, 2006, p. 1). Because the injected text arrives as part of a query the application itself sends, the database parses and executes it as legitimate SQL; the effect can range from bypassing a login check to altering stored data, such as changing an administrator's password.
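The following is an added example, not code from the essay or from Halfond et al., showing the mechanism described above against an in-memory SQLite database. The table contents, the function names (make_db, build_login_query, login_vulnerable, login_safe) and the payloads are all constructed for illustration. The vulnerable login splices the supplied name and password into the SQL text, so a quote, an OR operator or a comment marker (`--`) changes the query's structure; the safe version binds the same values as parameters, where they can only ever be data.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "wonderland", "user")],
    )
    return conn


def build_login_query(name, password):
    """Vulnerable pattern: user-supplied text is spliced into the SQL string, so
    quotes, operators (OR) and comment markers (--) become part of the query
    grammar instead of staying data."""
    return (f"SELECT role FROM users WHERE name = '{name}' "
            f"AND password = '{password}'")


def login_vulnerable(conn, name, password):
    """Returns the role of the first matching row, or None if no row matches."""
    row = conn.execute(build_login_query(name, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized query: the driver receives the SQL text and the values
    separately, so the '?' placeholders are filled with data that can never
    change the statement's structure."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Comment marker removes the password check:
    #   SELECT role FROM users WHERE name = 'admin' --' AND password = 'wrong'
    print(login_vulnerable(conn, "admin' --", "wrong"))        # admin
    # Tautology makes the WHERE clause true for every row (AND binds before OR):
    #   ... WHERE name = 'nobody' AND password = '' OR '1'='1'
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))     # admin
    print(login_safe(conn, "admin' --", "wrong"))              # None
    print(login_safe(conn, "admin", "s3cret"))                 # admin
```

The payloads use the `--` comment marker as SQLite and PostgreSQL accept it; in MySQL the marker must be followed by whitespace (or `#` is used instead), which is one of the dialect differences an attacker adjusts for. The fix is independent of dialect: every value that originates outside the application goes into a bound parameter, never into the SQL string.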
Malicious input reaches the query through several injection mechanisms, among them cookies, server variables such as Hypertext Transfer Protocol (HTTP) headers, and second-order injection (Halfond, Viegas, & Orso, 2006, p. 2):
- Injection through cookies: cookies are state that a website stores in the user's browser and that the browser sends back with every request. If the application builds a query from a cookie value, an attacker who edits the cookie can inject SQL that runs each time the modified cookie is submitted.
- Injection through HTTP headers: the client talks to the web application over HTTP, and the request carries headers (User-Agent, Referer and others) that many applications log or otherwise store in the database. Headers are entirely under the client's control, so an attacker can place SQL in a header value; if the application concatenates that value into a query, the injected SQL runs.
- Second-order injection: the attacker submits the malicious input in one place, for example a registration form, where it is stored harmlessly as data. The attack triggers later, when the application reads the stored value back and uses it to build a different query somewhere else, away from the original point of entry.
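As an added example, not code from the essay or from Halfond et al., the following script demonstrates two of the mechanisms above, the HTTP header vector and second-order injection, against a constructed SQLite database. All names (make_db, log_visit_vulnerable, register, change_password_vulnerable, second_order_demo and the rest), the table layout and the sample header value are assumptions made for the illustration. The second-order case is the one from the essay's opening: the attacker registers the name `admin' --`, which the parameterized registration stores as plain data, and later "changes their own password"; the password-change query trusts the stored name, so the UPDATE lands on the real admin account instead. The same example shows why detection at the point of entry is hard: nothing malicious executes when the value is stored.

```python
import sqlite3


def make_db():
    """Constructed application database: one admin account and a request log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.execute("CREATE TABLE visits (agent TEXT, username TEXT)")
    return conn


# --- Injection through an HTTP header (User-Agent) ---

def log_visit_vulnerable(conn, user_agent, username):
    """Logs the User-Agent header by concatenation. A forged header can close the
    VALUES list early and decide what gets recorded as the username. Returns the
    username actually written to the log."""
    conn.execute(
        f"INSERT INTO visits (agent, username) VALUES ('{user_agent}', '{username}')"
    )
    return conn.execute(
        "SELECT username FROM visits ORDER BY rowid DESC LIMIT 1"
    ).fetchone()[0]


def log_visit_safe(conn, user_agent, username):
    """Same logging with bound parameters: the header is stored verbatim as data."""
    conn.execute(
        "INSERT INTO visits (agent, username) VALUES (?, ?)", (user_agent, username)
    )
    return conn.execute(
        "SELECT username FROM visits ORDER BY rowid DESC LIMIT 1"
    ).fetchone()[0]


# --- Second-order injection ---

def register(conn, name, password):
    """The entry point is parameterized, so a name like "admin' --" is stored as
    plain data; an input filter at this point sees nothing executing."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, password))


def change_password_vulnerable(conn, name, old, new):
    """Later, the stored name is trusted and spliced into an UPDATE. The quote and
    comment marker stored at registration now become SQL. Returns rows updated."""
    query = (f"UPDATE users SET password = '{new}' "
             f"WHERE name = '{name}' AND password = '{old}'")
    return conn.execute(query).rowcount


def change_password_safe(conn, name, old, new):
    """The fix is to bind parameters at every point of use, not only at entry."""
    return conn.execute(
        "UPDATE users SET password = ? WHERE name = ? AND password = ?",
        (new, name, old),
    ).rowcount


def get_password(conn, name):
    row = conn.execute("SELECT password FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def second_order_demo(vulnerable=True):
    """Registers the attacker, lets them 'change their own password', and returns
    the admin's password afterwards."""
    conn = make_db()
    register(conn, "admin' --", "anything")
    change = change_password_vulnerable if vulnerable else change_password_safe
    # Executed statement in the vulnerable case (everything after -- is a comment):
    #   UPDATE users SET password = 'pwned' WHERE name = 'admin' --' AND password = 'anything'
    change(conn, "admin' --", "anything", "pwned")
    return get_password(conn, "admin")


if __name__ == "__main__":
    conn = make_db()
    forged_agent = "Mozilla/5.0', 'admin') --"   # constructed attacker header
    print(log_visit_vulnerable(conn, forged_agent, "guest"))  # admin
    print(log_visit_safe(conn, forged_agent, "guest"))        # guest
    print(second_order_demo(vulnerable=True))                 # pwned
    print(second_order_demo(vulnerable=False))                # s3cret
```

With the forged header the executed statement is `INSERT INTO visits (agent, username) VALUES ('Mozilla/5.0', 'admin') --', 'guest')`, so the log attributes the visit to admin. Note that escaping or rejecting quotes only at the registration form would not have stopped the second-order case: the value that causes harm is the one read back from the database, which the application treats as trusted.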
Detection and prevention are difficult because injected SQL is syntactically indistinguishable from the SQL the application legitimately generates; by the time a query reaches the database, both are valid statements (Halfond, Viegas, & Orso, 2006, p. 5). The recent compromise of Facebook databases illustrates the point: the attackers reportedly went undetected because scanning tools could not tell the injected code apart from the application's own queries.
Halfond, W. G., Viegas, J., & Orso, A. (2006). A classification of SQL injection attacks and countermeasures. Proceedings of the IEEE International Symposium on Secure Software Engineering, 1, 1-11. Retrieved from https://www.cc.gatech.edu/fac/Alex.Orso/papers/halfond.viegas.orso.ISSSE06.pdf