What is SQL Injection?


What is SQL Injection (SQLi) and How to Prevent It

SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures. They can get around the authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database.

A SQL Injection vulnerability may affect any website or web application that uses a SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to gain unauthorized access to your sensitive data: customer information, personal data, trade secrets, intellectual property, and more. SQL Injection attacks are one of the oldest, most prevalent, and most dangerous web application vulnerabilities. The OWASP organization (Open Web Application Security Project) lists injection in its OWASP Top 10 2017 document as the number one threat to web application security.

How and Why Is an SQL Injection Attack Performed

To carry out a SQL Injection attack, an attacker must first find vulnerable user inputs within the web page or web application. A web page or web application that has a SQL Injection vulnerability uses such user input directly in a SQL query. The attacker then crafts input content. Such content is often called a malicious payload and is the key part of the attack. After the attacker sends this content, the malicious SQL commands it carries are executed by the database.

SQL is a query language that was designed to manage data stored in relational databases. You can use it to access, modify, and delete data. Many web applications and websites store all of their data in SQL databases. In some cases, you can also use SQL commands to run operating system commands. Therefore, a successful SQL Injection attack can have very serious consequences.

  • Attackers can use SQL Injections to find the credentials of other users in the database. They can then impersonate these users. The impersonated user may be a database administrator with all database privileges.
  • SQL lets you select and output data from the database. An SQL Injection vulnerability could allow the attacker to gain complete access to all data in a database server.
  • SQL also lets you alter data in a database and add new data. For example, in a financial application, an attacker could use SQL Injection to alter balances, void transactions, or transfer money to their account.
  • You can use SQL to delete records from a database, even drop tables. Even if the administrator makes database backups, deletion of data could affect application availability until the database is restored. Also, backups may not cover the most recent data.
  • In some database servers, you can access the operating system through the database server. This may be intentional or accidental. In such a case, an attacker could use a SQL Injection as the initial vector and then attack the internal network behind a firewall.

Simple SQL Injection Example

The first example is very simple. It shows how an attacker can use a SQL Injection vulnerability to get around application security and authenticate as the administrator.

The following script is pseudocode executed on a web server. It is a simple example of authenticating with a username and a password. The example database has a table named users with the following columns: username and password.

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi: the raw input is concatenated into the statement,
# so a single quote in either field ends the string literal and the rest of the
# input is parsed as SQL
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

These input fields are vulnerable to SQL Injection. An attacker could use SQL commands in the input in a way that would alter the SQL statement executed by the database server. For example, they could use a trick involving a single quote and set the passwd field to:

password' OR '1'='1

As a result, the database server runs the following SQL query (the application's own closing quote lands after the injected '1', so the statement stays syntactically valid):

SELECT id FROM users WHERE username='username' AND password='password' OR '1'='1'

Because AND binds more tightly than OR, the WHERE clause is evaluated as (username='username' AND password='password') OR '1'='1', which is true for every row, no matter what the username and password are. The query therefore returns the id of every user, and an application that takes the first row logs the attacker in as whichever user comes first. That is very often the administrator, since the admin account is usually created first, although without an ORDER BY the database does not guarantee the order. In this way the attacker not only bypasses authentication but may also gain administrator privileges. They can also comment out the rest of the SQL statement to control the execution of the SQL query further (note that MySQL requires a space after the double dash):

-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16
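The following block is an added example, not code from the original page. It runs the article's login pseudocode against an in-memory SQLite database with a constructed users table, first with the authentication-bypass payload, then with the comment-out variant, and contrasts both with a parameterized version of the same query. The user names and passwords are made up for the demonstration; SQLite understands the double-dash comment without a trailing space, which is why the comment payload works as written here.

```python
import sqlite3

# Constructed sample data (not from the original page). Plaintext passwords are
# used only so the injected query is easy to follow; real applications must
# store password hashes.
USERS = [(1, "admin", "s3cr3t-admin"), (2, "alice", "alice-pw")]


def make_db():
    """Build an in-memory database with the users table described in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """The article's pseudocode: user input is concatenated into the SQL string.
    Returns the id of the first matching row, or None."""
    sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, passwd):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so a quote in the input is just data and never changes the statement."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (uname, passwd)).fetchone()
    return row[0] if row else None


def demo():
    """Run the payloads from the section above against both implementations."""
    conn = make_db()
    tautology = "password' OR '1'='1"   # makes the WHERE clause true for every row
    comment = "admin' --"               # closes the string and comments out the password check
    return {
        # wrong password, no injection: nobody is logged in
        "vulnerable_bad_creds": login_vulnerable(conn, "username", "wrong"),
        # tautology payload: every row matches, the first row (admin, id 1) is returned
        "vulnerable_injected": login_vulnerable(conn, "username", tautology),
        # comment payload in the username field: the password is never checked
        "vulnerable_comment": login_vulnerable(conn, comment, "anything"),
        # the same tautology payload is compared literally and matches nothing
        "safe_injected": login_safe(conn, "username", tautology),
        # ordinary credentials still work with the parameterized query
        "safe_real_creds": login_safe(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized version is not filtering anything: it simply never lets the input become part of the statement text, which is why no amount of quoting in the payload can change the query's structure.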

Example of a Union-Based SQL Injection

One of the most common types of SQL Injection uses the UNION operator. It allows the attacker to combine the results of two or more SELECT statements into a single result. The technique is called union-based SQL Injection.

In the original example, the artist parameter of the page is vulnerable to SQL Injection. The payload modifies the query to look for a non-existent record by setting the value of the parameter in the URL query string to -1. It could be any other value that does not exist in the database, but a negative value is a good guess because an identifier in a database is rarely a negative number. Because the original SELECT then matches nothing, the only rows the page displays are the ones the attacker appends with UNION.

In SQL Injection, the UNION operator is commonly used to append a malicious SQL query to the original query that the web application intended to run. The result of the injected query is merged with the result of the original query. This allows the attacker to obtain column values from other tables. For the UNION to be accepted, the injected SELECT must return the same number of columns as the original one, with compatible types, so the attacker usually starts by probing the column count with placeholder values.
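The block below is an added example, not code from the original page. It models the artist lookup as a Python function over an in-memory SQLite database with constructed artists and users tables (the table and column names are assumptions), probes the column count the way an attacker would, and then uses the -1 UNION payload to pull user credentials through the artist page. A parameterized version of the lookup is included to show the same payload doing nothing.

```python
import sqlite3

# Constructed sample schema (not from the original page): the page's artist
# lookup plus a users table the attacker wants to read.
ARTISTS = [(1, "Anna", "painter"), (2, "Bruno", "sculptor")]
USERS = [(1, "admin", "s3cr3t-admin"), (2, "alice", "alice-pw")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?, ?)", ARTISTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def artist_page_vulnerable(conn, artist_param):
    """Models a page such as artists.php?artist=<value>: the query-string value is
    pasted straight into the SQL, so it can carry a whole second SELECT."""
    sql = "SELECT id, name, bio FROM artists WHERE id=" + artist_param
    return conn.execute(sql).fetchall()


def artist_page_safe(conn, artist_param):
    """Parameterized lookup: whatever the value is, it can only be compared to id."""
    sql = "SELECT id, name, bio FROM artists WHERE id=?"
    return conn.execute(sql, (artist_param,)).fetchall()


def probe_column_count(conn, max_cols=6):
    """Attacker step 1: find how many columns the original SELECT returns.
    UNION is rejected unless both sides have the same column count, so the
    first placeholder list that does not raise an error reveals the count."""
    for n in range(1, max_cols + 1):
        placeholders = ", ".join(str(i) for i in range(1, n + 1))
        try:
            artist_page_vulnerable(conn, f"-1 UNION SELECT {placeholders}")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_users(conn):
    """Attacker step 2: replace the placeholders with columns from another table.
    -1 matches no artist, so the only rows returned are the injected ones."""
    payload = "-1 UNION SELECT id, username, password FROM users"
    return artist_page_vulnerable(conn, payload)


if __name__ == "__main__":
    conn = make_db()
    print("legitimate lookup:", artist_page_vulnerable(conn, "1"))
    print("columns in original SELECT:", probe_column_count(conn))
    print("credentials via artist page:", dump_users(conn))
    print("same payload, parameterized:", artist_page_safe(conn, "-1 UNION SELECT id, username, password FROM users"))
```

In the parameterized lookup the payload arrives as a text value that cannot be converted to a number, so it matches no id and the page simply shows nothing.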

How to Prevent an SQL Injection

The only reliable way to prevent SQL Injection is to never build SQL statements by concatenating input: use parameterized queries (prepared statements), so that values are bound separately from the statement text, and validate input against what the application actually expects. This applies to every input a query touches, not only web form fields such as login forms; URL parameters, headers, cookies, and data read back from the database or from other systems all count. Removing or escaping characters such as single quotes is only a fallback, since it is blacklist filtering and is easy to get wrong. It is also a good idea to turn off the display of database errors on your production sites. Database errors can be used together with SQL Injection to gain information about your database.

If you find a SQL Injection vulnerability, for example using an Acunetix scan, you may not be able to fix it immediately. For example, the vulnerability may be in open source code. In such cases, you can use a web application firewall to filter your input temporarily, but treat that as a stopgap rather than a fix.

Step 1: Train and maintain awareness

To keep your web application safe, everyone involved in building the web application must be aware of the risks associated with SQL Injections. You should provide suitable security training to all your developers, QA staff, DevOps, and SysAdmins. You can start by referring them to this page.

Step 2: Don’t trust any user input

Treat all user input as untrusted. Any user input that is used in an SQL query introduces a risk of an SQL Injection. Treat input from authenticated and/or internal users the same way that you treat public input.

Step 3: Use whitelists, not blacklists

Don’t filter user input based on blacklists. A clever attacker will almost always find a way to circumvent your blacklist. If possible, verify and filter user input using strict whitelists only.

Step 4: Adopt the latest technologies

Older web development technologies don't offer built-in SQLi protection. Use the latest version of the development environment and language and the latest technologies associated with that environment/language. For example, in PHP prefer PDO with prepared statements; MySQLi also supports prepared statements, but the legacy mysql_* functions that many old PHP applications still use do not, which leaves every query built with them dependent on hand-written escaping.

Step 5: Employ verified mechanisms

Don't try to build SQLi protection from scratch. Most modern development technologies offer mechanisms to protect against SQLi. Use such mechanisms instead of trying to reinvent the wheel. For example, use parameterized queries or stored procedures. Keep in mind that a stored procedure only helps if it does not itself build dynamic SQL from its arguments, and that parameters can only carry values: table and column names, ORDER BY targets, and keywords cannot be bound, so those must be validated against a whitelist before they go anywhere near a query.
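As an added example of steps 3 and 5 together (not code from the original page), the block below implements a product search over an in-memory SQLite database with a constructed products table. The vulnerable version concatenates both the search term and the user-chosen sort column; the hardened version binds the term as a parameter and maps the sort column and direction through fixed whitelists, because identifiers and keywords cannot be parameterized. The table, column names, and data are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original page).
PRODUCTS = [(1, "lamp", 20), (2, "desk", 150), (3, "chair", 80)]

# Whitelists (Step 3): the client chooses a sort option by name, and only these
# names are ever turned into SQL. Anything else is rejected, not escaped.
SORTABLE_COLUMNS = {"name": "name", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def search_vulnerable(conn, term, sort_by, direction):
    """Everything is concatenated: the search term, the sort column and the
    direction can all rewrite the statement."""
    sql = ("SELECT name, price FROM products WHERE name LIKE '%" + term + "%' "
           "ORDER BY " + sort_by + " " + direction)
    return conn.execute(sql).fetchall()


def search_safe(conn, term, sort_by, direction):
    """Step 5 for the value: the term travels as a bound parameter.
    Step 3 for the identifier and keyword: both are looked up in a whitelist,
    and an unknown option raises instead of being trusted."""
    try:
        column = SORTABLE_COLUMNS[sort_by]
        order = SORT_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort option")
    # Only whitelisted literals reach the f-string; the user's term never does.
    sql = f"SELECT name, price FROM products WHERE name LIKE ? ORDER BY {column} {order}"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "%' AND price > 100 --"   # rewrites the WHERE clause in the vulnerable version
    print("vulnerable, injected term:", search_vulnerable(conn, payload, "name", "asc"))
    print("safe, same term as data:  ", search_safe(conn, payload, "name", "asc"))
    print("safe, valid sort:         ", search_safe(conn, "a", "price", "desc"))
    try:
        search_safe(conn, "a", "price; DROP TABLE products", "asc")
    except ValueError as exc:
        print("safe, bad sort option:    ", exc)
```

Note that binding the term does not turn off the LIKE wildcards: a user can still search with % or _ and match more than intended. That is a separate input-validation concern from injection and is handled by escaping those two characters in the value, not by changing how the query is built.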