What is SQL Injection (SQLi)? How do you Prevent SQLi Attacks?
Everyone knows of the abundance of risks to running a website today. It seems that every day a new security exploit is created.
Starting from DDoS attacks, to “Man in the Middle” to Phishing and the list goes on and on, however, the number one threat today still remains the same, and it’s called SQLi.
What is SQL Injection (SQLi)?
SQL (Structured Query Language) is a standard database language for creating, maintaining, and retrieving data stored in a relational database. Some of the most popular relational databases include big names like MySQL, Microsoft SQL Server, Oracle Database, IBM Informix, and PostgreSQL among others.
SQL Injection (SQLi) is a code injection technique used by hackers and other malicious users to gain unauthorized access to web databases. It is usually used to gain access to SQL-based databases such as MySQL, Oracle, etc.
It is also a method that can be used to place and execute unauthorized SQL via input forms. It can be further used to extract, modify, or delete records from a database held at the backend of an application or website. Also, SQLi can be used to bypass security measures too, unfortunately.
Since SQL-based databases are most often used to build apps and sites, this attack is possible on most applications and websites. That’s the reason SQL Injection is listed at first rank under “OWASP Top 10” list — The Ten Most Critical Web Application Security Risks per Open Web Application Security Project.
That’s not all, SQL Injection (SQLi) is one of the most critical attacks yet it’s very common to find SQLi bugs in popular apps from trusted providers. For example, it was recently found in WP Google Maps (a plugin used in 400,000 websites), in Oracle E-Business Suite (EBS), and in two popular tools of IBM BigFix.
The question then arises: how to prevent it all together in your application? This post discusses this question along with many more questions related to SQL Injection (SQLi). But first, let’s dive into the details of SQL Injection (SQLi).
An Example of SQL Injection
SQL Injection mostly occurs when a web app or site asks users for an input (say username) and a user — a malicious one — provides an SQL statement in place of the given input. Then, it unknowingly runs the given code (statement) on your database, leading to a devastating accident — a hack or data leak.
For instance, here is an example code, which a website uses to authenticate a user with his credentials. Let’s assume that the website’s database consists of a table named “users”, which have columns named “uname” and “upass”.
<?php /* Below code authenticates a user */ $u_name = $_POST['username']; $u_pass = $_POST['password']; $sql_query = "SELECT * FROM users WHERE uname='".$u_name."' AND upass='".$u_pass"';"; ?>
Of course, this looks like a normal script. However, it supports SQLi since it contains a loophole that allows anyone to authenticate without a password. For example, one can enter “' or 'a'='a'” as the password to trick it. By doing so, the query run by the database server will change it to the following:
<?php $sql_query = "SELECT * FROM users WHERE uname='".$u_name."' AND upass='' or 'a'='a';"; ?>
Since “'a'='a'” is always true, the above-given code will eventually revert all rows from the “users” table. That’s not all that’s possible; this trick can also be used by a hacker to access all data in the database. Also, hackers can even gain admin or root privileges, making it one of the most dangerous vulnerabilities.
Types of SQL Injections (SQLi)
SQL Injection attacks are carried out in multiple ways. An attacker may discover a system’s behavior and then choose a specific attack method to penetrate into your system. You must understand them to prevent SQLi attacks.
Classic SQL Injection
Classic SQLi, also known as In-Band SQLi, is the most common and usable bug among SQL Injections. When the attacker uses the same channel for doing both — attacking and getting his desired results - it’s further categorized as:
- Error-based SQLi - In this technique, a hacker relies on error messages provided by the database to gain information and understand the system. It may or may not be single-handedly enough for a full attack.
- Union-based SQLi - In this method, an attacker takes advantage of the UNION SQL operator to combine multiple statements. Then, it provides a single result, which can provide crucial data about the system.
Blind SQL Injection
Blind SQLi, which is also known as Inferential SQLi, is a technique where the attacker doesn’t see the outcome of his attacks since no data is displayed by the database. Alternatively, the attacker tries to rebuild the database structure by sending payloads and observing the application’s and database’s responses.
Blind SQL Injection is also sub-categorized as the following methods:
- Boolean-based Blind SQLi - In this method, the hacker sends different queries and forces the application to display different results based on the result of the SQL statement being either TRUE or FALSE.
- Time-based Blind SQLi - In this technique, the hacker relies on sending queries that make the database wait for some specific amount of time, which is used to infer whether the result is TRUE or FALSE.
When the attacker can’t perform a query-and-response attack, he opts for Out-of-Band SQLi. This method mostly depends on the activated features of the underlying database. Furthermore, it involves the hacker trying to create an external connection, say a DNS or HTTP request, to his own server.
Impacts of SQL Injection (SQLi)
While exploiting the SQLi bug on a vulnerable website, the impact depends on the rights of the malicious user and the security measures of the particular app or website. Also, there are various things an attacker can do after exploiting such a bug to gain unauthorized access into your system. For example:
- Add, edit, or delete data: A person with access can read or do almost anything with the information present on a database.
- Destabilize the app logic: A hacker can divert the app logic to help his motives — say, login as an admin without the password.
- Retrieve hidden data: An attacker can form a code or logic based on the original script to read hidden data from a database.
- Examine the database: The SQLi bug allows a person to know about the database or system, helping him to plan bigger threats.
These are just some of the possible attacks. The actual impact depends on the capabilities and the knowledge of the hacker. If an attacker is capable, SQL Injection (SQLi) can even lead him to control the whole web server. Since the impact can be daunting, the question arises: how do you prevent SQLi?
SQLi Prevention Techniques
SQLi can be very dangerous for any type of web-based application that relies on a SQL-based database for its operations. That’s why you must opt for preventive measures to minimize the risk of being attacked using SQL Injection.
For example, you can follow the below prevention techniques to protect your application or website against the majority of SQLi attacks:
- Routine patching and testing: You must update your database and web server regularly to patch the latest vulnerabilities. Then, you must do routine testing for discovering new bugs and patching them.
- SQL Prepared Statements: A prepared statement is the database systems’ answer to SQLi. Using a prepared statement, you can specify placeholders for to-be-inserted parameters. Then, you can feed it with data, which it assembles and sanitizes before executing within the statement.
- Principle of Least Privileges: POLP is a security design with the objective of providing the least data, resources, or system privileges for any user to work legitimately. If an attacker gets access to a user account, he will get the bare minimum access and rights to do any major damage.
- Web Application Firewall (WAF): WAF is a firewall for web applications that monitors and sanitizes the incoming traffic. This firewall can identify and restrict attacks using SQLi before it reaches the database.
SQL Injection (SQLi) is one of the most common cyber-attacks, so you must apply preventive measures to avoid an attack on your systems. However, the list of protective measures or techniques is long, thus it’s hard to implement them all in-house, especially if the in-house team lacks necessary security skills or strength. So, what’s the solution?
You can opt for a security solution that packs in numerous tools for providing 360-degree protection to your applications or databases. For example, Imperva’s FlexProtect Plans offers a multitude of features and security tools for protecting both – applications and data.
About the Author:
Cliff is a veteran cybersecurity researcher and analyst with over a decade of experience in the field. He has helped both enterprises and SMBs bolster their security and is currently acting as a consultant for leading organizations.
| sponsored post |