Like many programming languages, structured query language (SQL) is vulnerable to manipulation and abuse by hackers. SQL is commonly used to query, operate, and administer databases by way of an application. Applications can sometimes be reached from a browser, such as via a web page, a comment or forum section, or an API. When SQL injection is present within an application, the SQL queries that the application builds from browser-supplied input can be modified by hackers to perform actions beyond the scope of the application’s purpose, which can lead to a security breach or loss of data. Of course, there are techniques that the application’s developers can use to protect against this specific threat.
This article will focus on what a SQL injection attack is, how it works, and how developers and administrators can protect against this serious threat.
A SQL injection attack is used by bad actors to poison SQL queries with the intent to compromise the backend database of a web application. It’s important to point out that this vulnerability lies in the application, not the database. This means it’s up to the application’s developers to take measures to protect against this threat when building the application so that vulnerabilities are caught before any damage can be done.
Listed at #3 on the OWASP 2021 Top 10, a successful SQL injection attack begins when a hacker enters malicious code into the body of a query via a web application. Due to insecure code practices, the server side of the application is then tricked into passing the injected query to the database, even though by design, it is not supposed to do so. Once the malicious query finds its way to the database, it will be executed as is. Since the role of the database is to execute queries, it will follow orders indiscriminately. This can cause enormous damage that may be hard to undo. The injected query can have capabilities beyond what the application is designed for. It can cause data to be leaked or deleted or offer valuable clues about how the backend database is constructed and what type of content is hidden inside.
As mentioned above, SQL injection occurs in the application itself, with the goal of accessing otherwise inaccessible data contained in the backend database. The hacker exploits a vulnerability in the application, not a flaw in the database, to carry out the attack.
A SQL injection exploit can be used to:
Bypass the website’s authentication or authorization protocols to allow the attacker to view sensitive records in the database (credit cards, personal information, etc.)
Retrieve, add, alter, or delete content from the backend database
Gain control of the entire server by accessing the operating system
Execute administrative operations
All SQL injection attacks use attacker-supplied data to alter the web application’s SQL statements, but there are several different ways this can be carried out. Unless the targeted application strictly validates input data and keeps that data separate from the structure of its queries, it remains vulnerable to all of these attacks.
Error-based injection is a very basic form of SQL injection in which an attacker notes the differences in the error messages returned to them. When the hacker examines the error messages, they can decipher many things about the database, including the type of data that is stored inside and how tables and columns are constructed.
Union-based injection occurs when the hacker finds a SQL injection flaw in an application and the results of the query are returned within the application's responses. The UNION keyword can be used to append the results of a second query to those of the original one, retrieving data from other tables within the database.
Blind SQL injection arises when an application is vulnerable to SQL injection but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. There are two versions of a blind attack:
Boolean - The attacker asks a series of yes-or-no questions to piece together information about the database.
Time-based - The attacker injects a condition that makes the database pause before responding only when the condition is true. By measuring how long each response takes, the attacker can infer the answer to each question even though no data or error is ever returned in the response itself.
How the application interacts with the database needs to be carefully planned and maintained by the developer. A developer should be thinking about the lifecycle of an application and build in security safeguards at the outset.
Prepared statements (also called parameterized queries) are pre-built queries in which the developer supplies user data to the query as separate parameters when it’s executed. Because the database receives the structure of the query before any user data is bound to it, the data is always treated as a literal value and can never change what the query does, so a hacker cannot use it to manipulate the statement.
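The following is an added example, not code from the original article, showing the difference the previous paragraphs describe. It uses Python's standard sqlite3 module with a constructed in-memory users table (the user, password, and table name are sample values). The vulnerable login concatenates input into the statement; the hardened login binds the same input as parameters; a small allowlist check illustrates the strict input validation mentioned above, and a probe shows how a concatenated query turns a stray quote into a database error of the kind error-based injection relies on.

```python
import re
import sqlite3

# Constructed sample schema and data (not from the article).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # VULNERABLE: user-controlled text is spliced into the SQL text, so quote
    # characters in the input become part of the query's structure.
    sql = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # HARDENED: the statement is parsed with '?' placeholders first and the
    # values are bound afterwards, so input is only ever a literal value.
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed allowlist policy

def validate_username(username: str) -> bool:
    # Strict allowlist validation: reject anything outside the expected shape
    # before it reaches the database layer. This complements, and does not
    # replace, the use of prepared statements.
    return USERNAME_RE.fullmatch(username) is not None


def vulnerable_query_leaks_error(conn: sqlite3.Connection) -> bool:
    # A lone quote breaks the concatenated statement. The database's error
    # text (syntax position, sometimes object names) is exactly what an
    # error-based attacker reads; the fix is to never concatenate and to
    # log database errors server-side while returning a generic message.
    try:
        login_vulnerable(conn, "alice'", "x")
        return False
    except sqlite3.Error:
        return True


def demo() -> dict:
    conn = build_db()
    valid = ("alice", "correct horse")
    # Constructed tautology input: makes the concatenated WHERE clause always true.
    tautology = ("alice", "' OR '1'='1")
    return {
        "vuln_valid": login_vulnerable(conn, *valid),
        "vuln_tautology": login_vulnerable(conn, *tautology),
        "prep_valid": login_prepared(conn, *valid),
        "prep_tautology": login_prepared(conn, *tautology),
        "vuln_error_leaks": vulnerable_query_leaks_error(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the vulnerable login accepting the tautology as if it were a correct password while the prepared statement rejects it, and the error probe confirms that only the concatenated version hands database error details back to the caller.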