Even as hacking techniques become more advanced and new attack vectors become available for malicious actors, some old methods are still as effective as ever.
SQL injection is one such technique that has been used by cybercriminals for decades. So much so that SQL injections regularly feature in the Open Web Application Security Project (OWASP) Top 10 web vulnerabilities. In fact, around 1162 cybersecurity vulnerabilities with the type “SQL injections” have been accepted as a CVE (Common Vulnerabilities and Exposures), a system for documenting publicly known information-security vulnerabilities.
What Is SQL Injection?
SQL injection is a common technique used in cyber attacks in which an attacker submits malicious SQL through an application's input to access data in a database that would otherwise be restricted.
SQL (Structured Query Language) is the language used to access and manipulate relational databases through commands known as SQL queries. SQL injection attacks involve inserting an SQL command or query fragment through a user-input channel such as a web form on a webpage, so that the input becomes part of the query the application sends to the database.
An SQL Injection vulnerability can affect applications that rely on SQL databases such as MySQL, Oracle, SQL Server, or others. Through SQL injection, attackers are able to bypass application security measures and circumvent authentication processes to gain unauthorized access to databases.
For example, they could access confidential company documents, user and customer data, and other sensitive information without permission. Hackers may also be able to modify or delete the data, carry out administrative operations on the database, and shut down the database management system. They may even execute commands on the underlying SQL server or the operating system itself, causing serious damage to a business.
How Does a SQL Injection Attack Work?
SQL injection attacks work by injecting SQL commands into user input fields to execute specific commands on the database. Based on the response to these database queries, an attacker is able to understand the database architecture and access restricted information from within an application.
For example, a hacker may perform SQL injection to retrieve data from an application using a condition that is always true, such as “1=1”. Because the condition is always satisfied, the query returns every row of the table rather than the subset the application intended to show.
Attackers may also use batched (stacked) SQL injection, in which a set of SQL statements separated by semicolons is submitted, such as “105; DROP TABLE Supplier”. Here the statement after the semicolon deletes the Supplier table from the application database.
SQL Injection Attack Risks – How Dangerous Are They?
The danger of SQL injection attacks lies in the ability of hackers to access unauthorized data. When that data includes passwords, credit card details, or personally identifiable information of users or customers, attackers can inflict serious financial and reputational damage on a business. SQL injection attacks can also give attackers long-term access to an organization's systems without being noticed.
There have been numerous high-profile data breaches in the past that used SQL injection. For example, the GhostShell attack by an APT group in 2013 used SQL injection to steal and publish 36,000 personal records of students and staff at 53 universities. In the same year, the RedHack collective used SQL injection to breach a Turkish government web page and erase debts owed to government agencies.
Types of SQL Injection Attacks
Based on the methods used to access the databases, the types of SQL injection attacks can be classified into a few categories.
In-band SQLi (Classic)
This is the most common type of SQLi attack, in which the attacker uses the same channel of communication for launching the attack and retrieving the results. It can be Error-based, where database error messages reveal information about the structure of the database, or Union-based, where multiple SELECT statements are fused so that a single HTTP response contains data the attacker can leverage.
Inferential SQLi (Blind)
In these types of SQLi attacks, the attacker observes how the server behaves in response to the payloads sent in order to learn more about the database's structure, since no data is returned directly. Blind SQL injections can be Boolean-based, which prompt the application to return a result that varies depending on whether the injected condition is true or false, or Time-based, in which an SQL command makes the database delay its response. From the length of that delay, the attacker can tell whether a condition is true or false.
Out-of-band SQLi
Out-of-band SQLi is used by attackers as an alternative to the other two methods, when the same channel can't be used both to attack and to retrieve information, or when the SQL server is too slow for inference. This type of attack depends on specific features being enabled on the database server used by the application.
SQL Injection Examples
There are a number of ways in which hackers can exploit SQL injection vulnerabilities. Depending on what the attacker is looking for and the type of information that may be available in a database, SQL injection examples generally fall into the following types:
- To retrieve hidden data: Attacks where SQL queries are modified to display hidden results such as unreleased products in a shopping website.
- To subvert application logic: This involves interfering with an application's logic by modifying a query string. For example, logging in as a user without entering a password by commenting out the part of the query which checks that the password is correct.
- To examine the database: Attacks where information about the database is retrieved including the structure and version as well as the tables themselves.
- UNION-based SQL injection to retrieve additional tables: These are attacks where an attacker appends to the results of an original, legitimate query an additional query using the UNION SELECT keyword, retrieving data from other tables within the SQL database that may be sensitive.
How CDNetworks Protects You From SQL Attacks
In most cases, SQL injection attacks can be prevented by using parameterized queries or prepared statements in the SQL code. These involve rewriting the code in a way that prevents the user input from interfering with the query structure.
One of the ways to protect your business against SQL injection attacks is through the use of a web application firewall (WAF). A WAF monitors the traffic which flows in and out of an app and blocks malicious traffic based on a set of customizable web security rules. Vulnerability scanning tools can also go a long way in detecting weaknesses in your application and SQL database that can be exploited by attackers for successful SQL injection.
CDNetworks provides businesses with Application Shield, a cloud-based solution that integrates Web Application Firewall (WAF) among other security features. It comes with over 1000 built-in WAF protection rules of which 200 are specific to SQL injection attacks, allowing you to tighten your defense against these types of threats. At the same time, new WAF rules are also being added to deal with the evolution of SQL attacks and to be ready to thwart new techniques in the future.