SQL injection is a hacking technique that was discovered more than fifteen years ago and is still proving to be devastatingly effective today, remaining a top database security priority. It was used in the run-up to the 2016 U.S. presidential election to compromise the personal data of 200,000 Illinois voters, as well as in high-profile attacks against organizations such as Sony Pictures, PBS, Microsoft, Yahoo, Heartland Payment Systems, and even the CIA.
SQL, or Structured Query Language, is the command-and-control language for relational databases such as Microsoft SQL Server, Oracle, and MySQL. In modern web development, these databases are often used on the back end of web applications and content management systems written in PHP, ASP.NET or other scripting languages – meaning that both the content and behavior of many websites is built on data in a database server.
A successful attack on the database that drives a website or web application, such as a SQL injection login bypass attack, can potentially give a hacker a broad range of powers, from modifying web site content (“defacing”) to capturing sensitive information such as account credentials or internal business data. A SQL injection commands list is essentially the same as a list of database commands, include potentially catastrophic ones such as DROP TABLE.
With advancement in technology, modern society has accomplished many unthinkable goals. However, as technology develops, so does the risk involved in using it. Same is the case with web applications. Today’s applications are fraught with vulnerabilities. Since 2003, SQL Injection has remained in the OWASP Top ten list of application security risks that companies are wrestling with. In this article, we will explore SQL Injection Attack and ways to prevent it.
What is SQL Injection Attack?
SQL Injection (SQLi) is an injection attack where an attacker executes malicious SQL statements to control a web application’s database server, thereby accessing, modifying and deleting unauthorized data.
What can SQL Injection do?
There are a lot of things an attacker can do when exploiting an SQL injection on a vulnerable website. By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can do the following things:
- Bypass a web application’s authorization mechanisms and extract sensitive information
- Easily control application behavior that’s based on data in the database
- Inject further malicious code to be executed when users access the application
- Add, modify and delete data, corrupting the database, and making the application or unusable
- Enumerate the authentication details of a user registered on a website and use the data in attacks on other sites
How do SQL Injection attacks work?
A developer usually defines an SQL query to perform some database action necessary for his application to function. This query has one or two arguments so that only desired records are returned when the value for that argument is provided by a user.
An SQL Injection attack plays out in two stages:
Research: Attacker gives some random unexpected values for the argument, observes how the application responds, and decides an attack to attempt.
Attack: Here attacker provides carefully crafted value for the argument. The application will interpret the value part of an SQL command rather than merely data, the database then executes the SQL command as modified by the attacker.
Consider the following example in which a website user is able to get the values of ‘$user’ and ‘$password’, such as in a login form:
This particular SQL statement is passed to a function which in turn sends the string to the connected database where it is parsed, executed and returns a result.
#Define POST variables
uname = request.POST[‘username’]
passwd = request.POST[‘password’]
#SQL query vulnerable to SQLi
sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’”
#Execute the SQL statement
Now, if the input is not properly sanitized but the application, the attacker can easily insert carefully crafted value as input. For example something like:
So, what’s happening here? The highlighted part is the attacker’s input, it contains 2 special parts:
- OR ‘1’ = ‘1’ is a condition that will always be true, thereby it is accepted as a valid input by the application
- –(double hyphen) instructs the SQL parser that the rest of the line is a comment and should not be executed
Once the query executes, the SQL injection effectively removes the password verification, resulting in an authentication bypass. The application will most likely log the attacker in with the first account from the query result — the first account in a database is usually of an administrative user.
Note that this is just one way of exploiting the SQL Queries to get the necessary information in an unofficial way. SQL Injection attacks are divided into multiple types.
What are the different types of SQL Injection attacks?
Attackers can extract data from servers by leveraging SQL Injection vulnerability in various ways. SQL Injection can be classified into following major categories:
Unsanitized input is a common type of SQLi attack in which the attacker provides user input that isn’t properly sanitized for characters that should be escaped, and/or the input isn’t validated to be the type that is correct/expected.
For example, a website used to pay bills online might request the user’s account number in a web form and then send that to the database to pull up the associated account information. If the web application is building a SQL query string dynamically with the account number the user provided, it might look something like this:
While this works for users who are properly entering their account number, it leaves the door open for attackers. For example, if someone decided to provide an account number of “‘ or ‘1’ = ‘1”, that would result in a query string of:
Due to the ‘1’ = ‘1’ always evaluating to TRUE, sending this statement to the database will result in the data for all customers being returned instead of just a single customer.
Blind SQL Injection
Also referred to as Inferential SQL Injection, a Blind SQL injection attack doesn’t reveal data directly from the database being targeted. Rather, the attacker closely examines indirect clues in behavior. Details within HTTP responses, blank web pages for certain user input, and how long it takes the database to respond to certain user input are all things that can be clues depending on the goal of the attacker. They could also point to another SQLi attack avenue for the attacker to try.
This attack is bit more complex and may be used by an attacker when they cannot achieve their goal in a single, direct query-response attack. Typically, an attacker will craft SQL statements that, when presented to the database, will trigger the database system to create a connection to an external server the attacker controls. In this fashion, the attacker can harvest data or potentially control behavior of the database.
A Second Order Injection is a type of Out-of-Band Injection attack. In this case, the attacker will provide an SQL injection that will get stored and executed by a separate behavior of the database system. When the secondary system behavior occurs (it could be something like a time-based job or something triggered by other typical admin or user use of the database) and the attacker’s SQL injection is executed, that’s when the “reach out” to a system the attacker controls happens.
How can SQL Injection be prevented?
There are a lot of easy ways to avoid falling prey for SQL Injection attacks and to limit the damage they can cause. Few of them include:
- Discover SQL Injection vulnerabilities by routinely testing applications both using static testing and dynamic testing
- Avoid and repair injection vulnerabilities by using parameterized queries and Object Relational Mappers (ORMs). This types of queries specify placeholders for parameters so that the database will always treat them as data rather than part of a SQL command.
- Remediate SQL Injection vulnerabilities by using escape characters so that special characters are ignored.
- Mitigate the impact of SQL Injection vulnerabilities by enforcing least privilege on the database, this way each software component of an application can access and affect only the resources it needs.
- Use a Web Application Firewall (WAF) for web applications that access databases. This can help identify SQL injection attempts and sometimes help prevent SQL injection attempts from reaching the application as well.
SQL injection attacks are popular attack methods for cybercriminals, but by taking the proper precautions such as ensuring that data is encrypted, performing security tests and by being up to date with patches, you can take meaningful steps toward keeping your data secure.
There are a variety of ways a hacker may infiltrate an application due to web application vulnerabilities.
If this has spiked your interest and you want to know more about application security, then check out our Cybersecurity Certification Training which comes with instructor-led live training and real-life project experience. This training will help you understand cybersecurity in depth and help you achieve mastery over the subject.