WHAT ARE SQL INJECTION ATTACKS?
According to PortSwigger's Web Security Academy tutorial "SQL Injection", an SQL injection attack is a "web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database".
An adversary exploits such a vulnerability to make the website or application run queries of the attacker's choosing, and so gains access to the target's database of valuable information. SQL injection therefore poses a serious problem for organizations and users. In this post, we will cover how SQL injection attacks occur, along with some examples of these exploits and how to prevent them.
CONSEQUENCES OF SQL INJECTION ATTACKS
There are numerous malicious things an adversary can do with sensitive information obtained through an SQL injection attack, and the consequences for organizations and users can be severe. An adversary can steal the sensitive information in an application's database and use it for their own ends: credit card numbers, passwords, online credentials, account numbers and the like let a criminal pass themselves off as the victim (identity theft). An adversary can also sell the "digital lives" of users on the dark web, handing the collected information to other criminals who carry out further malicious actions with it.
Besides stealing, using or selling the information, an adversary can modify the records in a database. Altered data misleads the authorized database managers into making wrong decisions on wrong information, and it can have physical consequences for users. For example: an individual who booked a flight to Fiji online, with the booking saved in the airline's web database, finds they cannot board because a cybercriminal changed the flight details. An adversary can also delete important data, or use the injected query to cause a denial of service (for example by dropping tables or issuing resource-intensive statements), so that authorized personnel can no longer access the database.
As demonstrated, there is much for cybercriminals to gain from SQL injection attacks. Such attacks can ruin the reputations of organizations and users if sensitive information is leaked to the public, and ruin financial and personal livelihoods if sensitive information is damaged, stolen or sold.
DATABASE LINGO & OPERATIONS
To truly understand how SQL injection attacks happen, it is vital to understand the key terms of databases and database operations. Most websites and other online services have an underlying database that holds the valuable information saved by users. One of the most widely used database management systems is MySQL, which manages relational databases.
A relational database stores data in tables of rows and columns and records the relationships between those tables through shared key values. An example of related data is one product belonging to a category that is itself part of another category, as in Macy's online store: a Tommy Hilfiger coat is filed under the category "Coats", "Coats" is filed under the main category "Women's fashion", and that in turn is a category under "Shop By Department".
SQL stands for "Structured Query Language", and it is the language used to access the databases behind web and other applications. Writing SQL allows an operator to retrieve data from the database, update (modify) data within it, and delete data. According to mysqltutorial.org, there are three essential parts of SQL:
Information obtained from mysqltutorial.org
The following is an example of an SQL statement. Imagine a table called People; to retrieve every row in which the first name 'Hannah' appears, we would write this SELECT statement:
SELECT * FROM People WHERE First_Name = 'Hannah';
The SELECT statement retrieves records from the database according to the conditions given in the statement. The asterisk (*) selects all columns of the table. The FROM clause names the table or tables to be queried, and the WHERE clause restricts the result to the rows in which the named column (First_Name) holds the given value ('Hannah'). The semicolon (;) terminates the statement, separating it from any statement that follows it. The query returns every column of every row in People whose first name is "Hannah".
HOW SQL INJECTION ATTACKS HAPPEN
There are many ways for an attacker to launch an SQL injection attack. According to portswigger.net, the different types of SQL injection attacks include the following:
1. Retrieving data that is hidden
In a "retrieving hidden data" attack, the attacker alters a parameter in a website's URL in order to see rows that they are not authorized to see. For example, imagine the given URL:
This is a fictional URL showing that, if a user followed the link, they would see the advisory board of the U.S. Department of Defense as posted on the DOD's main website. To build that page, the application runs an SQL query to retrieve the advisory team of usdepartmentofdefense.com:
SELECT * FROM team WHERE category = 'Advisors' AND released = 1
The clause released = 1 restricts the result so that visitors see only the advisors whose names have been released for publication. The DOD would plausibly put such a restriction in place because it would not want the identities of certain personnel made known to the public (for numerous reasons of government secrecy).
To attack this, the adversary edits the URL so that the category value ends with '--: the single quote closes the string in the query, and -- begins an SQL comment that discards everything after it:
The SQL query then becomes:
SELECT * FROM team WHERE category = 'Advisors'--' AND released = 1
The restriction released = 1 is now part of the comment and is never evaluated, so every row in team with category 'Advisors', released or not, is shown to the public. With one simple modification to the URL, the identities of DOD personnel are exposed.
2. Corrupting the application’s logic
Each time a user enters a username and password into a website's or application's login form, an SQL query is sent to check the submitted credentials against the platform's database, where the account records are stored. If the query returns a matching row, the login succeeds; if not, it is rejected (usually with an error message).
