Many of the initial attack vectors uncovered by the Foregenix Digital Forensics and Incident Response Team are the result of successful SQL injection (SQLi) attacks, especially against merchants who elect to use bespoke-built sites. eCommerce environments, by nature, combine a website with a database holding product details and user administration, and if that interaction is not handled correctly the site is left vulnerable to SQLi.
The good news is that SQLi is preventable with the correct security approach.
- Validate and sanitise all user input; treat all input as untrusted and use prepared statements, parameterised queries or stored procedures where applicable. PHP's 'mysqli::real_escape_string' is NOT an acceptable approach on its own
- Maintain a regular update and patching policy; ensure updates and patches are applied as soon as they are released
- Implement a web application firewall; such as the one provided by Foregenix's own eCommerce security solution, FGX-Web
- Minimise the attack surface; reduce privileges to the least required, and remove all unnecessary functionality
- Implement a policy of regular password changes; all passwords should be changed every 90 days as a minimum. Passwords should also be complex, with a minimum length of seven characters, and include both numeric and alphabetic characters
All of the above are requirements of PCI DSS and should be implemented by all merchants. Read more on our latest blog about Security and PCI DSS for eCommerce businesses.
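The first item in the list, parameterised queries instead of string building or escaping, shown as an added example that is not Foregenix's or the post's own code. It uses Python with an in-memory SQLite table (an assumed schema) rather than the PHP/MySQL stack the post mentions, but the principle is the same: the query text is fixed and the driver binds the value separately.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for an
# eCommerce site's user table. Schema and rows are assumed, not from the post.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn

def lookup_user_unsafe(conn, email):
    """Vulnerable pattern: the input is concatenated into the SQL text, so a
    quote character in `email` changes the structure of the statement."""
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, email):
    """Hardened pattern: a parameterised query. The statement is fixed and
    `email` is bound as a value, so its content can never alter the SQL."""
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Simple allow-list validation layered on top of parameterisation; the
# pattern is deliberately conservative and is an assumption for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def validate_email(email, max_len=254):
    return 0 < len(email) <= max_len and EMAIL_RE.fullmatch(email) is not None

def compare(email):
    """Run the same input through both lookups and the validator, and report
    how many rows each lookup returned."""
    conn = build_db()
    try:
        return {
            "unsafe_rows": len(lookup_user_unsafe(conn, email)),
            "safe_rows": len(lookup_user_safe(conn, email)),
            "valid_input": validate_email(email),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    print(compare("alice@example.com"))   # both lookups return 1 row
    print(compare("x' OR '1'='1"))        # unsafe returns every row, safe returns none
```

The parameterised lookup returns no rows for the malformed input because the whole string is compared as a literal value, and the validator rejects it before a query is ever built.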
Between 35,000 and 40,000 credit cards exposed to hackers after coding errors led to SQL Injection.