What is a SQL Injection Attack?
SQL injection is one of the most dangerous web attack techniques. It is a common attack in which malicious input becomes part of a query sent to the backend database, manipulating that database and exposing information that was never meant to be displayed, such as passwords or other personal user data. The consequences include confidential data being stolen, lost, or deleted, as well as unauthorized access to systems, accounts, and sensitive data such as passwords, credit card details, or sensitive company data. A successful attack may also result in unauthorized viewing of user lists or the deletion of entire tables.
SQL Injection Tools:
SQLmap, SQLninja and Havij are tools available for testing your own web applications, but they also help attackers penetrate a system. SQLmap can be used to test your own web application and check whether it is secure.
User input in SQL statements:
- SQL Injection Based on 1=1 is Always True:
The purpose of the code below is to create a statement that selects a single user. The statement is still valid, but it returns ALL rows from the "Users" table, since OR 1=1 is always TRUE.
SELECT * FROM Users WHERE UserID=105 OR 1=1;
- SQL Injection Based on ""="" is Always True:
SELECT * FROM Users WHERE Name ="Hive" AND Pass ="Password"
A hacker can access the user names and passwords by entering " OR ""=" in the user name or password text box:
User Name: " OR ""="
Password: " OR ""="
The code will create a valid statement like:
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
- SQL Injection Based on Batched SQL Statements: Most databases support batched SQL statements. A batch of SQL statements is a group of two or more statements separated by semicolons, so an injected semicolon can append a second, unrelated statement to the one the application intended to run:
SELECT * FROM Customers; DROP TABLE Orders
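To see how the inputs above change the meaning of a query, here is an added example (not code from the original article) that runs the concatenated, vulnerable statements and their parameterized counterparts against a constructed in-memory SQLite "Users" table. SQLite uses single quotes for string literals, so the article's " OR ""=" input appears here as ' OR ''=' with identical effect; the table contents and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data, modelled on the article's Users table.
SAMPLE_USERS = [
    (105, "Hive", "Password"),
    (106, "alice", "s3cret"),
    (107, "bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Build the statement by string concatenation: the flawed pattern.

    With name = password = "' OR ''='" the text becomes
    SELECT * FROM Users WHERE Name = '' OR ''='' AND Pass = '' OR ''=''
    which is true for every row.
    """
    sql = "SELECT * FROM Users WHERE Name = '" + name + "' AND Pass = '" + password + "'"
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Same query, but the values are bound as parameters and never become SQL text."""
    sql = "SELECT * FROM Users WHERE Name = ? AND Pass = ?"
    return conn.execute(sql, (name, password)).fetchall()


def by_id_vulnerable(conn, user_id):
    """Numeric lookup built by concatenation: the 'UserID=105 OR 1=1' case."""
    return conn.execute("SELECT * FROM Users WHERE UserID = " + user_id).fetchall()


def by_id_safe(conn, user_id):
    """Reject anything that is not an integer, then bind the value as a parameter."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM Users WHERE UserID = ?", (uid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"
    print("vulnerable login:", login_vulnerable(db, payload, payload))  # every row
    print("parameterized login:", login_safe(db, payload, payload))    # []
    print("vulnerable id lookup:", by_id_vulnerable(db, "105 OR 1=1"))  # every row
    print("validated id lookup:", by_id_safe(db, "105 OR 1=1"))         # []
```

The parameterized versions send the query text and the values to the database separately, so the quote and OR in the input are compared as data rather than parsed as SQL; the integer check on the ID path is the whitelist-style validation the prevention section below recommends.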
How does SQL Injection work?
A SQL statement also consists of a predetermined set of parameters. The following is an example of the SQL behind a login form:
SELECT * FROM users WHERE username = '$username' AND password = bcrypt('$password')
After the user enters a username and password, the statement is completed and the query is sent to the server to retrieve the user's information from the database.
When a SQL statement is built this way, an attacker can enter crafted input into the form fields that interferes with the pre-existing parameters and alters the meaning of the whole statement.
How to prevent SQL injection attacks?
- Discover SQL injection vulnerabilities by regularly testing web applications with both static testing and dynamic testing.
- Use whitelists in place of blacklists: avoid filtering user input based on blacklists and, where possible, validate and filter user input using whitelists only.
- Mitigate the impact of SQL injection vulnerabilities by enforcing least privilege on the database, so that each software component of an application can access and affect only the resources it needs.
- Use a Web Application Firewall (WAF) for web applications that access databases. A WAF can help identify SQL injection attempts and can sometimes stop them from reaching the application at all.
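The whitelist advice matters most for the parts of a query that cannot be bound as parameters at all, such as the column name and direction of an ORDER BY clause. The following added example (not from the original article) shows one way to combine the two controls: values go through bound parameters, identifiers are accepted only from a fixed allow-list, and anything else is rejected before any SQL is built. The table, the allow-list contents and the names ALLOWED_SORT_COLUMNS, validate_sort and search_users are assumptions made for the demonstration.

```python
import sqlite3

# Allow-lists (whitelists): the only identifiers a request may choose.
# Everything not listed here is rejected, whatever it looks like.
ALLOWED_SORT_COLUMNS = {"UserID", "Name"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_demo_db():
    """Constructed in-memory table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Users (UserID INTEGER, Name TEXT);"
        "INSERT INTO Users VALUES (105, 'Hive'), (106, 'alice'), (107, 'anna');"
    )
    return conn


def validate_sort(column, direction):
    """Return (column, direction) when both are on the allow-list, otherwise None.

    Exact set membership is the whole check: an input such as
    'Name; DROP TABLE Orders' is simply not a member and is refused.
    """
    direction = direction.upper()
    if column in ALLOWED_SORT_COLUMNS and direction in ALLOWED_DIRECTIONS:
        return column, direction
    return None


def search_users(conn, name_prefix, column="Name", direction="ASC"):
    """List users whose name starts with name_prefix, sorted as requested.

    The prefix is a value, so it is bound with '?'. The sort column and
    direction are identifiers, so they are spliced into the SQL text only
    after validate_sort has confirmed they come from the allow-list.
    """
    sort = validate_sort(column, direction)
    if sort is None:
        raise ValueError("sort column or direction is not allowed")
    col, dirn = sort
    sql = f"SELECT UserID, Name FROM Users WHERE Name LIKE ? ORDER BY {col} {dirn}"
    # LIKE wildcards inside name_prefix would widen the match, not the query's
    # structure; escaping them is a separate concern from injection.
    return conn.execute(sql, (name_prefix + "%",)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(search_users(db, "a", "UserID", "DESC"))  # [(107, 'anna'), (106, 'alice')]
    try:
        search_users(db, "a", "Name; DROP TABLE Orders", "ASC")
    except ValueError as exc:
        print("rejected:", exc)
```

Because the allow-list is a closed set of known-good identifiers, no filtering of suspicious characters is needed, which is exactly the property a blacklist lacks.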