Many developers don’t realize that by introducing security issues in their code they may be making a hacker rich. There is a bustling market for software flaws such as buffer overflow or SQL injection.

Case in point: The French company Vupen notoriously develops and acquires zero-day vulnerabilities and does not disclose them to vendors. At a Pwn2Own contest in 2012, the hackers from Vupen refused to share the details of a flaw in Chrome despite the fact that Google was offering a $60,000 reward. Instead, they decided to keep the information for their well-paying customers, Forbes reported.

The Types of Hackers

The world of hackers is split into three main categories:

  • White-hat hackers are the ones who abide by the rules of responsible disclosure, notifying companies about vulnerabilities before making them public. Often they don’t require any other reward than recognition for identifying the issue. You may also hear them referred to as ethical hackers.
  • Gray-hat hackers operate at the boundary of the law. They may be selling zero-day vulnerabilities to the bad guys or governments, although they would not break the law themselves.
  • Black-hat hackers are the cybercriminals. They use zero-days to break into systems and steal data.

I am proud to say that I count myself and the entire IBM X-Force group as part of the white-hat category. In fact, I want to push the boundary further. Instead of finding the vulnerabilities before the bad guys do, I want to prevent them from being introduced in the first place.

I want to help developers put on their imaginary hacker hats and see their code through a hacker’s eyes. This type of exercise is called threat modeling, although it may have other names such as defensive programming. One of the best places to start is the most infamous software weakness of all: SQL injection.

A Notorious Example of an SQL Injection Attack

At some point in 2012, according to X-Force research, SQL injection attacks were responsible for more than half of all data breaches where the attack type had been disclosed. While that number has decreased in 2015, it is still one of the main attack vectors being used.

In 2008, cybercriminals made off with information from as many as 100 million debit and credit cards in the Heartland Payment Systems data breach. At the time, it was the largest data breach ever, and SQL injection was the culprit.

No wonder that SQL injection figures at the very top of the two most recognized lists of software weaknesses: OWASP Top 10 and SANS Top 25.

What Is the Programming Flaw?

SQL injection gets introduced when a developer concatenates user input into a database query. Let’s look at an example:

The code selects from the users table any record that matches the specified username and password. Leaving aside the fact that the password is stored in cleartext, the query can be manipulated and transformed by the user, which is never good.

Let’s say the user enters the following text as the username: admin’–.

The query changes as follows:

As a result, the user will login as the administrator.

The attacker will likely not stop here. As in the case of Heartland Payment Systems, the cybercriminal will take the attack to the next level and try to execute commands on the database server.

One way to do that is via the xp_cmdshell function in the case of MS SQL servers:

How to Prevent SQL Injection

A specific SQL injection software defense is the use of parameterized statements. The following example in Java uses a PreparedStatement class rather than concatenating the user-provided strings in a query.

This effectively prevents the injection portion of the attack in the Java code.

Word to the wise: Be careful with stored procedures. The Java code may be safe, but if the SQL code allows injection, there’s still a problem. This situation occurs when the SQL code uses the EXEC statement to execute commands constructed from the user input.

A more secure type of defense is input validation. Having an input validation framework is an excellent way to prevent all kinds of zero-day exploits — not just SQL injection. For example, why would you need to have single quotes or semicolons in a credit card number or numeric user ID? Many user-provided parameters only need to be alphanumeric, and that should be the default rule.

The best way of handling user input is with a white-listing approach. Use the most restrictive rule by default and allow special characters only by exception. This will greatly reduce the attack surface for many vectors.

Watch the on-demand webinar: Uncover What’s Inside the Mind of a Hacker


The information above should hopefully help developers cause headaches for the gray- and black-hat hackers. Every time you use a prepared statement and enforce input validation, you are taking money away from attackers and saving your company lots of it.

The average cost of a data breach in the U.S. is $3.8 million. One zero-day vulnerability is enough to cause a data breach — even the biggest breach of the century.

You can also watch a video demo of SQL injection attacks to learn more about this threat.

To learn how an SQL injection vulnerability may have contributed to one of largest data breaches in modern history, read the recent blog by my colleague Neil Jones.

This is Part 1 in our series that delves inside the mind of a hacker. Be sure to read Part 2 on OS command injection and Part 3 on memory flaws.

More from Application Security

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

4 min read - Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

4 min read

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

17 min read