Currently, there are around 200 million active websites, and very few of them consist solely of the static HTML pages that were so prevalent in the early years of the internet. Most modern sites handle a lot of sensitive data with the help of complex web applications and databases.
Yet, we’re pretty sure we won’t be wrong in saying that many website owners aren’t fully aware of what an SQL Injection (or SQLi) is.
The goal of today’s guide is to fix this.
The State of Cybersecurity
The modern cybersecurity landscape is a pretty complex place. The scope of website attacks is wider than ever, and with more than 60% of the world’s population now on the internet, so is the number of targets.
As a website owner, your number one priority should be the security of your web application. You may want to hear what an organization by the name of OWASP has to say. OWASP stands for Open Web Application Security Project and is an online community of volunteers and experts who specialize in helping website administrators keep their projects well protected.
OWASP periodically publishes its Top 10 ranking of the most prevalent web application risks, and for a long stretch (the 2010, 2013 and 2017 editions) injection flaws sat at the very top of that list.
Because relational databases sit behind most modern websites, SQLi is by far the most common type of injection today. According to Akamai, a security company, close to two-thirds of all web application attacks involve SQL injections.
SQLi is certainly not a threat you should underestimate, but what makes it so unique?
What’s an SQL Injection?
When end users interact with a website, they see a collection of text and media files being arranged and displayed on the screen.
A lot more is going on behind the scenes, though.
Based on the user’s input, the web application runs database queries to access the right resources and display the correct content. For example, after you enter your login credentials and hit Sign In, the web application takes your username and password and queries the database to see if they’re correct. If this is the case – you are allowed into your profile.
SQL (short for Structured Query Language) is the query language used to talk to relational databases. The web application uses it to build the database queries that act on the user's input.
In an SQL injection scenario, an attacker supplies input that changes the structure of the query the application builds, so the database executes something the developer never intended. Using such crafted queries, they can gain unauthorized access to sensitive data or compromise your system integrity.
SQL injection as an attack vector was publicly described way back in 1998, yet, according to Acunetix, around 8% of modern websites are still vulnerable to it. The owners of such websites had better fix the underlying code, as a successful SQLi attack can cause a lot of damage.
Unauthorized access to sensitive information like login credentials, payment details, and personal data alone could be catastrophic to any online business. What’s more, a successful SQL injection can open backdoors for facilitating a sophisticated attack against an entire organization.
How do SQL Injections Work?
SQL injection needs no exotic tooling. Free, open-source tools such as sqlmap automate both the discovery of injectable parameters and the extraction of data once one is found, and ready-made payload lists circulate widely. Understanding how SQL queries work lets an attacker get more out of a vulnerability, and is needed for the trickier blind cases, but it is not a prerequisite for finding or exploiting an obvious one.
First, the attackers identify their target. Because the threat is so well known, modern web frameworks and ORMs build queries with bound parameters by default, and there are tools and industry best practices for developers who write their own database code.
Unfortunately, legacy code, inconsistent practices and poor patch management mean that SQLi-vulnerable websites are still around, and modern vulnerability scanners can identify them quickly.
The next move is reconnaissance. The payloads an attacker crafts depend on the database engine and version (comment syntax, string functions and error messages all differ between MySQL, PostgreSQL, Microsoft SQL Server and Oracle), so the attacker fingerprints the engine first, typically from error messages or by probing with engine-specific expressions.
Finally, the actual injection is launched. Any input that ends up inside a query is a candidate: fields in web forms such as login pages and search bars, but also URL parameters, cookies and HTTP headers that the application reads and uses in a query.
For example, an attacker can use a website's login form to sign in as the administrator without knowing the admin password. Here's how it works.
Normally, when the administrator logs in, the login form's handler builds a query like this (the password is shown in clear to keep the example short; a properly built application would compare a hash):
SELECT * FROM members WHERE username = 'admin' AND password = '[the admin password]'
If an attacker types admin'-- (a single quote, two hyphens and a trailing space) into the username field and leaves the password field empty, the query becomes:
SELECT * FROM members WHERE username = 'admin'-- ' AND password = ''
The single quote closes the string literal the developer opened, and the two hyphens start an SQL comment, so the database ignores everything after them, the password comparison included. (MySQL only treats -- as a comment when a space follows it, which is why the payload ends with one; # works there too.)
The query returns the admin row, the application takes any returned row as a successful login, and that's where the nightmare begins...
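Here is that bypass run against a small in-memory SQLite database, as an added example rather than code from this guide. The constructed members table, the sample password and the function names login_vulnerable and login_parameterized are assumptions for illustration. The first function concatenates the input exactly as the query above does; the second sends the same values as bound parameters, which is the fix.

```python
import sqlite3


def make_db():
    """Constructed sample data: a members table with one admin account. The password
    is stored in clear only to mirror the query in the guide; real code stores a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the guide's example shows.
    Any row coming back is treated as a successful login."""
    sql = ("SELECT * FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same query, but the values travel as bound parameters: the database receives
    the query structure and the data separately, so the input cannot alter the SQL."""
    sql = "SELECT * FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The username from the guide: the quote closes the literal, '--' comments out the rest.
# The trailing space keeps the comment valid on MySQL as well as SQLite.
PAYLOAD = "admin'-- "


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, empty password   :", login_vulnerable(conn, PAYLOAD, ""))      # True
    print("parameterized, empty password:", login_parameterized(conn, PAYLOAD, ""))  # False
    print("parameterized, real password :",
          login_parameterized(conn, "admin", "correct-horse-battery"))                # True
```

Run it as a script and the three lines print True, False, True: the concatenated query lets the payload in with no password at all, while the parameterized query treats the whole payload as a username that simply does not exist. Nothing else about the query changed, which is the point of the fix.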
Types of SQL Injections
Depending on the results they yield, you can identify several different types of SQL injections:
- SQL injections examining the database – This is often the first step on the attackers’ to-do list after they identify a viable target. They use a crafted SQL query to obtain database-specific information, which helps them during the following stages of the attack.
- SQL injections retrieving hidden data – This type of injection reveals information that would otherwise be inaccessible for the attacker. For example, a single modification of an HTTP request can display unlisted products on an SQLi-vulnerable ecommerce site.
- SQLi UNION attacks – The UNION operator appends the result set of a second SELECT to that of the first, provided both return the same number of columns with compatible types. By injecting a UNION clause, attackers make the application return rows from tables it was never meant to expose, such as the one holding login credentials, through the columns of an ordinary page.
- SQL injections subverting the application’s logic – The ability to interfere with the web application’s logic opens the door for a diverse range of criminal activity. The password bypass technique we outlined in the previous section is an example of this type of attack.
- Blind SQL injections – In a blind injection the application shows neither the query results nor database errors, so nothing comes back directly. Attackers instead ask the database yes/no questions and read the answer from a side channel: a page that changes depending on whether a condition is true (boolean-based), a delay introduced with a sleep function (time-based), or, where the database server can reach the network, an out-of-band DNS or HTTP request that carries the data with it. Extraction is slower, typically one character at a time, but tools automate it.
What to Do to Prevent an SQL Injection Attack?
SQL injections give hackers the chance to bypass authentication; steal, modify, and corrupt data; and, depending on the database engine and the privileges of the database account, even execute commands on the underlying server. Usually, the attacks are pretty quick, and admins often don't realize they've been hit until it's too late.
In other words, you’re much better off taking the necessary steps to prevent an SQLi attack rather than trying to put everything back together after the hackers have already compromised your site.
Different projects require different prevention techniques.
For example, admins who use a content management system (CMS) rarely write database code themselves, so it's up to the CMS and plugin developers to patch vulnerabilities promptly. Your part is to apply updates as soon as they're released, and that includes plugins and themes, which are a frequent source of SQLi flaws. Any custom code you add on top of the CMS is your responsibility, and the advice for custom-coded sites below applies to it.
The job of administrators of custom-coded websites is a bit more challenging. There’s no list of set-and-forget measures that completely eliminate the threat. The exact steps you need to patch a vulnerability depend on things like the programming language you’ve used, the SQL database engine, and the type of SQL vulnerability you’re trying to fix.
Nevertheless, there are a few tips you can follow to keep your website well-protected.
- Perform regular security audits – Vulnerability scanners can detect potential SQLi holes in your site with relative ease, and you have no excuse for not using them. The more frequent the scans – the better the chances of finding and fixing SQLi vulnerabilities before it’s too late.
- Make sure you’re ready for the threat – If you’re a big organization maintaining a large website, everyone, from the QA specialist to the development lead, needs to be aware of the dangers SQL injections pose. Regularly updating your staff on new potential attacks is also key in making sure they take the proper measures.
- Never build queries from raw input – The root cause of SQL injection is concatenating user-controlled text into a query string. Use parameterized queries (prepared statements) so that the database receives the query structure and the data separately; the data can then never change the structure. Treat all input the same way, whether it comes from an authenticated user or an anonymous one, and validate it (type, length, allowed values) as a second layer. Sanitizing or escaping input on its own is error-prone and should not be your primary defense.
- Use tried and tested mechanisms – Every mainstream language and framework ships parameterized query support and usually an ORM or query builder that uses it underneath. Use those instead of writing your own escaping routine. For the parts of a query that cannot be parameterized, such as table or column names and sort direction, map the input to a fixed allowlist of values you control.
- Stay informed and use the latest tools – SQLi attacks don’t stop evolving, and neither do the mechanisms we use to protect websites. If you hide your site behind an old piece of technology, you run a serious risk of leaving it vulnerable to the latest in SQL injection attacks.
- Deploy a web application firewall – A web application firewall inspects HTTP traffic against a rule set and blocks requests that match known SQLi patterns. It is one of the quickest ways to reduce exposure across a whole site, but treat it as a compensating control rather than a fix: pattern-based filters can be evaded with encoding and syntax variations, so the underlying query code still has to be corrected.
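As an added example, not the guide's own code, the search function below applies the tips above: values go in as bound parameters, a user-chosen sort column (which cannot be a parameter) is mapped through a fixed allowlist, and a numeric filter is coerced to a number before use. A deliberately half-fixed variant shows why the allowlist matters: with the sort column still concatenated, an attacker can read data through the order of the results even though every value is parameterized. The tables, function names and sample rows are constructed for this example.

```python
import sqlite3

# A user may only choose a sort key from this map; the values on the right are
# the only identifiers that ever reach the SQL text. (Constructed for this example.)
SORT_COLUMNS = {"name": "name", "price": "price"}


def make_db():
    """Constructed sample data: a catalogue plus the credential table an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT, price REAL, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 9.5, 1), ('Pen', 'Gifts', 2.0, 1),
                                    ('Secret Gizmo', 'Tech', 99.0, 0);
        CREATE TABLE members (username TEXT, password TEXT);
        INSERT INTO members VALUES ('admin', 'hunter2');
    """)
    return conn


def search_products(conn, category, sort_by="name", max_price=None):
    """Hardened search: values are bound parameters, the sort column comes from
    the allowlist, and the price filter is coerced to a number before use."""
    sort_col = SORT_COLUMNS.get(sort_by)
    if sort_col is None:
        raise ValueError("unknown sort column: %r" % sort_by)
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    params = [category]
    if max_price is not None:
        params.append(float(max_price))     # raises ValueError on input like '1 OR 1=1'
        sql += " AND price <= ?"
    sql += " ORDER BY " + sort_col          # safe: sort_col is one of our own constants
    return [row[0] for row in conn.execute(sql, params).fetchall()]


def search_vulnerable_sort(conn, category, sort_by):
    """Half-fixed variant: the category is parameterized, but the sort column is
    still concatenated. Bound parameters cannot protect this part of the query."""
    sql = ("SELECT name FROM products WHERE category = ? AND released = 1 ORDER BY "
           + sort_by)
    return [row[0] for row in conn.execute(sql, (category,)).fetchall()]


def order_leak_payload(prefix):
    """Sort-key payload: sorts by name if the admin password starts with 'prefix'
    and by price otherwise, so the order of the results answers a yes/no question."""
    return ("CASE WHEN (SELECT password FROM members WHERE username = 'admin') "
            "LIKE '" + prefix + "%' THEN name ELSE price END")


if __name__ == "__main__":
    conn = make_db()
    print(search_products(conn, "Gifts"))                     # ['Mug', 'Pen']
    print(search_products(conn, "Gifts", sort_by="price"))    # ['Pen', 'Mug']
    print(search_products(conn, "Gifts' OR 1=1--"))           # []  (the quote is just data)
    for bad in ({"sort_by": "name; DROP TABLE products"}, {"max_price": "1 OR 1=1"}):
        try:
            search_products(conn, "Gifts", **bad)
        except ValueError as err:
            print("rejected:", err)
    # The half-fixed function leaks through result order: name-sorted means "yes".
    print(search_vulnerable_sort(conn, "Gifts", order_leak_payload("h")))   # ['Mug', 'Pen']
    print(search_vulnerable_sort(conn, "Gifts", order_leak_payload("x")))   # ['Pen', 'Mug']
```

The allowlist is a dictionary rather than a check against the raw string on purpose: the user's key and the identifier that reaches the SQL are two separate things, so a new sort option is one line in the map and nothing the user types is ever spliced into the query. The half-fixed variant is the trap to watch for in code review, since it looks parameterized at a glance.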
The Role of Your Hosting Provider
SQL injections target web applications – an area that, strictly speaking, is not the priority of the hosting company you’ve chosen. Nevertheless, a good host is more than a mere service provider. It’s a partner helping you keep your online business going, and as such, it will do everything to ensure your site is as well protected as possible.
For example, if your project is based on a CMS, you’ll likely have a one-click installer. In addition to setting up applications like WordPress in seconds, the tool has auto-update features for both the core and the add-ons.
This way, you’re unlikely to miss any critical security patches.
A good host will help you deploy a web application firewall and will also include a monitoring system that scans your entire hosting account for suspicious behavior, informing you the moment it detects something wrong.
Although SQL injections first appeared more than twenty years ago, the threat is still as relevant as ever. In May 2020, the US Department of Justice charged a hacker for using SQL injections to steal thousands of credit card details and other personal information. A few months later, hackers used an SQLi attack to steal more than 8 million records from the online graphic resource site Freepik.
It’s a serious threat, but the good news is, security experts have learned a lot about SQL injections over the years. Based on this knowledge, there are many tools and policies that effectively stop the attacks. It’s up to you to choose the most convenient.
Why do hackers use SQL injections?
SQLi attacks are by far the most popular method for compromising web applications. Over the years, they have proven a robust vector for scraping data, escalating privileges, and, in some cases, gaining control over the target’s underlying server and infrastructure.
How common are SQL injection attacks?
OWASP places injection flaws, of which SQL injection is the most common kind, among the most serious web application risks, and, according to Akamai, SQLi accounts for two-thirds of all web application attacks. Hackers can determine whether your site is vulnerable with relative ease, often with automated tools, and the attacks frequently yield immediate results, which makes them all the more popular within the cybercrime community.
Why do SQL injections happen?
SQL injections happen when a web application builds SQL queries by inserting user-supplied text directly into the query string. Hackers feed ordinary inputs, such as form fields, URL parameters or cookies, with crafted values that change the structure of the resulting query and make the database return, modify or expose data the application never meant to give them access to.
ScalaHosting – Cyber Attack Guide – SQL Injections