Web apps are the face of an organization, so they present a large attack surface for attackers to exploit. According to one report, web application attacks against online customers grew 300 percent in 2022. A sizeable share of those attacks was attributed to SQL injection, a technique that targets data-driven applications.
What is SQL Injection (SQLi)?
SQL injection is a web application attack technique in which the attacker inserts malicious SQL into a statement the application builds and runs. It is named SQL injection because the attack works by injecting SQL queries and statements into the web application. By exploiting this flaw, the attacker attempts to read sensitive information about customers or the organization from the database.
The attacker can also bypass basic security controls to execute SQL statements that add, modify, update or delete records in the database. Beyond changing, adding or deleting data, the attacker can extract stored credentials from the database and sell them on dark-web markets.
Example of an SQL injection statement
Let us walk through a scenario showing how SQL injection can happen against an employee database. The code looks up the record for the current employee ID together with the employee's login name; in this scenario, the record owner is uniquely identified by the employee ID.
// employee_ID and the employee_name.Text form field are concatenated straight into the SQL text
string query = "SELECT * FROM logindatabase WHERE owner = '"
             + employee_ID + "' AND employee_name = '"
             + employee_name.Text + "'";
When the employee ID and the employee name are concatenated in (each value replacing the placeholder below), the query that gets generated is:
SELECT * FROM logindatabase
WHERE owner = '<employee_ID>'
AND employee_name = '<employee_name>';
The flaw that attackers exploit is that the code builds the statement by string concatenation, so whatever the user types becomes part of the SQL text. Here, an attacker might enter the employee name as name' OR 'g' = 'g: the first quote closes the name, and the comparison 'g' = 'g' is always true, so the WHERE clause evaluates to True for every row in the table. The malicious input ultimately produces the query:
SELECT * FROM logindatabase
WHERE owner = 'GKR'
AND employee_name = 'name' OR 'g' = 'g';
Since the WHERE clause is true for every row, the query returns the whole table and the application gives the attacker access to sensitive data.
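To make the scenario above concrete, the following added example (not code from the original article) reproduces the concatenation in Python against an in-memory SQLite table, since the page's C#-style snippet needs a database to run. The table name and the GKR / name values come from the text; the other rows and the secret column are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the page's "logindatabase" table;
# the extra owners, names and secrets are made up for this example.
SAMPLE_ROWS = [
    ("GKR", "name", "gkr-secret"),
    ("ABC", "alice", "abc-secret"),
    ("XYZ", "bob", "xyz-secret"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logindatabase (owner TEXT, employee_name TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO logindatabase VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query(employee_id, employee_name):
    """Build the statement exactly as the page's snippet does: by concatenation.
    Whatever the user types for employee_name becomes part of the SQL text."""
    return (
        "SELECT * FROM logindatabase WHERE owner = '" + employee_id
        + "' AND employee_name = '" + employee_name + "'"
    )


def run_concatenated(conn, employee_id, employee_name):
    """Execute the concatenated statement and return every row it matches."""
    return conn.execute(build_query(employee_id, employee_name)).fetchall()


def demo():
    """Return (rows for an honest login, rows for the injected login)."""
    conn = make_db()
    honest = run_concatenated(conn, "GKR", "name")
    # The input from the text: closes the quoted name and appends an OR branch
    # that is always true, so AND/OR precedence makes every row match.
    injected = run_concatenated(conn, "GKR", "name' OR 'g' = 'g")
    return len(honest), len(injected)


if __name__ == "__main__":
    print(build_query("GKR", "name' OR 'g' = 'g"))
    print(demo())
```

Running it prints the exact statement shown in the text and then the row counts: one row for the honest login, all three rows for the injected one. The concatenated string is the whole problem; the database simply executes what it is handed.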
Types of SQL Injection (SQLi)
SQL injection attacks fall into three categories:
1. Out of band SQLi
In this technique, the attacker does not receive the response over the same channel used to deliver the attack. Instead, the injected statement causes the database server to transmit data to a remote system the attacker controls. This attack is possible only if the targeted database server has features enabled that let it make outbound HTTP or DNS requests.
2. Inferential/Blind SQLi
In this type of SQL injection the HTTP responses do not include the query results or any data from the database. The attacker sends a payload to the server and observes its behaviour. It is called "blind" because the attacker cannot see any data reflected back from the database. Boolean-based and time-based SQL injection are examples of such attacks.
3. In-band SQLi
This is the simplest and most common form of SQL injection. Attackers use the same communication channel both to launch the attack and to collect the results. Error-based and union-based SQL injection are two common examples.
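From the defender's side, the three categories above map onto different evidence. The added example below (not part of the original article) classifies web-server access-log lines by the family of injection they suggest, using request-side patterns for union-based, tautology-style and time-based attempts, plus a weaker heuristic for error-based attempts. The log lines, addresses and paths are constructed for the example, and the patterns are starting points to be tuned against real traffic.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (Common Log Format) for this example; the
# addresses, paths and payloads are made up and stand in for real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?employee_id=GKR&employee_name=name HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login?employee_id=GKR&employee_name=name%27+OR+%27g%27+%3D+%27g HTTP/1.1" 200 9120',
    '198.51.100.9 - - [10/Oct/2023:14:02:10 +0000] "GET /report?id=1+UNION+SELECT+owner%2Cemployee_name+FROM+logindatabase HTTP/1.1" 200 4410',
    '198.51.100.9 - - [10/Oct/2023:14:02:15 +0000] "GET /report?id=1%27+AND+SLEEP%285%29-- HTTP/1.1" 200 310',
    '198.51.100.9 - - [10/Oct/2023:14:02:19 +0000] "GET /report?id=1%27 HTTP/1.1" 500 220',
]

# Request-side signatures for the families described in the text. Out-of-band
# injection leaves no such trace in the request; look for it in the database
# server's outbound DNS and HTTP logs instead.
PATTERNS = {
    "in-band/union": re.compile(r"\bUNION\b.+?\bSELECT\b", re.I),
    "in-band/tautology": re.compile(r"\bOR\b\s*'?\w+'?\s*=\s*'?\w+'?", re.I),
    "blind/time-based": re.compile(r"\b(SLEEP|WAITFOR\s+DELAY|BENCHMARK|PG_SLEEP)\b", re.I),
}

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_request(line):
    """Return the injection families a log line matches (empty list if none,
    None if the line does not contain a request)."""
    m = REQUEST.search(line)
    if m is None:
        return None
    target, status = m.group(1), m.group(2)
    # Decode %xx escapes and '+' so the patterns see what the application saw.
    query = unquote_plus(urlsplit(target).query)
    hits = [family for family, pat in PATTERNS.items() if pat.search(query)]
    # Error-based injection (in-band) often surfaces as a server error on input
    # carrying a stray quote; flag that only as a weaker, heuristic signal.
    if not hits and status == "500" and "'" in query:
        hits.append("possible in-band/error-based")
    return hits


def scan_log(lines):
    """Map line index -> matched families for every flagged line."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify_request(line))}


if __name__ == "__main__":
    for i, hits in scan_log(SAMPLE_LOG).items():
        print(i, hits)
```

The honest login on the first line produces no match, while each of the remaining lines is attributed to one family. Decoding the query string before matching matters: the same payload URL-encoded would otherwise slip past every pattern.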
Securing web apps from SQL injection attacks
To protect web applications from SQL injection, validate and filter every kind of user input before it is used in a SQL query that gets executed.
Security professionals and developers must apply the principle of least privilege to every account that interacts with the database.
The app development team should scan the web app periodically with tools such as Acunetix or Nessus.
If you build progressive web apps (PWAs), verify every API function against its API schema.
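The added example below (not code from the original article) shows the first two measures applied to the login lookup from the earlier scenario: the statement is parameterized so that user input is never part of the SQL text, the employee ID is checked against an expected format, and the connection is made read-only as a stand-in for a least-privilege database account. Python's sqlite3 is used for the page's C#-style snippet; the three-letter ID format is an assumption based on the page's GKR example, and SQLite's PRAGMA query_only stands in for a real database user granted SELECT only.

```python
import re
import sqlite3

# Constructed sample rows standing in for the page's "logindatabase" table.
SAMPLE_ROWS = [
    ("GKR", "name", "gkr-secret"),
    ("ABC", "alice", "abc-secret"),
    ("XYZ", "bob", "xyz-secret"),
]

# Assumed format for employee IDs (the page's example is "GKR"): three upper-case letters.
EMPLOYEE_ID_RE = re.compile(r"[A-Z]{3}")


def make_db():
    """In-memory SQLite table, then switched to read-only for the web app's use."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logindatabase (owner TEXT, employee_name TEXT, secret TEXT)"
    )
    conn.executemany("INSERT INTO logindatabase VALUES (?, ?, ?)", SAMPLE_ROWS)
    # Least privilege stand-in: a real deployment connects the web app as a
    # database account granted SELECT only. SQLite has no accounts, so
    # query_only makes every write on this connection fail instead.
    conn.execute("PRAGMA query_only = 1")
    return conn


def validate_employee_id(employee_id):
    """Allow-list check: reject anything that is not exactly three upper-case letters."""
    if not EMPLOYEE_ID_RE.fullmatch(employee_id):
        raise ValueError("employee ID does not match the expected format")
    return employee_id


def lookup(conn, employee_id, employee_name):
    """Parameterized lookup: the driver passes the values separately from the
    SQL, so quotes inside employee_name are data, never SQL syntax."""
    validate_employee_id(employee_id)
    return conn.execute(
        "SELECT * FROM logindatabase WHERE owner = ? AND employee_name = ?",
        (employee_id, employee_name),
    ).fetchall()


def attempt_delete(conn):
    """Return True if a write succeeds, False if the connection refuses it."""
    try:
        conn.execute("DELETE FROM logindatabase")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    print(lookup(conn, "GKR", "name"))
    print(lookup(conn, "GKR", "name' OR 'g' = 'g"))
    print(attempt_delete(conn))
```

With parameters bound, the injected name from the earlier scenario is compared literally against the employee_name column and matches nothing, so the honest login returns one row and the injected one returns none. The read-only connection is defence in depth: even if a query elsewhere in the application were still built by concatenation, statements that modify or delete records would be refused.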
SQL injection can result in the loss of corporate and customer data, and such attacks have far-reaching consequences. Developers must therefore take adequate measures to protect their web applications against it.