An SQL injection (also known as SQLi) is a technique in which attackers “inject” SQL commands to access and manipulate databases. By placing SQL code in user input that a web application (e.g., a web form) sends to its database server, attackers can gain access to information, which could include sensitive data or personal customer information.
SQL injection is a common issue with database-driven websites. Given the prevalence of such websites, this flaw is easily detected and easily exploited, and any website can be subject to an SQL injection attack.
The Open Web Application Security Project (OWASP) has noted injections as part of its OWASP Top Ten Web Application Risks.
What are SQL Queries and SQL Statements?
SQL (Structured Query Language) is a programming language used to manage online databases such as MySQL, Microsoft SQL Server, IBM Db2, and PostgreSQL. A standardized language, it is used to manipulate databases in order to build and create customizable data views. For a user to access database information, SQL statements are used in the input fields.
SQL statements are used to run commands, such as accessing data, modifying entries (add/remove/update) or removing records. Meanwhile, an SQL query is a term used in the industry to describe “SQL statements that return result sets.”
SQL databases used by businesses increasingly contain more sensitive and valuable data such as usernames and passwords, credit card information, and other important information. In practice, an SQL statement is often submitted through a web application, which attackers can then exploit via SQL injection by entering malicious code into its HTML forms. A web page or web application that has an SQL injection vulnerability uses user input directly in an SQL query.
Why are SQL Injection Attacks Common?
SQL injection attacks have been around for years and are common due to a few reasons:
- The prevalence of SQL injection vulnerabilities on database-driven websites
- The value and attractiveness of the database server to the attacker, as it often contains critical and valuable business data.
In addition, SQL injections are common with PHP and ASP applications due to the prevalence of older functional interfaces.
Types of SQL Injections
A type of attack vector, SQL injections can be classified based on the methods that attackers use to access backend data, and fall under three broad categories: In-band SQL Injection, Blind SQL Injection, and Out-of-band SQL Injection.
- In-band SQL injections: Here, the attackers rely on the same communication channel to launch the attack and obtain their results. An example is when attackers target a web application and are able to gain valuable information from the same channel, often using single quote characters to look for errors. From the error message, the attacker is able to analyse the text of the offending SQL statement and details about the error, and this is helpful to the attacker when creating reliable exploits for SQL injection attacks. By appending a UNION SELECT statement to the parameter, the attacker can then test for access to other tables in the target database. The simplicity of in-band SQL injection is one of the reasons why it is one of the most common types of SQL injection attacks. There are two general types of in-band SQL injections: error-based (described above) and union-based.
- Blind SQL injection: This type of SQL injection is “blind” since it does not show any error message and no data is transferred from the website database to the attacker. Instead, the attacker sends data payloads to the database and observes the response that the server provides (e.g., true or false). From the responses, the attacker can then obtain sensitive information about the database's structure. There are two types of blind SQL injections: boolean-based (content-based) and time-based.
- Out-of-band SQL injections: This type of attack is only available to attackers if certain features are enabled on the database server used by the web application. Attackers will often use this when the same channel cannot be used to launch an attack and gather information. The server will be requested to transmit data to the attacker through protocols such as HTTP or DNS (assuming the server has the capacity to do so).
It is worth noting that due to the differences between the common databases, techniques for SQL injection might differ based on the specific databases. This includes syntax for string concatenation, error messages, batched queries (resulting in batched SQL injections separated by semicolons), and platform-specific APIs.
What Can SQL Injections Do?
SQL injection can happen if you offer website visitors the ability to initiate an SQL query without validating the input. SQL injection attacks allow attackers to access data, view user lists without authorisation, tamper with existing data, delete data sets, disclose all the data in the system, or destroy the data; in certain cases, they can gain administrative rights to a database, which can be damaging to any business. Attackers can bypass the authentication of a web page or web application and retrieve the content of the SQL database.
SQL Injection Example
In one of the biggest data breaches in history, Heartland Payment Systems announced that the computers they use to process payment card transactions had been breached in 2008. The data compromised included information required to produce counterfeit credit cards, including the data coded on the card’s magnetic strip. The attackers exploited a known vulnerability to perform an SQL injection attack.
The data breach started with an SQL injection in 2007 that compromised Heartland’s database. Heartland reported that the code modified was on a web application login page that had been deployed 8 years earlier, but this was the first time the vulnerability had been exploited. This is an example of poorly coded web application software that is vulnerable to SQL injection attacks, and here the hackers managed to introduce malicious code into the company’s systems through user input.
The hackers then spent 8 months accessing the payment processing system while avoiding detection from several different antivirus systems and eventually installed a spyware program called a “sniffer” that captured the card data as payments were processed.
This real-life example is over ten years old, but there are still web applications believed to contain SQL injection vulnerabilities, making SQL injection attacks a common method of cyber attack.
The company paid an estimated $145 million in compensation for fraudulent payments.
How to Prevent SQL Injection Attacks
There are a number of prevention actions that users can take to prevent SQL injection attacks:
- Using prepared statements (parameterized queries): One way to prevent SQL injection attacks is input validation combined with parameterized queries, including prepared statements. Prepared statements (parameterized queries) can be used to execute the same or similar SQL statements repeatedly, often with high efficiency. Used instead of assembling a query string, a prepared statement can be a good defence against SQL injection, because parameter values (transmitted later using a different protocol) need not be correctly escaped. If the original SQL statement template is not derived from external input, SQL injection is not an option for attackers. The developer should sanitize all inputs, not only web form inputs such as login forms.
- Stored procedures: Used correctly, stored procedures can reduce the likelihood of SQL injections. This can be accomplished with programming languages including Java, .NET, PHP, and others.
- Secure coding: It is imperative that companies employ secure coding practices in order to increase web application security.
- Regularly update and patch: Vulnerabilities in web applications and databases are regularly discovered and this is something that attackers can exploit using SQL injections. As patches and updates are released for applications and databases, users should update as soon as practicable.
- Least privilege: Database users, like users on any system, should only have as much access as they need to perform their duties, also known as the principle of least privilege. Stay away from “ALL” grants in MySQL and sysadmin role membership in MSSQL if possible.
- Firewall: Web Application Firewalls (WAF) help protect web applications by filtering and monitoring traffic between web applications and the Internet. WAFs may be able to provide a defence against attacks including SQL injections. An SQL injection vulnerability might be in open source code, and in this case, having a WAF might help protect temporarily. In addition, a WAF might be able to provide protection against new vulnerabilities while patches are being developed.
- Monitoring your attack surface: Attack surface management is the continuous discovery, inventory, classification, prioritization, and security monitoring of external digital assets that contain, transmit, or process sensitive data. This will help monitor everything outside of the firewall that attackers can and will discover as they research the threat landscape for vulnerable organizations.
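The following added example (not part of the original article) shows a query that uses user input directly, as described earlier, next to the prepared-statement form from the first bullet above. It uses Python's built-in sqlite3 module; the table, rows, and function names are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (customer TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)", [
        ("alice", "laptop"), ("bob", "phone"), ("O'Brien", "keyboard")])
    return db

def orders_concatenated(db, customer):
    """Vulnerable: the input is pasted into the SQL text, so a quote in it
    ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT item FROM orders WHERE customer = '" + customer +
           "' ORDER BY item")
    return [row[0] for row in db.execute(sql)]

def orders_parameterized(db, customer):
    """Hardened: the statement text is a constant; the value is bound to the
    ? placeholder and is only ever compared as data."""
    sql = "SELECT item FROM orders WHERE customer = ? ORDER BY item"
    return [row[0] for row in db.execute(sql, (customer,))]

def outcome(query, db, customer):
    """Run one lookup; report a database error instead of raising it."""
    try:
        return query(db, customer)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal name, a name with an apostrophe, and a
    # value whose quote changes the WHERE clause when concatenated.
    for value in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(value))
        print("  concatenated :", outcome(orders_concatenated, db, value))
        print("  parameterized:", outcome(orders_parameterized, db, value))
```

The concatenated lookup fails with a syntax error on a legitimate name containing an apostrophe and returns every customer's rows for the third input, while the parameterized lookup treats all three values as plain data.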
For a comprehensive list of how to secure SQL, check out our 11 steps to secure SQL. If you are on MySQL, check out our top tips to improve your MySQL security: https://www.upguard.com/blog/top-11-ways-to-improve-mysql-security
SQL injection is one of the Top 20 OWASP Vulnerabilities, and we cover how to fix them here.