An attacker can abuse such a login form without knowing any password. As in the hidden-data example, the attacker uses the SQL comment sequence -- to cut off the part of the query that checks the password. If the application inserts the submitted values directly into its query text, then entering the username administrator'-- with a blank password produces the statement below, in which everything after -- is ignored, so the query returns the administrator's row and the attacker is logged in as that user. Predictable account names such as administrator or admin make the target easy to guess, but the vulnerability lies in how the query is built, not in the username:
SELECT * FROM customers WHERE username = 'administrator'--' AND password = ''
3. Retrieving data from other database tables
An adversary can also pull data from other tables in the same database, using the UNION keyword. UNION appends the results of an additional SELECT to the results of the original query. For the injected SELECT to work, it must return the same number of columns as the original query, and the data type of each column must be compatible with the corresponding original column; once the attacker has worked out both (by trial and error), they can read the contents of any table the application's database account can see. The following statement shows UNION in action, returning two columns from table2 followed by two columns from table3:
SELECT a, b FROM table2 UNION SELECT c, d FROM table3
4. Examining the database
Adversaries know that learning about the database itself helps them plan more damaging or intrusive attacks. With further SELECT statements they can discover the database software and its version, which tables exist, which columns each table contains, and often the full contents of those tables. (On most database systems other than Oracle, the information_schema views list the tables and columns; for the details of this technique, visit portswigger.net.)
5. Blind SQL injection vulnerabilities
Blind SQL injection vulnerabilities are those where an application is vulnerable to SQL injection, but its HTTP responses contain neither the results of the query nor the details of any database error. Adversaries exploit them by making the query's outcome observable indirectly: triggering conditional responses, triggering time delays, or using out-of-band (OAST) techniques in which the database server itself is made to contact a system the attacker controls (view the details of these attacks on portswigger.net).
HOW TO PREVENT SQL INJECTION ATTACKS
Oftentimes, poor development practices are the main cause of SQL injection vulnerabilities, and the root cause in every example above is the same: user input is concatenated into the text of the query, so the database cannot tell data from code. The primary defense is therefore to build queries as parameterized statements (prepared statements), in which the SQL text is fixed and the user-supplied values are passed separately as bound parameters. Proprietors of web and application platforms should also keep their development security practices up to date and remain on a continual lookout for possible SQL injection attacks. The following prevention measures are described below:
Enlist in a web application vulnerability scanner
Individuals and organizations should run a reputable web application vulnerability scanner (such as Burp Suite, Nessus or Netsparker) against their applications to find externally reachable security flaws, including SQL injection. Scanners find many injection points automatically, but they miss some, so they complement rather than replace manual testing.
Perform manual SQL vulnerability tests
Organizations and individuals can also find SQL injection flaws by testing manually. Such tests should be performed at every entry point of the application or web platform, and repeated whenever the application changes. According to portswigger.net, the tests include but are not limited to:
Information obtained from portswigger.net
Update and patch database applications
In addition to continuously patching and updating your other technology, keep your database servers, drivers and the frameworks built on them current. Their updates usually include security fixes, so applying them ensures that known bugs in the database engine and its client libraries are closed. Note that patching does not remove an injection flaw in your own query code; it only limits what an injected query can reach once it gets through.
Web application firewalls
A web application firewall (WAF) inspects incoming requests and filters malicious ones from benign ones, blocking requests that match known attack patterns such as the '-- and UNION SELECT payloads shown above. Its rules can be configured to block specific request patterns or to let through requests that legitimately resemble them. A WAF adds a useful extra layer of protection, but attackers routinely find encodings and variations that slip past signature rules, so treat it as a compensating control rather than a fix for the vulnerable query itself.
Do not disclose more information than necessary
Verbose database error messages reveal the type and version of the DBMS, table and column names, and fragments of the failing query, all of which help an adversary refine an injection. Pay close attention to what your application discloses in its error pages: return a generic error to the user and log the detail server-side for your own troubleshooting.
Continuous monitoring & flaw recognition
It is also vital to monitor the web or application platform continuously and to assign personnel to hunt for vulnerabilities in the database layer. Training developers to review code for flaws in how queries are built, and training operations staff to recognize SQL injection attempts in request logs (for example quote characters, comment sequences and UNION SELECT appearing in parameter values), is an effective way to head off malicious activity.
In conclusion, SQL injection attacks are among the most common cyber attacks, making up about 65% (roughly two thirds) of web application attacks according to darkreading.com (an information security site). Whether launched by organized cybercriminals or an opportunistic hacker, they can have severe consequences for organizations and users alike. That sensitive information can be read by anyone who knows how to find a vulnerable parameter is a frightening fact to accept. Organizations and individuals who run applications or web platforms must therefore be constantly ready to counter such attacks, and must treat securing the tables and columns of their data as a priority.
PortSwigger Web Security Academy. “SQL Injection”.
MySQLTutorial. “What Is MySQL”.
Indiana University, Knowledge Base. “SQL example statements for retrieving data from a table”.
Medium.com, HaltDos. “What is the DDoS SQL injection attack?”.
eSecurity Planet. “How to Prevent SQL Injection Attacks”. By Paul Rubens.