SQL Injection – An Introduction


SQL is a programming language. Although it is officially pronounced “Ess Que Ell,” many people call it “Sequel,” which is sometimes accepted. SQL injection is an injection attack in which an attacker supplies malicious SQL statements, known as the payload, in order to gain control over a web app’s database server.

It is simply a “code injection method that is used to attack data-driven apps by injecting malicious SQL statements into an entry field for execution” in a bid to access the contents of the database. SQL injection is one of the oldest, most dangerous, and most prevalent web app attacks, because it can potentially be used against any web app or website that relies on a SQL-based database.

Tricks Used by the attackers for the SQL Injection Attack

For a SQL injection attack to succeed, the attacker needs a few tricks to get past the web app and reach the database. Some of these tricks are as follows:

  • Most attackers make use of the SQL-92 comment introducer “--”, since most database servers ignore everything after “--” on that line.

  • Attackers use the ordinary single-quote character “ ' ”. Anyone who concatenates input to build a SQL query will put such quotes on either side of a value in a “WHERE” clause. Knowing this, the attacker can close the quote within the input and append the SQL injection after it.

  • The SQL injector can modify the SELECT queries issued by the application by adding conditional tests to the “WHERE” clause. This can make the condition always false, so that no rows are ever returned, or always true, so that every row is returned.

  • Attackers understand that some database servers permit several statements to be issued at once, separated by “;”.

When an attacker combines these tricks, he/she can easily gain access to databases through SQL injection attack, provided the web app is not coded properly.
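The following added example (not code from the original article) uses Python's standard sqlite3 module and a constructed two-row table to show why the quote, comment and always-true-condition tricks above work against a query assembled by string concatenation, how a parameterized query neutralizes them, and how the driver's one-statement-per-call rule blocks the stacked-statement trick.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample table; not from the original article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> int:
    # Vulnerable: input is spliced into the SQL text, so a quote, a comment
    # or an extra condition inside the input becomes part of the statement.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return len(conn.execute(sql).fetchall())


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> int:
    # Hardened: placeholders send the values separately from the SQL text,
    # so the database only ever compares them as literal strings.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return len(conn.execute(sql, (username, password)).fetchall())


def stacked_statement(conn: sqlite3.Connection) -> str:
    # sqlite3's execute() accepts exactly one statement per call, so a
    # second statement after ';' is refused at the driver level.
    try:
        conn.execute("SELECT 1; SELECT 2")
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected"


def demo() -> dict:
    conn = make_db()
    return {
        # Quote + comment trick: close the quote, comment out the password check.
        "comment_unsafe": login_unsafe(conn, "admin' --", "wrong"),
        "comment_safe": login_safe(conn, "admin' --", "wrong"),
        # Always-true condition appended to the WHERE clause.
        "tautology_unsafe": login_unsafe(conn, "x", "x' OR '1'='1"),
        "tautology_safe": login_safe(conn, "x", "x' OR '1'='1"),
        # A legitimate login still works with the parameterized query.
        "valid_safe": login_safe(conn, "alice", "hunter2"),
        "stacked": stacked_statement(conn),
    }
```

The unsafe version returns rows for both malicious inputs (1 and 2 rows respectively), while the parameterized version returns none of them.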

Ramifications of Successful SQL Injection Attacks

To be effective, SQL injection must take advantage of a security vulnerability in a web app’s software. Under normal circumstances, the attacker can use SQL injection to achieve any of the following:

  • bypass the web app’s authorization mechanisms,

  • become one of the database server administrators,

  • delete or destroy data/records, or make them unavailable,

  • carry out a complete disclosure of the data held on the database server,

  • trigger repudiation issues such as balance alterations or transaction cancellations,

  • interfere with existing data,

  • tamper with data integrity,

  • retrieve all the data within the database server, and

  • spoof identity.

Hence, using SQL injection, attackers can gain access to data/records such as intellectual property, trade secrets, personally identifiable information (PII), customer data, and any other sensitive data/records.

Defending against SQLi

There are many techniques an organization can adopt to stop attackers from stealing or corrupting its data through SQL injection attacks. Here are some of the common coding techniques for preventing SQL injection:

Sanitization

This is the most common protection technique. It consists of sanitizing all data supplied by users, removing any character string that would otherwise be passed straight to the SQL database or that the interpreter might execute as a SQL command. Usually, sanitization means replacing executable commands found within user data with other, non-executable data.

Filtering and validation

Well-crafted malicious external input is a common source of SQL injection. Hence, we recommend accepting only approved input. This procedure is referred to as input validation. For mitigating SQL injection there are basically two forms of input validation: whitelist validation and blacklist validation.

The whitelisting method is the better way to mitigate SQL injection. Whitelist validation tests external input against a collection of authorized, approved input. With this procedure, the web app knows exactly what input it expects and rejects any input that fails the test against the authorized collection.

Blacklisting, by contrast, only tests external input against a collection of known malicious inputs. The web app keeps a compilation of all the malicious inputs it knows of and checks the external input against it. Blacklist validation is not very potent, because attackers can bypass it as soon as they build a different malicious input that is not already included in the compiled blacklist.

Avoiding unsecured URL parameters

To prevent SQL injection attacks, organizations can take steps to avoid unsecured URL arguments and parameters, such as those found in an object relational model (ORM), that trigger database operations. It is important for organizations to use a secure API for database access instead.

Use LIMIT commands within SQL operations

Another technique is to limit the scope of SQL commands within SQL operations. If an attacker does get into your database through a successful SQL injection, this technique minimizes the amount of data disclosed.
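As an added example covering both the whitelist validation described above and the LIMIT technique in this section (example code, not from the original article): identifiers such as sort columns and keywords such as ASC/DESC cannot be sent as bound parameters, so they are checked against a fixed allow-list, free-form fields are matched against a strict pattern, and the LIMIT value is an integer bounded by an assumed maximum of 100 rows.

```python
import re

# Constructed allow-lists for this example; a real app derives them from its schema.
SORTABLE_COLUMNS = frozenset({"username", "created_at", "last_login"})
SORT_DIRECTIONS = frozenset({"ASC", "DESC"})
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> str:
    # Whitelist: only a known-good character set and length are accepted.
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username rejected by allow-list")
    return value


def validate_limit(value: str, max_rows: int = 100) -> int:
    # LIMIT must be a positive integer and is capped so that one query
    # cannot disclose the whole table even if the filter is bypassed.
    if not value.isdigit():
        raise ValueError("limit must be a non-negative integer")
    n = int(value)
    if n == 0 or n > max_rows:
        raise ValueError(f"limit must be between 1 and {max_rows}")
    return n


def build_order_clause(column: str, direction: str) -> str:
    # Identifiers are matched against a fixed set, never interpolated raw.
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    direction = direction.upper()
    if direction not in SORT_DIRECTIONS:
        raise ValueError(f"unknown sort direction: {direction!r}")
    return f'ORDER BY "{column}" {direction}'


def build_user_query(column: str, direction: str, limit: str) -> str:
    # The filter value stays a '?' placeholder for the driver to bind;
    # only validated identifiers and the bounded LIMIT enter the SQL text.
    order = build_order_clause(column, direction)
    n = validate_limit(limit)
    return f"SELECT username FROM users WHERE username = ? {order} LIMIT {n}"


def is_accepted(check, *args) -> bool:
    # Convenience wrapper: does this input pass the given validator?
    try:
        check(*args)
        return True
    except ValueError:
        return False
```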

Stored procedures

These are SQL statements defined and stored within the database itself and called from the web app. Usually, developers only need to write SQL statements with parameters, which are parameterized automatically. Developers can, however, also build dynamic SQL queries inside stored procedures, so stored procedures should be implemented in a way that avoids generating dynamic SQL inside them.

Principle of least privilege

This method is a standard security control that helps an organization mitigate SQL injection attacks. The principle works by ensuring that application accounts are not granted Database Administrator access or any other type of admin access on the database server. Beyond that, application accounts should be restricted to the least privileged access their requirements allow. For instance, an account that only needs to read should be granted read access only, and only to the tables it needs. This ensures that even when an application is compromised, an attacker cannot use its account to gain access to the rest of the database.

Summary

In conclusion, through SQL injection an attacker can unlawfully gain administrative access to a database. Such an attacker can subsequently alter or delete some or all of the data stored in the database. Moreover, the SQL injector can access confidential information and compromise the integrity of the data within the database. You can prevent SQL injection attacks by implementing proper coding techniques and keeping server software current with the latest updates and patches.