What Is SQL Injection (SQLi)

Read it in 6 Mins

Last updated on
05th May, 2021
Published
04th May, 2021
Views
7,413
What Is SQL Injection (SQLi)

In today’s world cyber-attacks are triggered to alter or steal the information of a person or an organization in a huge volume of data. It is very much important to protect the data/database from security related attacks.

SQL Injection

SQL injection is one of the top trending cyber attack techniques recognized by the world’s top non-profit security foundation OWASP (Open Web Application Security Project). SQL injection attacks are made by inserting or injecting the SQL query input from the client end of the application. In this article, we will learn about the SQL injection, types of attacks using SQL injection and preventive steps.  

What is SQL Injection? 

SQL injection attack is used to insert malicious SQL statements into an entry field for execution. This injection technique is the most common web application hacking attack that allows an attacker to get unauthorised access, commit identity spoofing, tamper, take control or destroy your database. This is an attack that is very simple and easy to carry out even for script kiddies.  

Vulnerabilities by Type

As we can see in the above picture, this is the second most common vulnerability that can impact databases. SQL injection flaws occur because of poorly designed web applications that can exploit SQL statements that execute malicious code.  

How SQL injection is used is very much dependent on the intention of the hacker. With unauthorized access to a database server, what can attackers do? Here are some examples: 

  • Download unauthorized data of a person or an organization 
  • Delete/modify data 
  • Permanently destroy data/backups 
  • Add virus to a system 
  • Alter security 
  • Encrypt/steal/alter data and hold it for ransom 
  • Publicly shame an organization via a web or social media hack 
  • Use data to harm business operations 

How does SQL injection work? 

To understand SQL injection, you need to know what SQL is.   

SQL – SQL stands for Structured Query Language. This language is mainly developed for interacting with the relational database. For data manipulation, Query is used to insert data, modify the database, or just to access the required data.

SQL injection work

Image Source

SQL Injection is one of the most vulnerable threats which may exploit the entire database of any private organization or government sector where code is injected in a web page.  

An SQL statement will be altered in a manner which goes with ALWAYS TRUE as constraint. (In simple words 1=1  This will be always true) It allows an attacker to view unauthorized data. This might include data belonging to other users, or any other data that the application itself is able to access. An attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

SQL injection Types

There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

  • Tautologies – Used to Bypass Authentication

Select * from USERTable where uid=‘xyz’ and pwd =’x’ or ‘5’=’5’;

  • Union – Used to Extract Data. A different dataset is returned from the Database. 
  •  Illegal/Logically Incorrect Queries - Used to Identify injectable parameters. 
  •  Piggybacked Queries - Multiple queries are executed without the knowledge of the user 

which may lead to Database exploitation. Injected queries are added to the normal executable query. 

  • Inference - Different responses from the database are cross checked by changing its behavior. 
  •  Stored procedure - Injection is done to the stored procedure present in the Database.

Common Causes and how to avoid SQL Injection Attack-

  • If we are assuming our application’s code/web forms are well protected against any kind of attack by default, application changes and assumptions that were true in the past or present may not be true in the future and may require additional changes. These assumptions eventually lead to compliance and security auditing failures. 
  • Using unsupported or legacy software/code/tools or features may lead to security holes and there could be chances of delay in catching or fixing such issues. Running patched and upgraded versions of code is critical to avoid security exploits. Continuously monitoring for new security vulnerabilities and reacting as needed is an important step towards avoiding unnecessary surprises. 
  • Reviewing old code is very important, and timely changes in the code are highly recommended as technologies keeps changing. The versions, functions, and extensions require regular upgrades. Older versions or codes are quite vulnerable and might be unable to maintain the integrity of your application. 

How to detect SQL injection vulnerabilities

As a pentester, you can use two techniques to find SQL injection vulnerabilities with high efficiency - manual and automated testing.

Manual Testing 

During application development there are set of tests performed on each level, that help to detect any SQL injection vulnerability, if it exists. 

  • Check with the single ' character ‘ and look for errors or other anomalies.
  •  The tester can add some SQL specific syntax into code that can evaluate the original value of the entry point and other values, and check for different responses by the application.
  •  Another method is to create a Boolean condition, for example “OR 1=1” and “OR 1=2”, and check again to see if the application response is different. 
  •  There are some payloads available that are designed to trigger time delays if executed in SQL query, and you can check if there is any delay in response. 

Automated Testing

There are many good tools and frameworks available in the market. Here is the list of some of the best tools for SQL injection detection. 

  1. SQLMap 
  2. Appsider by Rapid7 
  3. Accunetix 
  4. Wapiti 
  5. Netsparker etc.

How to prevent SQL injection vulnerability? 

To prevent or avoid SQL injection vulnerability, we must first understand why it occurs, and why it is listed as one of the vulnerabilities in the OWASP top 10.  

  • The SQL injection is so easy to perform, that even a script kiddie can make an attempt. 
  •  Another reason is the treasure of critical data that lures the attacker to use SQL injection.  

Below is the vulnerable code for SQL injection where the user input is concatenated directly into the query: 

  • String query = “;SELECT * FROM products WHERE category = ‘";+ input + "’" 
  • Statement statement = connection.createStatement(); 
  • ResultSet resultSet = statement.executeQuery(query); 

Check out the code below that helps to prevents the user input from interfering with the query structure: 

PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?"); 
statement.setString(1, input); 
ResultSet resultSet = statement.executeQuery(); 

Primary recommendations: 

  1. Use Parameterised queries  
  2. Least Privilege 
  3. Use stored procedures if required 
  4. White listing the input fields 
  5. Avoid displaying detailed error messages that are useful to an attacker. 

It is also important to get patch updates regularly, as every day there are many new vulnerabilities that are found.  

It is also recommended to use a Web Application Firewall to protect your application, which can help you to filter and find malicious data.  

Where Do We Go Next? 

It is very important to identify and mitigate this notorious vulnerability and take immediate actions to keep your systems secureMany skilled attackers are waiting to take advantage of your mistakeslike poor code, so that they can hack into the database. We know this vulnerability is very old but we have to be aware of the outcomes of this type of vulnerability and try to prevent this during the development phaserather than covering up the liability later.  

Profile

KnowledgeHut

Author
KnowledgeHut is an outcome-focused global ed-tech company. We help organizations and professionals unlock excellence through skills development. We offer training solutions under the people and process, data science, full-stack development, cybersecurity, future technologies and digital transformation verticals.