The Internet has never been completely safe ever since it’s inception. Today we will be talking about one vulnerability that has already victimized Wikipedia and numerous government and e-commerce websites – SQL Injection or SQLi.
A successful SQL Injection attack can not only spoil the reputation of your company and make customers lose trust in you by breaching confidential data but also create false records and modify records to suit his preferences. You may wonder what will happen if you can only change the account balance against your account number in your bank’ database or increase the number of likes in your social media. If the changes are very subtle it becomes difficult to track even if the company finds out the vulnerability and fixes it.
So how does SQL Injection works? Are all the systems vulnerable? The answer is “YES”. But sometime some of them can be so complex to breach it might take days and lots of algorithms. SQL Injections lets the user run their query on the server DB that is not authorised by the Database Administrator.
SQL Injections can be In-band, Inferential and out-of-band.
In In-band SQLi a single channel of communication is used for both launch attacks and gathering results. In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi attack. There are two sub-variations of this method:
- Error-based SQLi—the attacker intentionally performs actions that cause the database to produce error messages. The attacker can potentially use the data provided by these error messages to gather information about the stchema of the database such as fields in a table or table names.
- Union-based SQLi—the UNION SQL operator is used to fuse multiple select statements to get a single HTTP response. This response may contain data that can be leveraged by the attacker. In simpler words one can fetch data from the USER table such as username and password even though the intended SQL works on the Products table.
In Inferential SQLi data payloads are sent to the server and the response and behavior of the server is observed to infer its structure. This method is called blind SQLi because the data is not transferred from the website database as response, thus the attacker cannot see information about the attack in-band. There are two sub-variations of this method:
- Boolean—the attacker sends a SQL query to the database prompting the application to return a result. The result will vary depending on whether the query is true or false. Based on the result, the information within the HTTP response will modify or stay unchanged. The attacker can then work out if the message generated a true or false result. If the result is true the query is successfully executed and vice-versa.
- Time-based— the attacker sends a SQL query to the database, which makes the database wait (for a period in seconds) before it can react. The attacker can see from the time the database takes to respond, whether a query is true or false. Based on the result, an HTTP response will be generated instantly or after a waiting period. The attacker can thus work out if the message they used returned true or false, without relying on data from the database. If the query takes longer to execute then the query must have executed without any errors.
The attacker can only carry out this form of attack when certain features are enabled on the database server used by the web application. This form of attack is primarily used as an alternative to the in-band and inferential SQLi techniques.
Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and gather information, or when a server is too slow or unstable for these actions to be performed. These techniques count on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.
To understand how SQL Injection works, let us take the example of a tool shop website. The shop has a huge catalogue and hence offers users a search bar to search for the product they are looking for. The website then returns the result and the corresponding price and description. When you enter the search phrase and click on the search button, the text you entered gets sent to the server. The server then creates a SQL Query with that phrase, for example, if you entered hammer a query “SELECT NAME, DESC, PRICE FROM PRODUCTS WHERE NAME = ” + search_phrase + “;”. This works great as long as the user enters expected phrases for the search_phrase. However, if a user enters something like “HAMMER; DROP PRODUCTS”. Instead of one, two query gets executed. The first one is intentional, while the second is secretly injected and deletes the entire table.
There are several ways to prevent SQL Injection attacks:
- Input Validation: Before running the query, try to find out if the user input contains SQL Elements such as “SELECT” or “;”.
- WAF: Employing a web application firewall takes a lot of responsibility from your shoulder. These firewalls are prepared to check for malicious attacks.
- Parameterized Statements: Parameterized Statements that work with parameters can be used instead of embedding or joining strings to form a query. A placeholder can only store a value of the given type and not an arbitrary SQL fragment. Hence the SQL injection would only be treated as a strange parameter value.
- Permissions: By downgrading the permissions for the DB User used by the web application to execute Queries, malicious query execution such as Dropping Tables, or Writing Invalid Data to The rows can be prevented.