When it comes to attacking software applications, threat actors have a variety of options to choose from. SQL injection attacks, being easy to carry out and potentially among the most damaging, are nevertheless their favorite choice. Between 2017 and 2019, around two-thirds (65.1 % to be precise) of all attacks on software applications were SQL injection attacks.
With a share this large, these attacks should concern anyone running a web-based business. To get on the front foot and find ways to mitigate this attack vector, it is necessary to understand it in detail.
What is SQL Injection?
SQL injection or SQLi, as it is commonly called, is a type of code injection technique wherein data-driven applications are attacked by the execution of malicious SQL statements. Generally, these statements control database servers that run at the back end of most of the web apps.
SQL injection vulnerabilities give attackers a pathway past the available security checkpoints and into systems. Using typical SQL injection techniques, attackers can not only bypass the authentication and authorization stages of web applications or web pages but also gain access to sensitive data stored in the SQL databases. Once they have that access, they can modify or delete records stored on the target database servers.
When it comes to software applications, SQL injection attacks are one of the oldest and most prevalent cyber threats. The impacts of SQL injection attacks can be devastating. It is due to the scale of their damage that most of the security organizations like OWASP consider them as the number one threat to web application security.
Most of the web pages and applications which rely on traditional SQL databases like Oracle, MySQL, SQL Server are vulnerable to such attacks. As most of the sensitive data, including business information, intellectual property, and critical customer data is stored on these database servers, it becomes imperative to design security measures accordingly.
What are the Types of SQL Injection Attacks?
Now that we know what SQL injection attacks are, it becomes essential to explore the types of SQL injection attacks. In general, SQL injection is categorised into three major classes:
- In-band SQLi
- Inferential SQLi
- Out-of-band SQLi
Let's take a look at each one of them in detail.
1. In-band SQLi
In-band SQLi, or classic SQLi as it is generally called, is the most common and most easily exploited SQL injection attack. As the name suggests, in-band SQLi refers to an attack scenario where a threat actor launches the attack and retrieves the results over the same communication channel. There are two common types of in-band SQLi attacks: error-based SQLi and union-based SQLi.
1 (A). Error-based SQLi
Error-based SQLi is a type of in-band SQL injection technique and one of the more interesting attack types. In this case, the attacker uses the error messages thrown by the database server to gain information about the database structure. In many cases, attackers can replicate entire databases using only error-based SQL injection. As a safe practice, security experts advise developers to disable detailed error messages on live web applications to avoid such attacks.
1 (B). Union-based SQLi
Union-based SQL injection is based on the SQL UNION operation. This in-band technique combines the results of two or more SELECT statements into a single result set, so that data from other tables in the database is returned within the application's normal response.
2. Inferential SQLi
Inferential or blind SQL injection is used when the HTTP responses do not contain the query results and the error messages are not detailed. Unlike in-band SQL injection attacks, inferential SQLi takes much longer to exploit.
Moreover, no actual data transfer occurs between the attacker and the web application, and the attacker is also not able to gauge the results of the attack using the same communication channel. Due to limited options, hackers try to reconstruct the entire database by observing the responses and behavior of the target database servers.
Two of the most common blind SQL injection attacks are boolean-based SQLi and time-based SQLi.
2 (A). Boolean-based or Content-based SQLi
Boolean or content-based blind SQLi’s outcome depends on the boolean response received from the database server. When an attacker sends a SQL query to the target database of the web app, it returns a TRUE or FALSE outcome.
As a result of this boolean acknowledgment, the content of the returned HTTP response will fluctuate. Despite receiving no data from the database, the attacker can judge whether the sent payload returned a true or a false. After this step, the attacker would enumerate the entire database character by character, which usually takes a lot of time.
2 (B). Time-based SQLi
Time-based SQLi is very similar to the content-based technique and differs only in what is observed: time. In this type of SQL injection attack, the attacker sends a query that makes the database wait a specified amount of time before responding. This delay in the response lets the attacker infer whether the condition in the query evaluated to TRUE or FALSE.
3. Out-of-band SQLi
As the name suggests, out-of-band SQL injection attacks occur when the attacker is unable to use the same communication channel to launch the attack and analyze its results. This type of SQL injection is relatively uncommon because it largely depends on features that the attacker cannot easily control.
Attackers use out-of-band techniques as an alternative to inferential time-based SQL injection when the server responses are unstable, since inferential attacks are not reliable in such situations.
In most cases, out-of-band attacks rely on the capabilities of the database server. The success of the attack depends on whether the database server can make HTTPS or DNS requests and transfer data to the attacker. For example, in the case of Microsoft SQL Server, the xp_dirtree command can be used to make controlled DNS requests. Similarly, Oracle's utl_http package can be used to send attacker-controlled HTTP requests.
How is SQL Injection Done?
Before diving deeper into how an SQL injection attack is executed, let's first cover a few basics of SQL. SQL is a query language designed to manage the data stored in a relational database. It can be used to access, modify, and delete that data.
Many web applications and websites store all of their data in SQL databases. In some cases, SQL commands can also be used to run operating system commands. Hence, a successful SQL injection attack may lead to many serious consequences.
To initiate an SQL injection attack, an attacker needs to find a vulnerable user input within the web application or web page. A web page or application with an SQL injection vulnerability uses such user input directly within the SQL query.
The attacker then crafts input content, often referred to as a malicious payload, which is the vital part of the attack. Once the attacker sends this content, the malicious SQL commands are executed. Now let's look at a few attack scenarios:
Simple SQL Injection Example
The example shows how an attacker can use an SQL injection vulnerability to bypass application security and authenticate as the administrator.
The following script is pseudocode executed on a web server. It is a simple example of authenticating with a username and a password. The example database has a table named users with the following columns: username and password.
These input fields are vulnerable to SQL Injection. An attacker could use SQL commands in the input in a way that would alter the SQL statement executed by the database server. For example, they could use a trick involving a single quote and set the passwd field to:
password' OR 1=1
As a result, the database server runs the following SQL query:
SELECT id FROM users WHERE username='username' AND password='password' OR 1=1'
Because of the OR 1=1 condition, the WHERE clause matches every row, and the query returns the first id from the users table regardless of the username and password supplied. The first user id in a database is very often the administrator. In this way, the attacker not only bypasses authentication but also gains administrator privileges. They can also comment out the rest of the SQL statement to control the execution of the query further.
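The login query described above, implemented both the vulnerable way and the parameterized way against a constructed in-memory SQLite table. This is an added example, not code from the original page; the usernames and passwords are made-up sample data, and the payload is the page's OR 1=1 trick with the leftover closing quote commented out, as the text describes.

```python
import sqlite3

# Constructed sample data mirroring the page's users table (username, password).
SAMPLE_USERS = [(1, "admin", "s3cret-admin"), (2, "alice", "alice-pass")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # User input is spliced straight into the SQL text, the pattern the page
    # warns about. Returns the matched id, or None when no row matches.
    sql = (
        "SELECT id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    # Placeholders send the values separately from the query text, so a quote
    # or keyword in the input is only ever compared as data.
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def run_demo():
    # Returns (vulnerable result, parameterized result, legitimate login).
    db = build_db()
    # OR 1=1 makes the WHERE clause match every row; the trailing "--" turns
    # the stray closing quote into a comment (SQLite comment syntax).
    payload = "x' OR 1=1 --"
    return (
        login_vulnerable(db, "nobody", payload),       # 1: first row, the admin
        login_parameterized(db, "nobody", payload),    # None: treated as text
        login_parameterized(db, "alice", "alice-pass"),  # 2: normal login
    )


if __name__ == "__main__":
    print(run_demo())
```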
How SQL Injection Can Be Used to Cause Data Loss Within Your Organization
- Attackers can use SQL injection to find the credentials of other users in the database. They can then use this information to impersonate those users, who may include the database administrator with full database privileges.
- SQL allows different sets of data in a database to be altered and also allows new data to be added. In a financial application, for example, an attacker can use SQL injection to alter balances, void transactions, or transfer money to their own account, creating chaos.
- SQL can be used to remove records from databases and even to drop tables. Each of these capabilities is a potential opportunity for an attacker. Once they can execute malicious SQL and delete records or tables, even backups will not bring the system fully back to normal.
Even with backups, deletion will affect the availability of the application. And most commonly, backups do not cover the most recent data, so the whole application is affected either way.
- In many cases, database servers let users access some functionality of the underlying operating system as well. If an attacker can launch an SQL injection attack in such a scenario, they might gain access to the internal network too.
What makes SQL injection attacks even more menacing for businesses is the fact that these seemingly simple attacks can cost them not only hefty sums of money but may also lead to a lack of customer trust in the long run. And the fact that so many websites and web apps still face this vulnerability regularly reflects the seriousness of the issue.
The next big question for web app owners is how to prevent SQL injection. Fortunately, the solutions are simple yet highly effective: follow good security practices from the beginning. It may take longer or seem tedious, but the rewards are worth it.
Here is a wonderful guide by Bobby Tables explaining the best practices for preventing SQL injection; do check it out.
1. How to Check if my Application is Exposed to SQL Injection Attacks?
A recommended method is to briefly disable error handling on a test platform so that SQL Server and ODBC errors are displayed. Then input single quotes into the application's fields and check whether it fails. A failure indicates that the SQL string is being corrupted by the input and that validation is poor. Both are classic trouble spots for any application.
Another method is to check the code with tools like FxCop, which inspect assemblies and look for database access code that does not use parameterized queries. If you have access to the source code of your application, you can collect all of the data access code and verify it. If you find strings being concatenated and sent to the database, you should be alarmed and replace that code with a parameterized query.
Without a doubt, the best method to check for SQL injection is to do a thorough code review. You must take the time to do it or allocate your resources and hire an expert to do it.
2. How can I Develop a Website that has SQL Injection Vulnerabilities?
Yes, you can, and thanks to the online community there is a ready-made application for exactly this purpose: OWASP Juice Shop.
When it comes to insecure web applications, OWASP Juice Shop is certainly one of the most sophisticated and modern options. It contains a large number of security challenges and vulnerabilities, including SQL injection, and users are expected to exploit the vulnerabilities and check whether their security tools are effective against them. In fact, Juice Shop contains all the vulnerabilities outlined in the OWASP Top Ten and many others.
3. In SQL Injection, why is OR 1=1 Used Instead of Something Like OR 2>1?
OR 1=1 is a simple string used to check the validity of the SQL statement. It is not a strict requirement; other always-true conditions such as 2>1 and 5>3 work just as well. However, 1=1 is the conventional choice, and protection code is commonly written to look for it. Moreover, weakly protected code that is vulnerable to SQL injection generally fails the OR 1=1 test.