Which of the following is exploited by an SQL injection to give the attacker access to a database?

An SQL injection is a technique used by hackers to gain access to a website or online database. SQL injections target vulnerable web applications by entering a string of malicious code into an input query on a website. 

Using an SQL injection (also abbreviated SQLi), an external party can manipulate the queries a website sends to its database in order to read sensitive data or execute a malicious command. This can be catastrophic for websites and businesses, since an outside party may be able to seize customer data, private credentials or intellectual property.

Because SQL is the common query language of relational databases, an SQL injection can target any web application that builds SQL queries from user input, whatever the database engine. Some commonly used databases are Oracle, SQL Server and MySQL.

It is of paramount importance for every website to have measures in place that protect it from an SQL injection vulnerability. This vulnerability is one of the most common and widely exploited security weaknesses, and it appears in the OWASP Top 10 list of web application security threats. The risk of SQL injection attacks has grown tremendously in the past decade: with automated tools available for finding and executing SQL injections, it is now more likely than ever for an enterprise to be a target of such attacks.

How does an SQL injection work?

An SQL injection works through an input query, with the goal of making the database perform a specific action. That action could be retrieving information, executing a function or deleting information. The nature of the injected SQL will depend on what the hacker is trying to accomplish.

For example, if your website has an input form where users enter their username and a hacker is able to execute an SQL injection through it, the injected input can make the database carry out a command such as returning a list of every user ID in your database. This is obviously a critical threat to any website.

The first step of an SQL injection is an attempt to understand how the database behind the application works. To do this, a hacker will first submit unusual input and observe how the server responds. Once this information has been obtained, the hacker will attempt to submit input that the database interprets as part of an SQL command. If this succeeds, the hacker can access the data they are after and potentially even infiltrate the entire system.

What Are the Different Types of SQL injection Attacks?

There are a few different types of SQL injection attacks.

In-Band SQL injection attack

An in-band SQL injection is the most common form of SQL injection attack. In this method, hackers use the same channel both to send the injected SQL query to the database server and to collect the sensitive data that comes back. There are two types of in-band SQL injection attacks:

Union-based SQL injection: This variant uses the UNION operator to append the rows of an attacker-chosen SELECT to the rows of the application's own query, so that both come back in a single result set. Such malicious SQL statements

Error-based SQL injection: An error-based SQL injection manipulates the database into producing an error message that reveals information about the database's structure or contents. This could be sensitive data, access information, etc.

Out-of-band SQL Injection Attack

An out-of-band SQL injection attack retrieves data over a separate channel: the injected query makes the database server itself issue an outbound request, typically an HTTP request or a DNS lookup, that carries the desired information out of the network. This type of SQL injection attack is usually reserved for instances where an in-band SQL injection attack can't be performed.

Inferential SQL Injection

This type of SQLi involves sending data payloads and monitoring the database's response, with the caveat that the attacker is unable to see directly what is happening inside the SQL database. It is also known as a blind SQL injection and works more by "trial and error", with calculated guesswork used to craft each SQL statement. Based on the responses obtained from the database, the outside party is then able to adjust its strategy.

An inferential SQL injection can be either time-based or boolean-based.

  • A time-based SQL injection makes the database delay its response (for example by calling a sleep function) only when an injected condition is true, so the attacker infers the answer from how long the response takes.
  • A boolean-based SQL injection uses conditions that evaluate to true or false and observes whether the page's content changes. These forms of blind SQL injection use simple SQL statements to probe the inner workings of the database system.


What are Some Real-Life Examples of SQL Injection Attacks?

No one is safe from SQLi attacks, so proper security measures are critical. There have been multiple cases of SQL injection attacks on giant companies, some of which have led to complete data breaches. Some notable examples are given below:

  • Epic Games (creators of Fortnite) infamously had their forums hacked in 2016. This led to nearly a million user accounts being leaked. SQL injection was the weapon of choice for the hackers, since it allowed them to gain access to key user data.
  • Qatar National Bank was prey to an SQLi in 2016 as well. Over 1.5GB of sensitive data was leaked and contained information involving the country's ruling family, religious leaders and high profile politicians around the world.
  • 7-Eleven suffered millions of dollars in losses after hackers infiltrated their corporate systems. The malicious entities used SQL injection attacks to retrieve data of users and steal credit card information.

What Does an SQL Injection Look Like? (Code Examples)

Here is a simple example of an SQL injection attack. It illustrates how an external party can gain administrator access through an unsecured database query.

In our simple example, the hacker attempts to authenticate with a username and password. The hypothetical database has a table of users with two columns containing their username and password.

# Define POST variables
uname = request.POST['heyhackuser']
passwd = request.POST['heyhackpass']

# SQL query vulnerable to SQLi: user input is concatenated straight into the query text
sql = "SELECT id FROM users WHERE heyhackuser='" + uname + "' AND heyhackpass='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

Since these fields are filled from user input that is pasted directly into the query text, they are vulnerable to an SQL injection. If a hacker can alter the SQL statement that the database executes, they could potentially retrieve all of its data.

For example, check out this input in the password field. It may seem like a short and simple input, but it is actually malicious SQL code.

password' OR 1=1

If that string is submitted as the password, the application builds and runs the following query (the username placeholder is left as heyhackuser):

SELECT id FROM users WHERE heyhackuser='heyhackuser' AND heyhackpass='password' OR 1=1'

Because AND binds more tightly than OR and the condition "OR 1=1" is always true, the WHERE clause matches every row regardless of the username and password, so the query returns every id in the users table (an application that only looks at the first row takes the first one). Note that the closing quote left over from the original query now dangles after 1=1; most engines treat that as a syntax error, which is why the working variants listed below end the injected text with a comment sequence that discards the rest of the line.

Usually, the first user ID in a database is the administrator. In this way, the attacker not only bypasses authentication but also gains administrator privileges. What's even worse is that the same payload can be adapted to different database engines by using each engine's comment syntax to cut off the rest of the original query:

-- Oracle, PostgreSQL, MySQL, MSSQL, SQLite
' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00' OR '1'='1' %16

How Can You Prevent an SQL injection Attack?

An SQL injection attack can have catastrophic consequences for a business, including irreparable damage and the loss of critical data. To combat this issue, it is important to detect and prevent this vulnerability proactively.

A Web Application Firewall (WAF) is commonly used as the first line of defence for filtering out SQL injections. Web application firewalls are updated with attack signatures of malicious SQL queries and flag any request that matches one.
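As an added illustration of the signature-based detection described above (this is example code, not Heyhack's or any WAF vendor's rule set), the following Python scans constructed web-server access-log lines for the textbook forms of the injection types the article covers. The log format, the parameter names and the four regular-expression rules are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic): a benign request, three requests carrying
# payloads of the kinds the article describes, and a benign value that merely contains a quote.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products?category=books HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /products?category=books%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /products?category=x%27%20UNION%20SELECT%20id%2Cheyhackpass%20FROM%20users-- HTTP/1.1" 200 7788
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /products?category=x%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 400
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 300
"""

# Signature rules in the spirit of a WAF rule set. Each is a blocklist entry: it catches the
# textbook spelling of one technique and nothing else, which is the weakness of blocklisting.
RULES = {
    "tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.IGNORECASE),
    "union_based": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.IGNORECASE),
    "comment_terminator": re.compile(r"(?:--|/\*|#)"),
    "time_based": re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.IGNORECASE),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(text):
    """Return (line_number, parameter, rule_name) for every parameter value that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qsl percent-decodes the values, so the rules see the text the database would see.
        for param, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            for name, pattern in RULES.items():
                if pattern.search(value):
                    findings.append((lineno, param, name))
    return findings

def flagged_lines(text):
    """Line numbers that triggered at least one rule."""
    return sorted({lineno for lineno, _, _ in scan_log(text)})

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Lines 2, 3 and 4 are flagged while the "o'reilly" search on line 5 is not, because a lone quote is not a rule; a rule that fired on every quote would block legitimate input. The rules only recognise the spellings they were written for, which is the article's point that a blocklist is easier to bypass than an allowlist: such scanning belongs in monitoring and as a first line of defence, with parameterized queries as the actual fix.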

However, there are a few practices that a business can follow to ensure complete security against SQL injections: 

Implement security measures around user input

Whenever user input is placed directly into an SQL query, the probability of an SQL injection increases. To combat this, the best solution is to have security measures that restrict user input to what the application expects or disallow certain types of input altogether.

Whitelist, don’t blacklist

If your WAF or security system works on a blacklist, it is relatively easy for hackers to bypass it. If you have a whitelist, so that only authorized IP addresses are allowed to communicate with your web apps, the probability of an SQLi drops drastically.

Educate your employees 

System admins, development teams and DevOps teams must receive adequate training to understand how to prevent SQL injection attacks in web applications. 

Deploy proven defense methods 

The best way to protect your web applications against SQL injection attacks is by using proven and time-tested solutions. These include input validation, parameterized queries, and penetration testing. 

Perform regular system updates

Old technology is easier to break into, because attack techniques keep getting more sophisticated while old code stays the same. Older tech is unlikely to even have SQLi protection measures in the first place!

If your infrastructure relies heavily on older programming languages or syntax, it is a good idea to move to newer technology. An up-to-date tech stack provides the best security possible, since it will usually have patched the flaws found in earlier versions.


Code Examples to Prevent an SQL Injection Attack

Parameterized queries or prepared statements can be used to protect against an SQLi Attack.

Here is an example of vulnerable code that is susceptible to SQL injection because the user input is concatenated into the query string:

// Vulnerable: untrusted input becomes part of the SQL text
String query = "SELECT * FROM products WHERE category = '" + input + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);

Here is how you can rewrite this code so that user input can never interfere with the structure of the query:

// Safe: the SQL text is a constant and the input is bound as a parameter
PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();

Parameterized queries can be used anywhere untrusted input appears as data within a query. This includes the WHERE clause and the values in an UPDATE or INSERT statement.

However, they can't be used for the ORDER BY clause or for untrusted input in other structural parts of the query (such as table or column names). Whitelisting the permitted input values is required in those instances.

Heyhack tip: The string that is used as the query must always be a hard-coded constant! That is the only way a parameterized query will be effective in preventing SQL injection. It must never contain any variable data from any origin.

It may be tempting, but do not decide case-by-case whether an item of data is trusted. It is a common occurrence for companies to make mistakes about the possible origin of data, or for changes in other code to violate assumptions about what data is tainted.
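The two rules above (bind values as parameters; whitelist anything that must become part of the query structure, such as an ORDER BY column) combine as in this added example, which is not code from the article and uses the same products table as the Java snippet. The in-memory SQLite table, its rows and the permitted sort columns are assumptions made for this example.

```python
import sqlite3

# Columns and directions a client may sort by. Anything else is rejected before it reaches
# the SQL text. (Constructed for this example.)
ALLOWED_ORDER_COLUMNS = {"name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def make_products_db():
    """Constructed in-memory products table standing in for the page's example schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, category, price) VALUES (?, ?, ?)",
        [("Novel", "books", 12.0), ("Atlas", "books", 30.0),
         ("Comic", "books", 5.0), ("Mug", "kitchen", 8.0)],
    )
    return conn

def search_products(conn, category, order_by="name", direction="ASC"):
    """Category is a value, so it is bound as a parameter and can never alter the query.
    The sort column and direction cannot be bound, so they are checked against an allowlist
    and only an allowlisted literal (never the raw input) is spliced into the constant text."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f"SELECT name FROM products WHERE category = ? ORDER BY {order_by} {direction}"
    return [row[0] for row in conn.execute(sql, (category,))]

if __name__ == "__main__":
    db = make_products_db()
    print(search_products(db, "books", "price", "desc"))  # ['Atlas', 'Novel', 'Comic']
    print(search_products(db, "books' OR '1'='1"))        # bound as data: []
    try:
        search_products(db, "books", "name; --")
    except ValueError as e:
        print("rejected:", e)                             # identifier not on the allowlist
```

The injected category text is matched literally against the column and finds nothing, while a sort column that is not on the allowlist is rejected before any SQL is built; the query string itself never contains anything but constants and the allowlisted identifiers.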

Preventing SQL Injection Attacks with Heyhack

SQL injection attacks are part of the OWASP Top 10 list of web application vulnerabilities, which further emphasizes their severity. How would you know whether your website has any gaps that may be susceptible to an SQL injection attack? Heyhack's test suite scans your website for all potential threats and offers detailed reports and solutions to help you patch any flaws.

A penetration test is a proactive way of ensuring that your digital infrastructure is not vulnerable to an SQL injection. Automated pen-testing is a reliable, cost-effective and fast way to bolster your web app security. If you are a SaaS company (or any company which handles user data) you can benefit tremendously from investing in a penetration testing solution.

Scan your web application with Heyhack, absolutely free: click here.

What does a SQL injection attack exploit?

A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating ...

What type of attack is an SQL injection attack?

SQL injection (SQLi) is a type of cybersecurity attack that targets SQL databases using specifically crafted SQL statements to trick the systems into doing unexpected and undesired things.

Which of the following are the cause of SQL injection attack?

The three root causes of SQL injection vulnerabilities are the combining of data and code in dynamic SQL statements, error revelation, and insufficient input validation.