SQL injection is a type of web application security vulnerability and attack that occurs when an attacker is able to manipulate an application's SQL (Structured Query Language) statements. It takes advantage of poor input validation or improper construction of SQL queries, allowing the attacker to insert malicious SQL code into the application's database query.
SQL Injection attacks are also called SQLi. SQL stands for 'structured query language' and SQL injection is sometimes abbreviated to SQLi
Impact of SQL injection on your applications
Steal credentials—attackers can obtain credentials via SQLi and then impersonate users and use their privileges. Access databases—attackers can gain access to the sensitive data in database servers. Alter data—attackers can alter or add new data to the accessed database. Delete data—attackers can delete database records or drop entire tables. Lateral movement—attackers can access database servers with operating system privileges, and use these permissions to access other sensitive systems. Types of SQL Injection Attacks
There are several types of SQL injection:
Union-based SQL Injection – Union-based SQL Injection represents the most popular type of SQL injection and uses the UNION statement. The UNION statement represents the combination of two select statements to retrieve data from the database. Error-Based SQL Injection – this method can only be run against MS-SQL Servers. In this attack, the malicious user causes an application to show an error. Usually, you ask the database a question and it returns an error message which also contains the data they asked for. Blind SQL Injection – in this attack, no error messages are received from the database; We extract the data by submitting queries to the database. Blind SQL injections can be divided into boolean-based SQL Injection and time-based SQL Injection. SQLi attacks can also be classified by the method they use to inject data:
SQL injection based on user input – web applications accept inputs through forms, which pass a user’s input to the database for processing. If the web application accepts these inputs without sanitizing them, an attacker can inject malicious SQL statements. SQL injection based on cookies – another approach to SQL injection is modifying cookies to “poison” database queries. Web applications often load cookies and use their data as part of database operations. A malicious user, or malware deployed on a user’s device, could modify cookies, to inject SQL in an unexpected way. SQL injection based on HTTP headers – server variables such HTTP headers can also be used for SQL injection. If a web application accepts inputs from HTTP headers, fake headers containing arbitrary SQL can inject code into the database. Second-order SQL injection – these are possibly the most complex SQL injection attacks, because they may lie dormant for a long period of time. A second-order SQL injection attack delivers poisoned data, which might be considered benign in one context, but is malicious in another context. Even if developers sanitize all application inputs, they could still be vulnerable to this type of attack. Here are few defense mechanisms to avoid these attacks
1. Prepared statements: These are easy to learn and use, and eliminate problem of SQL Injection. They force you to define SQL code, and pass each parameter to the query later, making a strong distinction between code and data
2. Stored Procedures: Stored procedures are similar to prepared statements, only the SQL code for the stored procedure is defined and stored in the database, rather than in the user’s code. In most cases, stored procedures can be as secure as prepared statements, so you can decide which one fits better with your development processes.
There are two cases in which stored procedures are not secure:
The stored procedure includes dynamic SQL generation – this is typically not done in stored procedures, but it can be done, so you must avoid it when creating stored procedures. Otherwise, ensure you validate all inputs. Database owner privileges – in some database setups, the administrator grants database owner permissions to enable stored procedures to run. This means that if an attacker breaches the server, they have full rights to the database. Avoid this by creating a custom role that allows storage procedures only the level of access they need. 3. Allow-list Input Validation: This is another strong measure that can defend against SQL injection. The idea of allow-list validation is that user inputs are validated against a closed list of known legal values.
4. Escaping All User-Supplied Input: Escaping means to add an escape character that instructs the code to ignore certain control characters, evaluating them as text and not as code.
