What is SQL Injection (SQLi) Attack and How to Prevent It
Table of Contents
- By Maria
- May 20, 2022
Cybersecurity is a significant area of focus in technology, regardless of use and industry. Achieving security in applications and across networks is essential for individuals and businesses alike. New threats and attack types emerge regularly, but preventative and response tactics can keep your networks safe. Training staff and ensuring that everyone is aware of cyberattack trends can also serve as an effective strategy in preventing cyberattacks or minimizing the resulting damage.
What is SQL Injection?
Structured Query Language (SQL) is a widely used programming language. SQL is commonly used for database programming to manipulate and manage data. SQL was first introduced in the 1970s and has since served as the go-to language for commercial and open source databases.
When a programming language is around for a long time, its vulnerabilities can become known to hackers and potentially exploited. An SQL injection is a severe cybersecurity attack that involves inserting malicious code into an SQL statement. Hackers use input fields such as search bars or login pages to “inject” their code into the backend database. SQL will then return normally inaccessible data such as personal or financial records.
How Does an SQL Injection Work?
The SQL injection communicates the system's actions that benefit the hackers and hurts its target database. The triggered actions vary from attack to attack, but some everyday SQL injection actions could be:
- Successfully bypassing multi factor-authentication to gain unauthorized access to the database
- Obtaining secure data by breaching safeguards and stealing it
- Deleting data sets entirely
- Changing and corrupting data
- Running outside code
- Gaining root access to the system’s back end
The types of SQL injections that can occur usually fall into three major categories:
- Un-sanitized Input Injection
- Blind SQL Injection
- Out-of-Band SQL Injection
Hackers will often wait and watch the database they target before deciding on a particular SQL injection type. All of these SQL injection types have the potential to seriously, and sometimes irrevocably, damage the systems they attack. A brief explanation of each SQL injection type:
This popular SQL injection pushes data that isn’t correctly sanitized for characters that should be escaped and validated to be the correct and expected type. It uses an existing query to pull additional data.
Blind SQL Injection
This attack type doesn’t reveal data directly from the targeted database but instead closely examines indirect clues from the system’s behavior. A cybercriminal may hone in on the details contained in HTTP responses or blank web pages that may have specific user input. They may also pay attention to how long it takes the database to process user input. This could lead to another SQL injection attack avenue being developed for the attacker.
Time-Based Blind SQL Injection
In a Time-based Blind SQL Injection attack, the attacker sends a malicious SQL query to the application and waits for the application's response. However, instead of seeing the query results directly, the attacker measures the time the server takes to throw back a reply.
By measuring the time it takes for the application to respond, the attacker determines whether the condition in their SQL query is true or false. After repeating this multiple times, the attacker can learn information about the database, such as its structure, table names, or stored values.
Content-Based Blind SQL Injection
Also called Boolean-based SQLis, this tactic inputs malicious SQL queries to compare successful and failed inputs. Attackers send queries attempting to steal users' login credentials. The hacker can slowly enumerate an entire database by examining the difference in responses. Since blind SQLis don't create clear errors, they are well-known for being difficult to detect.
When a hacker cannot achieve their goal in a single, direct query-response attack, they may explore crafting SQL statements that trigger the database system to create a connection to a separate, external server the cybercriminals control. They can then harvest data or even control the behavior of the database. Sometimes, these types of digital attacks are deferred for a later time and get triggered by an action later on. This is what is called a Second-Order Injection.
SQL Injections – an Example
A prevalent conceptual SQL injection example would be when a valid query is manipulated to retrieve additional data, often sensitive in nature. This data ends up in the hands of cybercriminals if the SQL injection is successful and can be used in unauthorized and fraudulent ways. A real-life example of an SQL injection attack was revealed in 2012 by a hacker group called GhostShell. They targeted financial services organizations, consulting firms, academia, law enforcement, and the CIA via an SQL injection attack and leaked over a million user accounts from 100+ websites.
Prominent SQL Injection Attacks
GhostShell targeted financial services organizations, consulting firms, academia, law enforcement, and the CIA via an SQL injection attack and leaked over a million user accounts from 100+ websites. This campaign is one of the largest to date, but there are many others to consider.
