Injection Attacks
      Back to home
      1. Support Center
      2. Injection Attacks

      What Is SQL Injection?

      An SQL injection allows an attacker to run arbitrary SQL code in the database, which may allow him to retrieve, change or delete data from the database.

      Security Assessment

      Security_Assessment_SQLInjection

      CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

      What is an SQL Injection Attack? 

      When a malicious user performs an SQL Injection (SQLi) attack, they typically intend to control the web application’s database server using malicious SQL statements. This allows them to bypass authentication controls required to access and retrieve the contents of the database. This usually is initiated by hackers scouting the application firewall for vulnerable user input points. Once identified, the attacker creates input content known as a malicious payload, executing unauthorized SQL injection commands at the back-end database. 

      Attackers commonly develop SQL injection commands to perform a wide variety of malicious acts, such as:

      • Retrieving user credentials within the database
      • Selecting and outputting crucial system data
      • Appending or adding new data to a database
      • Deleting tables and records from the database
      • Using the back-end database server to access the Operating System

      SQL Injection Webinar

      Below you can find a video that shows our webinar for SQL Injection. We explain the differences between manual and automated testing and show an open-source tool to check for SQL Injections.

      Prevention Guide

      Preventing SQLi attacks is a complex and rigorous process since prevention techniques vary according to the programming language used, the SQL database engine, and the SQLi subtype being addressed. This section explores the tools and best practices to prevent SQL Injection vulnerabilities. 

      Some strategic principles and practices to keep web applications safe from SQLi attacks include:

      Training & Awareness

      Everyone involved in developing and managing the application should understand the risk and impacts of SQL injections. Training should also be extended to users to know why it is essential only to include valid inputs when prompted.

      Filter User Input

      A database administrator should never trust user input. Internal and public user inputs should be filtered and validated before being exposed to the database server.

      Use Whitelist-based Filters

      Attackers will constantly develop clever methods to circumvent blacklists. Whitelisting prevents attacks using a list that only allows certain users to access the protected system. In addition, malicious payloads deployed by SQLi injections cannot execute when they don’t exist in the whitelist.

      Use Updated Web Technologies

      Software updates often include patches for discovered vulnerabilities. Hackers typically rely on these vulnerabilities to deploy malicious payloads. The latest patched versions of development environments and frameworks will meet compliance standards and keep the web application safe from exploits. Most software organizations try to stay ahead of hackers. 

      Regular Scanning

      Attackers inject malicious input through vulnerabilities they discover in the system code. Therefore, security teams should undertake a SQL injection scanner because using the right tools to find any possible SQLi vulnerabilities before attackers can take advantage of them.

      Practical Prevention Tips

      Filter User Input

      For an attacker to successfully execute an SQL injection, he needs to plant some code run by the web application’s database. Therefore all user input should be validated first and limited to the required characters. E.g., you may ask a user to input a username, password, and e-mail address in a registration form. You can limit the allowed characters of these input fields to characters that do not interfere with the database. The following example filters out user input for the three values in PHP:

      if (preg_match("/[^A-Za-z0-9]/", $username) ||
        (preg_match("/[^A-Za-z0-9\!_-]/", $password) ||
        (preg_match("/[^A-Za-z0-9_-@]/", $email)) {
          echo "Invalid Characters!";
      } else {
          # Run Database Command
      }

      Database Mappers

      Most modern web frameworks provide some abstraction of database handling. E.g., Laravel provides Eloquent queries. Created objects are automatically converted and stored or retrieved from the database. In the example of the user registration form, one could make the user object in the following way:

      $user = new User;
      $user->username = $request->username;
      $user->password = $request->password;
      $user->email = $request->email;
      $user->save();

      The resulting SQL statement is automatically sanitized and will prevent SQL injections.

      Sanitize User Input / Prepared Statements

      It may not always be possible to use a database mapper. In these cases, use prepared statements to create your SQL queries. These statements validate and sanitize the user-provided values and prevent SQL injections. E.g., in PHP, you can make a prepared account the following way:

      $stmt = $mysqli->prepare("INSERT INTO users(username, password, email) VALUES (?, ?, ?)");
      $stmt->bind_param("sss", $username, $password, $email) # "sss" here states, that three strings are expected.
      $username = $request->username;
      $password = $request->password;
      $email = $request->email;
      $stmt->execute();