One Of The Most Important Web Vulnerability: SQL Injection
If you're not familiar with SQL injection, now is a good time to learn about it. In this article, we'll explain what SQL injection is, how it works, some of its techniques, and how you can protect your applications from it. We'll also take a look at some real-world examples of SQL injection attacks. So if you're interested in learning more about this dangerous vulnerability, keep reading!
What is SQL?
SQL stands for Structured Query Language which is a language that allows users to interact with and change data in a database. The official standard for SQL was created by the American National Standards Institution (ANSI). SQL statements can be used to retrieve data from a database table or perform changes to existing tables. It is commonly used in many web applications to add, delete, modify and display data.
Examples of SQL commands:
SELECT * FROM TestTable WHERE Name = 'John' AND BirthDate < CURRENT_DATE; --Returns all rows from table test table where name equals john and birthdate is less than today's date
UPDATE Students SET Enrollment_Date = Date(15, 8, 2015) WHERE StudentID = 3; -- Changes the enrollment date of student 3 to August 15th, 2015
DELETE FROM Students WHERE StudentID IN (1, 2); -- Deletes all student informations with studentID of 1 and 2.
What is SQL Injection Vulnerability?
SQL Injection is one of the most common vulnerabilities on a web application. It was included in Injection, the most common web vulnerability in the first line of OWASP 2017:Top 10. And, it still remains as one of the most common vulnerabilities in the 3rd line after four years, in OWASP Top10:2021 Vulnerabilities. This happens when an attacker injects malicious SQL query into input fields on a web page in order to execute unintended SQL commands.
A common way to gain unauthorized access to web applications is by exploiting SQL injection vulnerabilities. SQL Injection still occurs because of the mistakes that are made by the developers. An attacker, who realizes an SQL injection, can trigger much more dangerous vulnerabilities like remote code execution using SQL injection.
When websites don't properly validate user inputs before passing it along to backend databases, hackers can supply malicious code via input fields for interaction with other users' sensitive information, such as login credentials. This allows attackers who successfully carry out SQL injections to gain full control over poorly protected databases and their data including credit card information, usernames and passwords, etc.
Attackers primarily take advantage of SQL injections to alter existing SQL queries that are executed by a web application against a database server in order to either extract or modify sensitive SQL data. This is done through the SQL-client/SQL-server software by sending crafted SQL statements via malicious client requests to the SQL-server instance. Attackers can do this by injecting SQL injection code into input fields. When the SQL statements are passed from the client side app through these entry fields and sent back to backend databases for parsing, any injected SQL commands will be parsed together with these legitimate ones, resulting in non-intended behavior of the backend dbms.
Generally, SQL injection attacks can be used to gain unauthorized access to SQL databases, execute SQL statements on behalf of the authenticated users or even delete records in SQL databases.
Types of SQL Injection Vulnerability
There are several subcategories of SQL injection according to their triggering techniques that attackers use to exploit SQL vulnerabilities in applications and websites including boolean-based blind SQL injection, time-based blind SQL injection, error-based SQL injection and union based SQL injection,etc.
- Error-based SQL injections cause errors while running payload and database queries that are sent to the targeted systems. These errors are shown in the headers or body sections of the returned responses. This technique is based upon web applications' incorrect handling of invalid user input before it's passed to backend databases. When an application fails to check or sanitize certain types of SQL injection attacks through the affected SQL queries, attackers use error messages that return from web applications to inject their own malicious SQL commands into the original query.
- Boolean-based SQL injections inject different SQL queries depending on whether a condition is true or false. Attackers get the sensitive data according to whether the response is true or false.
- Time-based blind SQL injections exploit differences in web apps' response time when the request changes. The idea behind this technique is that if you change your request to the SQL database, you might see different SQL response times that expose SQL vulnerabilities.
- Union-based SQL injections allows attackers to run malicious SQL query along with the original query from the application. This technique is called union-based because when an SQL injection is exploited with this technique, application would run both the real SQL query and the SQL query sent by the attacker combined (like select col1, col2 from table union select col1, col2 from other_table).
Protect Yourself from SQL Injection Vulnerability
To avoid SQL injections, you should check your systems regularly. To do it, you can scan your applications using our most common SQL Injection Vulnerability Scanner for free:
SQL Injection might occur in various applications and we cover most of them in our set of SQL Injection Scanning Tools. You can scan for vulnerabilities according to your application using the appropriate one for your application in specific. Please let us know if you think we don’t have the one you’re looking for so we can offer that for you, too!
According to scan’s output, if any vulnerability is found, you should use parameterized queries (prepared statements) for all interactive communication with SQL databases. Connection strings provided via configuration files or other means must only accept valid input parameters that are included in the list of expected values; all other input is rejected as malformed(white-listing). In addition, while making a database connection, the principle of least privileges should be applied. The connection shouldn’t be provided by giving unlimited access to the unnecessary places.
So, if you're not sure what SQL injection is or how it works, now's the time to find out. Even though OWASP has been reporting on this vulnerability for quite some time and many people are aware of its dangers, there are still plenty who have never heard about it before. If your web application needs protection from SQL injections, request a pentest from our cybersecurity experts today!