
Everything You Need To Know About SQL Injections

SQL injections remain one of the simplest hacks in the history of cyberattacks, still going strong after 21 years and among the OWASP Top 10 vulnerabilities. In this article, we talk about SQL injection, its methods of prevention, and why it is still effective today.

By: Mark Anthony Fuentes, Nov 18, 2019

In 21 years of existence, SQL injections have claimed too many victims to count, from the theft of personal details of World Health Organization employees and of the Wall Street Journal’s data to breaches of sites belonging to U.S. federal agencies. In 2015, TalkTalk was hacked, and personal details belonging to over 150,000 people were exposed. TalkTalk was found in breach of data protection laws and was fined a record £400,000 for the security failings that left it exposed to a SQL injection attack.

With web applications receiving an average of four web attacks a month, it makes sense for organizations to implement basic mitigation measures against SQL injections.

The SQL injection technique is one of the oldest and simplest hacking techniques, so why are organizations still susceptible to these attacks? Let’s dive into how the attack works.

What is an SQL Injection (SQLi)?

SQL, short for Structured Query Language, is a programming language used to manage databases. An SQL injection is a malicious code injection technique that an attacker uses to manipulate the database and obtain more information than they are authorized to. Besides the ability to extract sensitive data, malicious SQL codes can add, modify — or worse — delete records.

How SQL Injections work

SQL commands can typically be injected through an HTML form that requests input from a user. In this scenario, instead of filling in a regular username, email, or password, an attacker will choose to input a malicious SQL statement that will be run on the database.

Attackers lean on one of three broad techniques to conduct a SQL injection attack: in-band, blind, and out-of-band.

In-band SQL injections: The most common type, as illustrated by the HTML form scenario above, in-band SQL injections are used whenever the attacker can rely on the same communication channel both to launch the attack and to obtain the results. For instance, by reading the error message that the web application reports, an attacker gains valuable information to target the database further.

Blind SQL injections: Sometimes also called inferential attacks, blind SQL injections are used when an attacker cannot obtain results directly through the web application and instead has to send payloads to the database and observe how the web application responds to them.

Out-of-band SQL injections: Depending on the features available on the database server used by the web application, out-of-band SQL injections rely on alternative channels to extract data from the server. An attacker using this technique makes the server transmit data over protocols such as HTTP, DNS, or even email.

Best Practices For Mitigating SQL Injection Attacks

In order to eliminate SQL injection vulnerabilities, it is critical that developers take on a security-first mindset. In a Secure Software Development Life Cycle, teams integrate security controls into all phases of application development rather than bolting them on at the end.

One such best practice for closing SQL injection vulnerabilities is to fix the query's structure in advance (parameterized queries, also known as prepared statements), so that user input is handled as data rather than as SQL. In this approach, teams ensure that queries cannot do more than they are authorized to, whatever the input contains.

Teams can also implement solutions that validate and sanitize user input, removing or rejecting malicious content before the web application or database server executes the command.

Need Experts?

Some organizations, however, may face challenges resolving these vulnerabilities on their own, especially if they still depend on legacy software that limits security controls. In these cases, it helps to consult a security partner that has experience helping similar organizations mitigate such web application risks.


Mark Fuentes has over a decade of experience in the cyber security field highlighted by roles in organizations such as Verizon, The International Monetary Fund, and The United States Department of Homeland Security. Mark is an avid consumer of technology trends and threat intelligence and seeks out new applications of tech and research to combat cyber crime.
