SQL Injection Guide

September 1, 2020 | 4 min read

BlueVoyant

Structured Query Language, or SQL, is used to communicate with a database. These statements control a database server behind a web application. SQL is like the blueprint of a database, and from this database information SQL statements are used to update or retrieve data. An SQL Injection (SQLi) is a type of injection attack that executes malevolent SQL statements. SQLi can be used to bypass security measures – this means they can get around authentication and authorization of a web page/application and retrieve the content in its entirety. SQL Injections can also add, modify and/or delete data in the database, wreaking havoc for anyone attacked.

How Do SQLi Attacks Work?

To perform a successful SQL injection attack, vulnerable user inputs (for instance, an unprotected interface requiring the user to directly enter a SQL query) must be found in a web page or application. The attacker creates input contact as a vital part of the attack, and these malicious SQL commands are executed in the database.

Different Types of SQL Injections

There are three categories of SQL injections. These categories classify SQLi types based on methods used and damage probabilities.

In-Band SQLi

The cyber criminal uses the same channel of communication to launch an attack and gather results. It is simple, efficient, and the most common type used.

Error-Based SQLi

The attacker performs actions that make the database produce error messages. This information gives the attacker insight on how the database is structured. The error messages return full query results and expose confidential information from the database. This method can be used to identify weaknesses in a website/application and the information can be used to restructure further malicious queries.

UNION-Based SQLi

Taking advantage of the UNION SQL operator, the attacker uses data generated by this response as leverage. The UNION SQL operator takes multiple select statements generated by the database to get a single response. This technique can be used by attackers to extract data by extending the results from the original query.

Inferential (Blind) SQLi

This is a harder, more sophisticated task. It is called a blind SQLi because data is not transferred from the database directly to the attacker, and the attacker can’t see information from the attack in-band (using the same channel of communication). These blind injections are used when generic error messages are received from the target of the attack. They also gather data based on the response time from the server in time-based attacks. By sending various queries to the database, the attacker learns by observing the response and behavior of the server. These are slower in execution but have the potential to be just as harmful.

Boolean Attacks

Inferential SQLis are different from normal SQLis in that they query the database for true or false questions and determine the answer based on the response. This attack uses the process of elimination to extract information from the database. By overwriting logic and conditions of the query, this attack can be used in permission or authentication queries to trick the database into thinking they have elevated permissions of the correct credentials.

Time-Based Attacks

The attacker sends a SQL query to the database, which causes the server to wait a few seconds before responding. Based on the time it takes the server to respond (instantly or after a waiting period), the attacker can determine if the message used was returned true or false.

Out-of-Band SQLi

This attack can only be performed when certain features are enabled on the database server used by the web application. The criminal may resort to this method if they can’t use the same channel to launch an attack and gather information, or when a server is too slow or unstable. An out-of-band attack relies on the capacity of the server to generate DNS or HTTP requests to transfer data. This is normally used as an alternative to in-band and blind attacks.

Preventing an SQL Injection Attack

Do:

  1. Educate: Everyone involved in a web build to should know the dangers of SQL Injection Attacks
  2. Use whitelists and not blacklists: Apply filters on user input allowed, rather than banned, activities, as a smart attacker will find a way to get around a blacklist
  3. Use the latest technologies: These will have the latest version of SQLi protection
  4. Scan: Employ web vulnerability scanners on every web application build
  5. Use prepared statements: Also known as parameterized queries. Using strings or links in a query leaves code vulnerable
  6. Use input validation: This is the practice of code writing that can identify illegitimate user inputs
  7. Use web application firewalls: A firewall can filter out SQLi and other threats
  8. Test for vulnerabilities: Routinely test applications using static and dynamic testing
  9. Mitigate: Reduce vulnerabilities by setting permissions on privilege and credential – have the minimum rights that the application needs

Don't:

  1. Trust all user input (internal and public): In an SQL query, as any input introduces a threat or risk of an injection
  2. Start from scratch: Most modern development technologies have mechanisms to protect against SQLis

Unauthorized access to sensitive information, such as customer information, trade secrets, personal data, intellectual property, and user lists can be devastating to a business. The reach of an SQL injection attack can be escalated to compromise the back end infrastructure or perform a denial-of-service attack. The loss of customer trust when personal information is stolen, cannot be replaced.