Cyber-attacks are carried out in countless ways. One style of attack is the injection attack, in which an attacker supplies untrusted input to a program that is then executed. There are many types of injection attacks; the most common are SQL injection (SQLi) and cross-site scripting (XSS). Today we will delve a little deeper into what exactly an SQLi attack is, how it is carried out and how to defend yourself against it.
What is SQLi?
SQL injection (SQLi) is a type of injection attack that allows the execution of malicious SQL statements. This style of attack gives the attacker control over the database server of a website or web application. Certain SQLi vulnerabilities, once exploited, allow attackers to circumvent application security measures, including authentication and authorization. Once in, they can not only retrieve the content of the entire database but also add, modify and delete its records.
This vulnerability can affect any website or application that uses an SQL database (e.g. MySQL, Microsoft SQL Server, Oracle, Sybase, etc.). A successful SQL injection attack can result in unauthorized access to sensitive data, such as passwords, credit card details or personal user information. There have been cases of an attacker gaining a persistent backdoor into an organization's systems, allowing long-term access to the company's database that went unnoticed for long periods of time.
How do I protect my PC?
SQL injection can be detected manually by using a systematic set of tests against every entry point in the application. This typically involves:
- Submitting the single quote character ' and looking for errors or other anomalies.
- Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
- Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
- Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
- Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.
Once these tests are completed, the detected vulnerabilities must be remediated. In most instances, SQLi vulnerabilities can be fixed simply by using parameterized queries (i.e. prepared statements) instead of string concatenation when building the query.