Most websites are designed to always be available and accessible. Because most sites are always available, attackers can continuously attack them. To this end, they have developed many techniques and exploits to compromise web applications, Application Programming Interfaces (APIs), and the data at their core. Structured Query Language (SQL) injection attacks stand out as one of the most notorious.
It’s not difficult to imagine a scenario where a malicious actor effortlessly bypasses your website’s organic defenses and gains unauthorized access to view sensitive data, corrupt crucial information, or even take complete control of your database server. This nightmare can become a reality if SQL injection vulnerabilities are present in a web application. To protect the data that your business and customers rely on, it is imperative for cybersecurity professionals and application and API developers to understand the mechanics of SQL injection, recognize its devastating impact, and implement adequate controls.
What is SQL?
SQL is a standardized programming language designed to manage, interact with, and manipulate relational databases. Database administrators, developers, and analysts widely use it to perform various operations on data stored within relational databases.
So why use SQL in the first place? Well, there are several key features of SQL that make data management more efficient:
Declarative language.
SQL allows users to specify what data they want to retrieve or manipulate without requiring them to describe the exact steps to get it. This high-level approach simplifies database interactions.
Standardization.
SQL is standardized by organizations such as the American National Standards Institute (ANSI) as well as the International Organization for Standardization (ISO), which ensures consistency and compatibility across different database systems and the applications that connect to them.
Versatility.
SQL is versatile and can be used for a wide range of operations, including data querying, insertion, updating, deletion, and database schema management.
Portability.
SQL queries can often be executed across different database systems with minimal changes, making it a very portable language.
What is an SQL Injection vulnerability?
Like most things created for legitimate and useful purposes, SQL has been turned to nefarious ends by malicious actors. SQL injection is a code injection technique that exploits a weakness in an application's software: the application or API builds its SQL queries by joining the values of input variables with the other parts of an SQL statement, such as keywords, quotation marks, or semicolons. This way of assembling a query is called "string concatenation", and it lets carefully chosen input change the meaning of the query.
Four main SQL injection types are utilized:
1. Classic SQL injection.
This technique involves direct manipulation of user input to alter the SQL query. When an individual enters their login information on a site (for example, "login=user AND password=password"), the backend database evaluates that statement and looks for a return set. If a set of values is returned, the user is allowed access and the application creates a session token for them. If no set of values is returned, the user is denied access. Malicious actors craft their input so that a value set is always returned, granting them access to the site. For example, entering "' OR 1=1;--" into the username form field will always return a value set because 1 always equals 1, and the comment marker "--" discards the rest of the original query.
2. Blind SQL injection.
When a malicious actor can’t see the results of their SQL queries directly, they infer data by analyzing the application’s behavior.
Blind SQL Injection can be further divided into two sub-categories:
- Boolean-based blind SQL injection: Malicious actors send queries that evaluate to true or false, allowing them to deduce information from the application's responses. An example of a Boolean-based blind SQL injection is where a malicious actor knows a username but not the password, so they craft a SQL statement like "admin' AND SUBSTRING(password, 1, 1) = 'a' --". This checks whether the password starts with the letter "a"; if the query returns a successful login, the condition was true, and the malicious actor knows the guessed character matches the password in that position. If the query returns an unsuccessful login, the condition was false and the guessed character does not match. The malicious actor then continues through the alphabet, one position at a time, until every character of the password has been confirmed.
- Time-based blind SQL injection: Malicious actors execute SQL queries that cause time delays, allowing them to infer information from the response time. An example of a time-based blind SQL injection would be "admin' AND IF(SUBSTRING(password, 1, 1) = 'a', SLEEP(5), 0) --". If the query takes significantly longer to respond (i.e., 5 seconds), the guessed character matches the password at that position. If the query responds within the normal time, the guessed character does not match.
3. Error-based SQL injection.
A malicious actor leverages the database's error messages to extract sensitive information. Unlike other SQL injection techniques, error-based SQL injection does not require the application to display the results of the injected query. An example of this type of injection is "SELECT * FROM users WHERE username = ' ' AND 1=2 UNION SELECT @@version --". The UNION SELECT portion of this injection attempts to retrieve the database server version. However, because of the syntax error caused by the extra single quote, the database returns an error. While this error might not directly reveal the database version, it confirms that the database is susceptible to this type of attack, and the malicious actor could further manipulate the SQL statement to reach other columns or functions that expose more database information, including table names, column names, or even sensitive data.
4. Union-based SQL injection.
Malicious actors utilize the SQL "UNION" operator to combine the results of two or more "SELECT" statements into a single result set. This allows a malicious actor to retrieve data from other database tables. An example of this type of SQL injection would be "SELECT name, description FROM products WHERE name = '' UNION SELECT username, password FROM users --';". The second part of the statement is where the injection comes in: it reads information from another table (i.e., the "users" table), and the database combines those rows with the results of the original query.
Impacts of a successful SQL Injection attack.
If a malicious actor can successfully execute a SQL Injection attack, it could have severe consequences for an organization.
Data breach.
If malicious actors gain unauthorized access to an underlying database, they can steal sensitive data such as personal information, financial records, or proprietary data. Once they have exfiltrated data, they use it for subsequent credential stuffing and account takeover attacks or sell it on the dark web for financial gain.
Data corruption.
Malicious actors could also alter or delete data within the backend database, leading to data integrity issues.
Authentication bypass.
Another potential impact is a malicious actor gaining unauthorized access to other applications by bypassing authentication mechanisms since they would be authenticated already on the backend database.
Remote code execution.
In some cases, SQL Injections could lead to the execution of arbitrary commands on the underlying server, which could compromise the entire system.
Financial loss and reputational damage.
Breaches bring direct and indirect costs, including the loss of customer trust.
How to mitigate against SQL Injections.
There are several mitigation techniques that organizations can employ to reduce the risk of being affected by a successful SQL Injection.
Web Application Firewall (WAF).
Deploying a WAF in front of web applications helps reduce the risk of SQL injection by filtering and monitoring HTTP traffic, validating and sanitizing inputs, and employing advanced detection techniques.
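As an added illustration (not code from the original article), the following Python scan shows the kind of signature-based monitoring a WAF or log pipeline applies to request query strings: it URL-decodes each log line and flags the tautology, UNION, time-delay and boolean-probe patterns described in the injection types above. The log lines, the signature list and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (method and request target only); not real traffic.
SAMPLE_LOG = """\
GET /login?user=alice&pass=s3cret
GET /login?user=%27+OR+1%3D1--&pass=x
GET /products?name=%27+UNION+SELECT+username%2C+password+FROM+users--
GET /login?user=admin%27+AND+IF%28SUBSTRING%28password%2C1%2C1%29%3D%27a%27%2CSLEEP%285%29%2C0%29--
GET /search?q=O%27Reilly
"""

# One regular expression per injection pattern from the article, applied to the decoded query string.
SIGNATURES = [
    ("classic tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time-based blind", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("boolean-based blind", re.compile(r"'\s*and\b.*\bsubstring\s*\(", re.I)),
    ("trailing SQL comment", re.compile(r"(--|/\*)\s*$")),
]


def classify_request(line):
    """Return the names of all signatures matched by one log line (empty list if clean)."""
    parts = line.split()
    if len(parts) < 2:
        return []
    query = parts[1].partition("?")[2]   # everything after '?' in the request target
    decoded = unquote_plus(query)        # decode first, or percent-encoding hides the pattern
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def scan_log(text):
    """Map each suspicious log line to the signatures it triggered."""
    findings = {}
    for line in text.splitlines():
        hits = classify_request(line)
        if hits:
            findings[line] = hits
    return findings


if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG).items():
        print(f"{', '.join(hits):<45} {line}")
```

Three of the five constructed lines are flagged; the legitimate "O'Reilly" search is not, because a lone quote is not a pattern on its own. Signature matching is a detection layer rather than a fix: case changes, alternative comment syntax and encoding tricks can slip past a short list like this, which is why parameterized queries remain the primary control.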
Parameterized queries (prepared statements).
Using parameterized queries ensures that user inputs are treated as data rather than executable code. This is one of the most effective ways to prevent SQL Injection.
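The following Python example, added here and not taken from the article, contrasts the two ways of building the login query from the "Classic SQL injection" section: string concatenation versus a parameterized query. It uses an in-memory SQLite database with constructed accounts; passwords are kept in plaintext only to keep the example short, and the injected input is the article's "' OR 1=1--" tautology.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with sample accounts (not real credentials).
    Plaintext passwords are for brevity only; real systems store and compare hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes part of the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Uses placeholders: the driver hands the values to the engine separately from the
    SQL text, so a quote or comment marker inside the input is treated as data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both login paths with a valid credential and with the tautology payload."""
    conn = make_db()
    payload = "' OR 1=1--"   # the article's classic payload; '--' comments out the password check
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "injected_vulnerable": login_vulnerable(conn, payload, "anything"),
        "valid_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "injected_parameterized": login_parameterized(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:<24} access granted: {granted}")
```

With concatenation the executed text becomes `SELECT id FROM users WHERE username = '' OR 1=1--' AND password = 'anything'`, which matches every row, so the payload is granted access. The parameterized version looks for a user literally named `' OR 1=1--`, finds none, and denies access, while the legitimate credential still works in both.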
Stored procedures.
Encapsulating SQL queries within stored procedures helps separate the data from the code, reducing the injection risk.
Input validation and sanitization.
Validating and sanitizing all user inputs ensures that only expected data is processed by the application. Use allowlists to allow only known-good inputs and reject or escape any potentially harmful characters.
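As an added example (not from the article), the Python below shows two places where an allowlist does the work: a username field restricted to an expected character set, and an ORDER BY column chosen from a fixed set of names. The second case matters because identifiers such as column names cannot be bound as query parameters, so validation is the only control there. The products table, its columns and the sample rows are constructed for this example.

```python
import re
import sqlite3

# Allowlist for a username field: only the characters the application expects.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

# Assumed sortable columns of a hypothetical products table. Identifiers cannot be
# passed as bound parameters, so they are mapped through an allowlist instead.
SORTABLE_COLUMNS = {"name", "price"}


def username_is_valid(value):
    """True only for strings that match the allowlist pattern in full."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def safe_order_by(column):
    """Return the column name only if it is on the allowlist; reject anything else."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return column


def make_products_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.5), ("widget pro", 29.0)])
    conn.commit()
    return conn


def list_products(conn, name_filter, sort_by):
    """The filter value is bound as a parameter; the ORDER BY identifier comes from the allowlist."""
    sql = "SELECT name, price FROM products WHERE name LIKE ? ORDER BY " + safe_order_by(sort_by)
    return conn.execute(sql, ("%" + name_filter + "%",)).fetchall()


def demo():
    """Show an accepted sort column, a rejected injected one, and username validation."""
    conn = make_products_db()
    results = {"valid_sort": list_products(conn, "widget", "price")}
    try:
        list_products(conn, "widget", "price; DROP TABLE products")
        results["injected_sort"] = "accepted"
    except ValueError:
        results["injected_sort"] = "rejected"
    results["username_ok"] = username_is_valid("alice_01")
    results["username_payload"] = username_is_valid("' OR 1=1--")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<18} {value}")
```

Rejecting rather than escaping is deliberate: an allowlist describes what good input looks like, so anything outside it is refused outright instead of being patched up. The LIKE wildcards `%` and `_` inside the filter value are still interpreted by the engine, but that affects which rows match, not the structure of the query.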
Least privilege principle.
Database accounts used by the application should have the minimum necessary privileges, which limits the damage a malicious actor could cause if they succeed in executing a SQL injection attack.
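To make the principle concrete, the following added Python example (not from the article) emulates a read-only database account. SQLite has no user accounts, so the example uses the connection's authorizer hook to allow only SELECT on a named table and deny every other action; on a server database the equivalent is granting the application's role only the privileges it needs. The table, rows and function names are constructed for this example.

```python
import sqlite3


def make_seeded_db():
    """Constructed sample table; the seeding happens before the restriction is applied."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.test')")
    conn.commit()
    return conn


def restrict_to_read_only(conn, allowed_tables):
    """Emulate a least-privilege account: permit SELECT and column reads on the listed
    tables, deny everything else (INSERT, UPDATE, DELETE, DROP, schema changes, ...)."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 in allowed_tables:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def lookup_email(conn, username):
    """The application's legitimate, parameterized query."""
    row = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def attempt(conn, sql):
    """Run a statement an injection might smuggle in and report whether the account allowed it."""
    try:
        conn.execute(sql)
        return "allowed"
    except sqlite3.DatabaseError:   # SQLite reports a denied action as 'not authorized'
        return "denied"


def demo():
    conn = restrict_to_read_only(make_seeded_db(), {"users"})
    return {
        "lookup": lookup_email(conn, "alice"),
        "update": attempt(conn, "UPDATE users SET email = 'x@example.test' WHERE username = 'alice'"),
        "drop": attempt(conn, "DROP TABLE users"),
        "still_intact": lookup_email(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<13} {value}")
```

The read query keeps working, while the UPDATE and DROP are refused before they execute and the data is unchanged afterwards. This does not prevent the injection itself, which is what parameterized queries are for; it caps what a successful one can do, which is exactly the role of least privilege in a layered defense.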
Regular security audits.
Conducting regular security audits and code reviews could help to identify and address vulnerabilities before they can be exploited.
Use of Object-Relational-Mapping (ORM) frameworks.
ORMs abstract database interactions and help prevent SQL Injections by using safe APIs for database operations.
Fighting against SQL Injection.
In an era of increasingly sophisticated breaches and cyberthreats, the importance of defending your web applications from SQL injection attacks cannot be overstated. Implementing adequate prevention controls, such as Web Application Firewalls (WAF), parameterized queries, stored procedures, and rigorous input validation, is the bare minimum for every web application and API.
Adhering to the principle of least privilege and conducting regular security audits further fortifies your defenses. By proactively addressing vulnerabilities and employing these best practices, organizations can protect their sensitive data, maintain customer trust, and ensure the resilience and integrity of their digital infrastructure. In the fight against SQL injection, a proactive and layered security approach is your best ally.
To learn more about how our solutions can help protect your organization against SQL injection attacks, speak to our sales team.