Introduction to SQL Injection

A SQL injection is a technique that attackers use to gain unauthorized access to a web application database by adding a string of malicious code to a database query.

A SQL injection (SQLi) manipulates SQL code to provide access to protected resources, such as sensitive data, or execute malicious SQL statements. When executed correctly, a SQL injection can expose intellectual property, customer data or the administrative credentials of a private business.

SQL injection attacks can be used to target any application that uses a SQL database, with websites being the most common prey. Common SQL databases include MySQL, Oracle and SQL Server.

SQL injections are considered one of the most common security exploits, as evidenced by their presence on the list of OWASP top 10 threats to web application security. The risk of SQLi exploits and the damage they can cause have both grown with the availability of automated tools for executing SQL injections. In the past, the likelihood of an enterprise being targeted with a SQL injection was somewhat limited because attackers had to carry out these exploits manually. 

How does a SQL injection attack work?

A SQL query is a request for some action to be performed on an application database. Queries can also be used to run operating system commands. Each query includes a set of parameters that ensure only desired records are returned when a user runs the query. During a SQL injection, attackers exploit this by injecting malicious code into the query’s input form.

The first step of a SQL injection attack is to study how the targeted database functions. This is done by submitting a variety of random values into the query to observe how the server responds.

Attackers then use what they’ve learned about the database to craft a query the server will interpret and then execute as a SQL command. For example, a database may store information about customers who have made a purchase with customer ID numbers. Instead of searching for a specific customer ID, an attacker may insert “CustomerID = 1000 OR 1=1” into the input field. Since the statement 1=1 is always true, the SQL query would return all available customer IDs and any corresponding data. This allows the attacker to circumvent authentication and gain administrator-level access.

In addition to returning unauthorized information, SQL attacks can be written to delete an entire database, bypass the need for credentials, remove records or add unwanted data.  

How can a SQL injection attack be detected and prevented?

If a SQL injection attack is successfully carried out, it could cause extensive damage by exposing sensitive data and damaging customer trust. That’s why it is important to detect this type of attack in a timely manner.

Web application firewalls (WAFs) are the most common tool used to filter out SQLi attacks. WAFs are based on a library of updated attack signatures and can be configured to flag malicious SQL queries in web applications.

To prevent a SQL injection attack from occurring, businesses can follow these practices:

1. Train employees on prevention methods.

It’s important that IT teams — including DevOps pros, system administrators and software development teams — receive proper security training to understand how SQLi attacks happen and how they can be prevented in web applications.

2. Don’t trust user input.

Any user input provided in a SQL query increases the likelihood for a successful SQL injection. The best way to mitigate this type of risk is to put security measures around user input.

3. Use an allowlist instead of a blocklist.

Validating and filtering user input via an allowlist, as opposed to a blocklist, is recommended because cybercriminals can usually bypass a blocklist.

4. Perform routing updates and use the newest version of applications.

Outdated software is one of the most frequent causes of SQL injection vulnerabilities. Older technology is unlikely to have SQLi security built in, and unpatched software is frequently simpler to manipulate. This also applies to programming languages. Older syntax and languages are more open to attack. Use PDO, for example, in place of older MySQL.

5. Use validated prevention methods.

Query strings written from scratch offer insufficient protection against a SQLi attack. The best way to protect web applications is through input validation, prepared statements and parameterized queries.

6. Perform regular security scans

Regularly scanning web applications will catch and remedy potential vulnerabilities before they do serious damage.

Example Of SQL Injection

Attackers planning to execute a SQL injection try manipulating a standard SQL query by exploiting non-validated input vulnerabilities in a database. There are several ways to execute such attacks; the following example gives a basic idea of how SQL injection works.

This example shows how attackers may exploit concatenation weakness. The code below results in the current username and searches for items matching a specific item name, where the owner is the current user.

...
string userName = ctx.getAuthenticatedUserName();
string query = "SELECT * FROM items WHERE owner = "'"
                + userName + "' AND itemname = '"
                + ItemName.Text + "'";
...

On combining the username and item name, you get the following query:

SELECT * FROM items 
WHERE owner =
AND itemname = ;

The challenge, in this situation, is the original code uses concatenation to combine data. 

The attacker may use a string such as ‘name’ OR ‘a’=’a’ as the item name. The condition ‘a’=’a’ always evaluates to true. Hence, the SQL statement will hold true for every item in the table. 

Now the SQL statement changes to the following:

SELECT * FROM items
WHERE owner = 'john'
AND itemname = 'name' OR 'a'='a';

To put it simply, it’s the same as SELECT * FROM items;

Therefore, the above query will return the data of the entire table, giving the attacker unauthorized access to sensitive data.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *