
SQL Injection - What is it and How to Prevent Attacks?

Threat Intelligence • Jun 29, 2022

Databases are everywhere - from banking systems to grocery stores, healthcare and social media websites, they are at the heart of every program you use today. Given that they are such essential components of modern business, they are also attractive targets for hackers. A common issue faced by websites and web applications that use these databases is SQL injection, or SQLi, attacks.


In this blog, we’re breaking down SQLi attacks - what they are, how they work, and how you can prevent them. Keep reading to learn more.

SQL Injections - What are They and How do They Work?

The most widely used programming language for handling relational Database Management Systems (DBMS) is Structured Query Language, or SQL. It is used to store, manipulate, and extract data from databases. 


An SQL injection is a type of vulnerability that lets hackers tamper with the database queries made by an application, allowing them to read, modify or delete the existing data. Attackers leverage these vulnerabilities to trick the application or website into running SQL of their choosing. They can then extract data that is normally inaccessible to them - such as data that belongs to other users, or any other data that the application's database account can access.


The consequences of a successful SQLi attack include:

 

  • Deletion, loss, or theft of confidential data
  • Defacement of websites
  • Unauthorized access to systems or accounts
  • Compromised machines and networks


Take this SQL statement for example, where the two quoted values are filled in from the login form:

SELECT * FROM Users
WHERE userid = '<userid input>'
AND password = '<password input>';


This query depends on user inputs for its return value. Now, an attacker with the userid 'emma' could enter the password as

name' OR 'a'='a

so that the WHERE clause the database actually sees is userid = 'emma' AND password = 'name' OR 'a'='a'. The condition 'a'='a' is always evaluated as true, so the whole WHERE clause is true for every row and the query behaves exactly like:

SELECT * FROM Users;


The attacker can now easily bypass the authentication requirements in the code and access all the entries in Users. 


[Code sample source: OWASP]

What are the Types of SQL Injection Attacks?

SQLi attacks can be of three types - In-band, Inferential, and Out of Band.

In-band SQLi

In this type of SQL injection attack, the attacker uses the same communication channel to launch the attack and gather data. It is the most popular mode of attack. In-band SQL attacks can be error-based or union-based. 


Error-based SQLi attacks use the error messages displayed by the database server to get information about the database. Union-based SQLi attacks merge the results of two or more SELECT statements using the UNION operator in SQL. The result is returned as a part of the HTTPS response. 


Consider the following query, whose WHERE clause is built from user input:

SELECT country, city FROM location;

An attacker can append the following to it as a union injection:

UNION SELECT username, password FROM users;

The combined statement, SELECT country, city FROM location UNION SELECT username, password FROM users;, returns the rows of the location and users tables as one result set (the two SELECTs must return the same number of columns), so the attacker can read every username and password in the application's normal response.

Inferential SQLi

Also known as Blind SQL injection, inferential attacks are another dangerous type of SQLi attack. The attacker does not see the result of the injected query directly, and no data from it is transferred through the application's response; instead, the attacker infers information from how the application behaves. Blind SQLi attacks can be boolean-based or time-based.


Boolean-based injections make the application return a different page depending on whether the injected condition evaluates to TRUE or FALSE. If the content returned for the true condition differs from the content returned for the false condition, the attacker can conclude that the SQL injection is effective and use that difference to extract data one answer at a time.


In a time-based attack, the attacker injects an SQL command that makes the database pause for a set period when a condition is true. The response time of the query then shows whether the condition evaluated to true or false.

Out of Band SQLi

Out-of-band SQL Injection occurs when the outcome of the attacker's actions is received through a different channel. In such cases, the application’s response may not depend on the data returned by the query, database errors or the time taken for response. The attacker can initiate network interactions that are out-of-band for the application. This technique depends on the database server's ability to send DNS or HTTP requests to transfer information to an attacker. Out-of-band SQLi is the least common mode of SQL injection attacks.

How Can You Prevent SQLi Attacks?

Listed below are some steps you can take to minimize the risk of SQL injection attacks on your website or web application:


Input Validation and Data Sanitization

Input validation is the process of checking user input against the format the application or website expects before it is used. You can use typed parameters, regular expressions, or business logic to validate the inputs. Input validation can either be whitelist validation (positive validation, accepting only known-good input) or blacklist validation (negative validation, rejecting known-bad input); whitelist validation is the stronger of the two. This process keeps unexpected characters and statements out of the query in the first place.

Prepared Statements and Parameterized Statements

Dynamic SQL, where user input is concatenated into the query string, can leave your application/website vulnerable to SQL injection attacks.

All database queries must be written using prepared statements with parameterized queries. The statement is sent to the database with placeholders, and the user-supplied values are passed separately, so the database always treats them as data and never as part of the SQL code.
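As an added example (not code from the original post or from OWASP), here is the login query from the example above written in Python with sqlite3, first built by string concatenation and then as a prepared statement; the in-memory table, its rows and the function names are constructed for this illustration:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (userid TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("emma", "s3cret"), ("liam", "hunter2")])
    return conn


def login_dynamic(conn, userid, password):
    """Vulnerable: the input is spliced into the SQL text, so quote
    characters in the input become part of the statement."""
    sql = ("SELECT * FROM Users WHERE userid = '" + userid +
           "' AND password = '" + password + "';")
    return conn.execute(sql).fetchall()


def login_prepared(conn, userid, password):
    """Hardened: placeholders in the statement, values passed separately.
    The driver never parses the values as SQL, so the tautology in the
    password is just a string that matches no row."""
    sql = "SELECT * FROM Users WHERE userid = ? AND password = ?;"
    return conn.execute(sql, (userid, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "name' OR 'a'='a"  # the password input from the page's example
    print(login_dynamic(db, "emma", payload))   # every row comes back
    print(login_prepared(db, "emma", payload))  # no row matches
```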

Don't Allow Extended URLs

Sometimes attackers leverage long URLs to insert SQL commands. Exploiting these long URLs can also lead to other attacks such as buffer overflows. In order to avoid this, set an appropriate length limit for your URLs.

Least Privilege

To reduce the potential impact of a successful SQL injection attack, reduce the privileges assigned to each database account in your environment. For instance, if an account only requires access to a subset of a table, consider setting up a view that exposes only that subset of the data and granting the account access to the view rather than the entire table. And don't grant accounts the right to create, drop or delete unless absolutely necessary. Establishing appropriate privilege controls limits what an attacker can reach through a compromised account.

Conduct Regular Penetration Tests

Regular penetration testing of your databases can expose threats such as XSS, injections, insecure passwords, and unpatched vulnerabilities. It can also determine how good your defenses are against different types of attacks including SQL injections. Additionally, regularly auditing your database for suspicious activity can provide better protection.

Continuously Monitor SQL Statements

For applications that are connected to databases, it is critical to monitor all SQL statements. With that visibility it is much easier to spot unauthorized SQL statements, and the injection patterns described above, as they occur.
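As an added example of what such monitoring can flag (constructed for this post, not a tool the original page describes), the following Python scans a statement log for the union, tautology and time-delay patterns discussed above; the signature set, the log format and the sample lines are all constructed here and are heuristic, so they are for triage rather than a substitute for prepared statements:

```python
import re

# Heuristic signatures for the injection families the post describes.
# These patterns are constructed for this example, not taken from the post.
SIGNATURES = {
    "union-based": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    # a quoted or numeric literal compared with itself, e.g. 'a'='a' or 1=1
    "tautology": re.compile(r"'([^']*)'\s*=\s*'\1'|\b(\d+)\s*=\s*\2\b"),
    "time-based": re.compile(
        r"\b(?:SLEEP|PG_SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
}


def classify_statement(sql):
    """Return the set of signature names that match one SQL statement."""
    return {name for name, rx in SIGNATURES.items() if rx.search(sql)}


# Constructed sample statement log, one "<timestamp> <app> <sql>" per line.
SAMPLE_LOG = """\
2022-06-29T10:00:01Z app1 SELECT country, city FROM location WHERE country = 'NZ'
2022-06-29T10:00:02Z app1 SELECT country, city FROM location WHERE country = 'x' UNION SELECT username, password FROM users
2022-06-29T10:00:03Z app1 SELECT * FROM Users WHERE userid = 'emma' AND password = 'name' OR 'a'='a'
2022-06-29T10:00:04Z app1 SELECT * FROM Users WHERE userid = 'emma' AND password = 'x' AND SLEEP(5)
2022-06-29T10:00:05Z app1 UPDATE location SET visits = visits + 1 WHERE city = 'Auckland'
"""


def scan_log(text):
    """Return [(timestamp, sorted families)] for every statement that matches."""
    hits = []
    for line in text.splitlines():
        timestamp, _app, sql = line.split(" ", 2)
        families = classify_statement(sql)
        if families:
            hits.append((timestamp, sorted(families)))
    return hits


if __name__ == "__main__":
    for timestamp, families in scan_log(SAMPLE_LOG):
        print(timestamp, ", ".join(families))
```

Benign statements such as the UPDATE on the last line produce no hit, because the tautology signature only fires on a literal compared with itself.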

Don't Include Too Many Details in Error Messages

Attackers can take advantage of detailed error messages to learn about the database's structure (table and column names, the database engine in use). Using the "RemoteOnly" custom errors mode or its equivalent in your framework ensures that detailed error messages are only displayed to requests from the local system, while remote users see a generic error page that discloses nothing useful to attackers.

Conclusion

SQLi is the most common attack vector today, accounting for more than half of all web application attacks. And because most websites rely on data stored in a database server, a malicious SQL injection attack can be detrimental for your business and customers. Test your IT infrastructure for vulnerabilities including SQLi with Evolve’s Automated Penetration Testing services. Our specialists use years of experience with deep expertise and cutting-edge tools to find security flaws faster than ever before and effectively reduce your risk of being exploited.  Schedule a session with our team to evaluate your SQL security posture right away.
