What is SQL injection?
First, let’s understand what an injection attack is before we delve into the mechanics of a SQL injection attack. An injection attack is a type of cyber-attack in which the attacker supplies untrusted input to a program, and that input alters the execution of the attacked program. There are many kinds of injection attack, including Code Injection, Cross-Site Scripting (XSS), CRLF Injection, Email Header Injection, Host Header Injection, LDAP Injection, OS Command Injection, SQL Injection (SQLi), and XPath Injection. Today let’s focus on SQL injection.
SQL injection is a type of injection attack that enables malicious alteration of SQL statements. SQL is the language used to write queries against a database; popular databases that use SQL include MySQL, Oracle, Microsoft SQL Server, and PostgreSQL. SQL statements drive the database server behind a web application. When attackers find a vulnerability in how an application builds a SQL statement, they can use a SQL injection attack to bypass the application’s security measures: they can subvert the authentication and authorization of a web page or web application and retrieve the entire contents of the SQL database. With the privileges a successful SQL injection attack offers, the attacker can add, modify, and delete records in the database.
Any website that uses a SQL database can fall victim to a SQL injection attack. Through this attack, a cybercriminal may gain unauthorized access to the sensitive data behind a website, such as transaction details, personal data, customer information, intellectual property, and trade secrets. SQL injection is one of the oldest and most common types of attack on websites. High-profile organizations such as Microsoft, Sony Pictures, Yahoo, PBS, Heartland Payment Systems, and even the CIA have fallen victim to it.
How is SQL Injection Attack Executed?
First, the attacker must identify a vulnerable user input within the web page or web application. A web page or web application with a SQL injection vulnerability uses such input directly in a SQL query. The attacker can therefore craft input content, often called a malicious payload, which is the key part of the attack. Once the attacker sends this content, the malicious SQL commands it contains are executed by the database.
Types of SQLi Attack
SQLi can be categorized into three major groups: In-band SQLi, Inferential SQLi, and Out-of-band SQLi.
In-band SQLi
This is also known as classic SQLi. It is the most common of the SQLi attacks and the easiest to exploit. It occurs when the attacker can use the same communication channel both to launch the attack and to gather the results. There are two types: error-based SQLi and union-based SQLi.
Error-based SQLi is an in-band SQL injection technique that uses error messages returned by the database server to obtain information about the database structure. In some instances, attackers can use such messages alone to map the entire database. These errors are useful during the development phase of a web application.
Union-based SQLi is an in-band technique that uses the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is then returned as part of the HTTP response.
Inferential SQLi
Inferential SQLi is also referred to as blind SQL injection because the attacker cannot see the result of the attack in-band, as they can with an in-band SQLi attack. In this type of attack, no data is actually transferred through the web application. Instead, the attacker sends payloads and observes the response of the web application and the behavior of the database server, and from those observations reconstructs the database structure. There are two types of blind SQLi attack: boolean-based blind SQLi and time-based blind SQLi.
Boolean-based Blind SQLi
Boolean-based blind SQLi (also known as content-based blind SQLi) is a technique in which a SQL query is sent to the database that forces the application to return a different result depending on whether the query evaluates to TRUE or FALSE. The content of the HTTP response changes or stays the same accordingly, so the attacker can deduce whether the payload evaluated to true or false, even though no data is returned from the database. Because the attacker enumerates the database character by character, this type of attack is slow.
Time-based Blind SQLi
This is an inferential SQL injection technique that sends a SQL query to the database that forces it to wait for a specific, short time (usually a few seconds) before responding. The attacker uses the response time to infer whether the result is TRUE or FALSE. Again, no data is returned from the database. This attack is also very slow against large databases, since the attacker must enumerate the database character by character.
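From the defender’s side, both blind techniques leave a distinctive trace in web server logs: one client hammering one parameter with many slightly different values while the answers collapse to two shapes. The following detector is an added example, not part of the original article; it runs over constructed access-log lines (Common Log Format with an assumed trailing response-time field in milliseconds) and flags exactly that pattern for the boolean-based variant.

```python
import re
from collections import defaultdict

# Constructed access-log sample (Common Log Format plus a trailing response
# time in ms); it is not real traffic. Client 10.0.0.9 sends many variants of
# one parameter and the page size flips between two values as the injected
# condition is true or false, the fingerprint of boolean-based blind SQLi.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=7 HTTP/1.1" 200 512 120
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /item?id=8 HTTP/1.1" 200 603 119
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /item?id=7%27+AND+1%3D1-- HTTP/1.1" 200 512 118
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=7%27+AND+1%3D2-- HTTP/1.1" 200 88 115
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /item?id=7%27+AND+2%3D2-- HTTP/1.1" 200 512 117
10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /item?id=7%27+AND+2%3D3-- HTTP/1.1" 200 88 116
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /item?id=7%27+AND+3%3D3-- HTTP/1.1" 200 512 118
10.0.0.9 - - [10/Oct/2023:13:55:45 +0000] "GET /item?id=7%27+AND+3%3D4-- HTTP/1.1" 200 88 114
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]+" (\d{3}) (\d+) (\d+)$')

def parse_line(line):
    """Split one log line into client, path, query parameters, status, size, ms."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _method, target, status, size, ms = m.groups()
    path, _, query = target.partition("?")
    params = dict(kv.partition("=")[::2] for kv in query.split("&") if kv)
    return {"client": client, "path": path, "params": params,
            "status": int(status), "size": int(size), "ms": int(ms)}

def find_blind_probing(lines, min_values=5, max_sizes=2):
    """Flag (client, path, parameter) groups where a single client sends many
    distinct values for one parameter while the responses collapse to at most
    two distinct sizes: many guesses, binary answers."""
    groups = defaultdict(lambda: {"values": set(), "sizes": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            g = groups[(rec["client"], rec["path"], name)]
            g["values"].add(value)
            g["sizes"].add(rec["size"])
    return sorted(key for key, g in groups.items()
                  if len(g["values"]) >= min_values and len(g["sizes"]) <= max_sizes)
```

The response-time field is parsed so the same grouping can be extended to the time-based variant by looking at response times instead of sizes.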
Out-of-Band SQLi
This type of attack is rarely used, since it depends on features being enabled on the database server used by the target web application. It is used when the attacker cannot use the same channel both to launch the attack and to gather results, and it serves as an alternative to inferential time-based techniques, especially when server response times are unstable (which renders time-based attacks unreliable).
Out-of-band SQLi techniques depend on the database server’s ability to make DNS or HTTP requests to deliver data to the attacker. An example is Microsoft SQL Server’s xp_dirtree command, which can send DNS requests to a server controlled by the attacker. Likewise, Oracle Database’s UTL_HTTP package can send HTTP requests from PL/SQL and SQL to a server controlled by the attacker.
What are Some of the Consequences of SQL Injection Attacks?
This depends on the intent of the attacker. SQL is a query language designed to manage data: it can be used to access, modify, and delete data. The fundamental point is that this type of attack can give the attacker control of the web application’s SQL, and hence access to the essential data behind the target website. The attacker can then do anything they want with that data. Some of the results of a SQL injection attack include:
Retrieving credentials of other users in the database
The attacker can use the accessed data to retrieve the credentials of other users within the database. This enables the attacker to access even more confidential data from the web server and to impersonate other users, who may include an administrator with full database privileges.
Altering the data in the system
SQL allows the data within the database to be manipulated, including changing existing data or adding new data. If this is the attacker’s aim, the data in the system will be corrupted after the attack. This is especially dangerous when the website holds sensitive data. For example, in a financial application, the attacker could alter balances, void transactions, or transfer money to their own accounts. Such actions could lead to huge losses for the financial institution or to disputes between the institution and its users.
Deleting records in the database
Apart from changing data and adding new data, SQL can also delete data from the database outright. This could lead to lost records or even dropped tables. Even when the data is backed up, deleting it can affect the availability of the application until the data is restored, and the most recent data may still be lost.
Preventing SQL Injection Attack
Avoid The Direct Use of Input
The best way to mitigate SQL injection attacks is to avoid using input directly in queries altogether. Input validation and parameterized queries, including prepared statements, really help. The developer has to sanitize all input, not just web form inputs such as login forms. Potentially malicious code elements such as the single quote (‘) must not be trusted and must therefore be removed.
Disable Database Errors
The visibility of database errors on production sites should also be turned off. While these errors are useful during the development phase, in production they should be disabled or logged to a file with restricted access, since they can be used in a SQL injection attack to gain information about the web database.
Use Updated Firewall
If a SQL injection vulnerability is discovered through a scan, fixing it immediately may be difficult; for instance, the vulnerability may be in open-source code. In this scenario, a web application firewall can be used to sanitize the input temporarily while a permanent fix is sought.
Conclusion
SQL injection is a common attack on applications and web databases, and its consequences for the target system can be severe. It is therefore important to take precautions and employ the right security policy to ensure your application or web database is secured. Take action today to protect your data.