Albert Gonzales Attacks
In 2007, a hacker named Albert Gonzales breached 7-Eleven’s servers using a SQL injection attack. He’d done the same to several other companies, including Office Max, Dave & Busters, and Heartland Payment Systems. Gonzales’ attacks stole credit cards and other sensitive customer data from millions of people.
Ironically, most of these attacks were pulled off while Gonzales worked as an undercover informant for the U.S. Secret Service.
The RedHack Attack on Turkey
Protestors in Turkey’s capitol, Ankara, were violently engaged by government forces in the summer of 2013. This prompted “RedHack,” a Turkish activist group, to find vulnerabilities in one of Istanbul’s administrative websites.
The group claimed that the databases could be breached through basic SQL injection and invited citizens to edit records via Twitter. RedHack self-reportedly removed bills owed to the city before the domain was shut down for multiple days.
The Turkish government has allegedly been on the offensive side of SQL injections when hackers acting in the interests of Turkey broke into Greek and Iraqi email services.
HBGary Incorporated Attack
In early 2011, the “Anonymous” group took on HBGary Federal, a security agency hired by the United States government. The attack broke into the professional accounts of the company’s CEO, Aaron Barr, and released countless internal communications. The attack was in response to HBGary’s attempts to discredit Wikileaks and strike out against hacktivism.
Anonymous went through HBG’s custom management system through an SQL injection. Reportedly, the passwords were unsalted and hashed using MD5, which was widely used at the time but has long since become mocked as “cryptographically broken.”
How to Prevent an SQL Injection
If you are exploring how to prevent SQL injection, there are several best practices to help avoid falling victim to this type of cyber-attack. SQL injection prevention can be aided by:
Avoiding Concatenated Strings: Parameterized queries use substitutes for user inputs. Doing so will cause the user inputs to act as values rather than as part of the SQL statement. This takes away control from any hacker attempting to break into the system through injection. Using parameterized queries is a best practice for other programming languages like PHP, Java, and Python as well.
Applying Static Application Security Testing (SAST): This testing checks an application’s source code to pinpoint problems. It’s a form of penetration testing and can be automated with specific programs or done manually by a security professional.
Sanitizing with Whitelisting: If you’ve ever scrolled down the “symbols” section of Microsoft Word, you know there’s a mind-boggling number of them, such as ₾, ₼, and ┐. Blacklisting specific characters will prevent risky characters like semicolons, backslash, and apostrophes, but you’ll likely miss a few of the more obscure ones. It’s better to be slightly more restrictive in your input fields, whitelist acceptable characters, and deny the rest.
Encrypting All Sensitive Data: Encrypting client or company data is a must these days. For most small and medium-sized businesses, data breaches aren’t a matter of “if” but “when.” Encrypting essential documents and databases means that even if a hacker gets through with an SQL injection, they’ll have a much tougher time reading your data.
Limiting Database User Privileges: A database user doesn’t always refer to a person. It can be an application or system process with access to a database’s information. This includes the user-input functions on a website. Give users the lowest possible privileges and split application roles between multiple database users. This creates a chain of actions that gives you numerous points to find and stop a problem.
Avoiding Sharing Database Error Language: Application error language provides valuable information to potential hackers. It describes what is and isn’t acceptable in your input fields and helps them craft a better attack. Use generic error messages that let users know something went wrong, but don’t go into why the input failed in your database systems.
Using a Web Application Firewall (WAF): Firewalls filter out unwanted programs and traffic requests to your server. WAFs have rapid rule implementation and react immediately to new threats. It protects against not only SQL injection, but also cross-site scripting (XSS), cookie poisoning, session hijacking, parameter tampering, and distributed denial of service attacks.
Frequently Updating Applications: You might think that an older language like SQL has been all figured out. However, hackers are constantly looking for new ways in, and outdated security applications can be abused. Don’t let a moment of laziness or inconvenience damage your business.
There is no doubt that SQL injection attacks are common and can be pretty damaging. A lot is known about these attacks, as they have been around for an extended period. This knowledge has provided individuals and organizations with a simple toolkit of strategies to prevent such cyber attacks. By taking necessary precautions, coding carefully, and monitoring databases consistently, you can keep your databases safe.