A SQL injection attack consists of the "injection" of a SQL query via the input data sent from the client to the application, inserting malicious code into strings that are later passed to an instance of SQL Server for parsing and execution. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administrative operations on the database, recover the content of a given file on the DBMS file system and, in some cases, issue commands to the operating system.
SQL Injection allows attackers to find the credentials of other users, spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
SQL injection attacks enable attackers to tamper with, delete or steal sensitive data from corporate databases.
SQL injection can be detected manually by using a systematic set of tests against every entry point of the application.
Error-based SQL injection is a technique in which an attacker submits malformed SQL syntax in the application's input fields in order to provoke an error message from the SQL parser or the database.
Such errors frequently disclose the database version and fragments of the query, which give an attacker useful information (such as table and column names, or the number of columns in a table) for targeting further attacks.
Blind SQL injection is an indirect technique in which the attacker injects SQL queries blindly to manipulate the database and infers the result from differences in the application's behaviour (as opposed to error messages or reflection in the response, as with error-based SQL injection).
Common injection methods include inserting math or concatenation statements, and payloads which trigger time delays.
Automation tools (such as SQLMAP) exist for this type of attack which enable a malicious user to map out the database structure and extract sensitive information from the database server.
In principle, SQL injection vulnerabilities can occur at any location within different query types. The most common locations where SQL injection arises are:
In order to prevent SQL injection attacks it is important to ensure that user-supplied data can never be used to alter the nature of SQL queries executed against the database.
Parameterized statements (also known as prepared statements) are the most secure method of prevention against SQL injection attacks. By using placeholders instead of the actual values provided by the user, a parameterized query is compiled prior to execution, so the user input data is always interpreted as a simple string and not as part of the statement.
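The difference between concatenating input into the query text and binding it through placeholders, as an added example that is not part of the original page. It builds a constructed in-memory SQLite table (the table, rows and the hostile input string are all assumptions made for the demonstration) and runs the same login lookup both ways:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Vulnerable form: the user's input becomes part of the SQL text itself,
    # so a quote character in the input can change the statement's structure.
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Hardened form: '?' placeholders. The statement is compiled first and the
    # values are bound afterwards, so the input is only ever a string literal.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    conn = make_db()
    # Constructed hostile password: a quote that closes the literal followed by
    # a tautology. Only the concatenated query is affected by it.
    hostile = "' OR '1'='1"
    return {
        "concat_normal": login_concat(conn, "alice", "s3cret"),
        "concat_hostile": sorted(login_concat(conn, "alice", hostile)),
        "param_normal": login_param(conn, "alice", "s3cret"),
        "param_hostile": login_param(conn, "alice", hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the hostile value matches every row; with the parameterized query it matches nothing, because the driver never lets bound values alter the statement.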
When parameterization is not possible (depending on the database), all user input should be properly canonicalized, validated and encoded before being processed within the target SQL statement.
Stored procedures consist of a batch of SQL queries that are stored in the database and are pre-compiled before execution (similar to parameterized statements). Whilst they are often effective in lowering the risk of SQL injection attacks, stored procedures are not always safe and can still pose a risk depending on the implementation, for instance when a stored procedure constructs and executes dynamic SQL statements on the server.
To minimize the potential damage of a successful SQL injection attack, limit the user account privileges associated with every database account, and avoid assigning admin-level access rights to an account where possible.