In 21 years of existence, SQL injections have claimed too many victims to count, from the theft of personal details of World Health Organization employees and the Wall Street Journal’s data to breaches of sites belonging to U.S. federal agencies. In 2015, TalkTalk was hacked, and personal details belonging to over 150,000 people were exposed. TalkTalk was found in breach of data protection laws and was fined a record £400,000 for the security failings that left it exposed to a SQL injection attack.
With web applications receiving an average of four web attacks a month, it makes sense for organizations to implement basic mitigation measures against SQL injections.
The SQL injection technique is one of the oldest and simplest hacking techniques, so why are organizations still susceptible to these attacks? Let’s dive into how the attack works.
What is an SQL Injection (SQLi)?
SQL, short for Structured Query Language, is the language used to manage and query relational databases. An SQL injection is a code injection technique in which an attacker manipulates the queries an application sends to its database in order to obtain more information than they are authorized to see. Besides extracting sensitive data, injected SQL can add, modify, or, worse, delete records.
How SQL Injections work
SQL commands are typically injected through an HTML form that requests input from a user. In this scenario, instead of filling in a regular username, email address, or password, an attacker enters a fragment of SQL; if the application concatenates that input directly into its query text, the database executes the attacker's fragment as part of the statement.
Attackers carrying out SQL injection rely on one of three broad techniques: in-band, blind, and out-of-band.
In-band SQL injections: The most common type, as in the HTML-form scenario above. In-band SQL injections are used whenever the attacker can rely on the same communication channel both to launch the attack and to obtain the results. For instance, by reading the database error messages that the web application echoes back, an attacker learns details about the database that help further target it.
Blind SQL injections: Sometimes called inferential attacks, blind SQL injections are used when an attacker cannot obtain results from the web application directly and instead has to send payloads to the database and infer the outcome from how the web application's responses change.
Out-of-band SQL injections: Contingent on the features available on the database server used by the web application, out-of-band SQL injections depend on alternative channels to extract data from the server. An attacker using this technique induces the database server itself to transmit data through protocols such as HTTP, DNS, or even email.
Best Practices For Mitigating SQL Injection Attacks
In order to eliminate SQL injection vulnerabilities, it is critical that developers take on a security-first mindset. Teams that adopt a Secure Software Development Life Cycle integrate security controls into every phase of application development.
One such best practice for fixing SQL injection vulnerabilities is to preset query semantics so that malicious SQL commands cannot take effect. In this approach, commonly implemented with parameterized queries (prepared statements), the structure of each query is fixed before any user input is supplied, so the input is only ever treated as data and the query cannot do more than it is authorized to.
Teams can also deploy solutions that validate and sanitize user-supplied input, removing or rejecting SQL syntax before the web application or database server executes the resulting command. Sanitization is best treated as a layer of defense in depth rather than a substitute for fixed query semantics.
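To make the difference between the two practices concrete, the following Python example (added here, not code from the original article) contrasts a login query built by string concatenation with one whose semantics are fixed by bound parameters, using an in-memory SQLite database. The table, columns, user names and passwords are constructed sample data; a real application would store password hashes, not plaintext.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with sample rows (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_unsafe(conn, username, password):
    # Vulnerable: form values are concatenated into the SQL text, so any
    # quote or operator in them is parsed as part of the statement.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    # Hardened: the statement's semantics are preset; the values are bound
    # as parameters and can only ever be compared as data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def unsafe_leaks_error(conn, username):
    # A lone quote in the input breaks the concatenated statement. The
    # resulting database error is the in-band feedback described above;
    # the parameterized version simply returns no rows for the same input.
    try:
        login_unsafe(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    tampered = "' OR '1'='1"  # tautology entered in the password field
    print(login_unsafe(conn, "anyone", tampered))  # ['alice', 'bob']
    print(login_safe(conn, "anyone", tampered))    # []
    print(unsafe_leaks_error(conn, "O'Brien"))     # True
```

The concatenated query is rewritten by the input into `... AND password = '' OR '1'='1'`, which is true for every row, while the parameterized query compares the whole string against the password column and matches nothing.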
Some organizations, however, may face challenges resolving these vulnerabilities on their own, especially if they still depend on legacy software that limits security controls. In these cases, it helps to consult a security partner that has experience helping similar organizations mitigate such web application risks.