1. Support Center
  2. Injection Attacks

SQL Injections

An SQL injection allows an attacker to run arbitrary SQL code in the database which may allow him to retrieve, change or delete data from the database.

Security Assessment

Security_Assessment_SQLInjection

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vulnerability Information

When a malicious user performs an SQL Injection (SQLi) attack, they typically intend to control the web application’s database server using malicious SQL statements. This allows them to bypass authentication controls required to access and retrieve the contents of the database. This usually is initiated by hackers scouting the application firewall for vulnerable user input points. Once identified, the attacker creates input content known as a malicious payload, executing unauthorized SQL injection commands at the back-end database. 

Attackers commonly develop SQL injection commands to perform a wide variety of malicious acts, such as:

  • Retrieving user credentials within the database
  • Selecting and outputting crucial system data
  • Appending or adding new data to a database
  • Deleting tables and records from the database
  • Using the back-end database server to access the Operating System

SQL Injection Webinar

Below you can find a video that shows our webinar for SQL Injection. We explain the differences between manual and automated testing and show an open-source tool to check for SQL Injections.

Prevention Guide

Preventing SQLi attacks is a complex and rigorous process since prevention techniques vary according to the programming language used, the SQL database engine, and the SQLi subtype being addressed. This section explores the tools and best practices to prevent SQL Injection vulnerabilities. 

Some strategic principles and practices to keep web applications safe from SQLi attacks include:

Training & Awareness

Everyone involved in developing and managing the application should understand the risk and impacts of SQL injections. Training should also be extended to users to understand why it is important only to include valid inputs when prompted.

Filter User Input

A database administrator should never trust user input. Internal and public user inputs should all be filtered and validated before being exposed to the database server.

Use Whitelist-based Filters

Attackers will always develop clever methods to circumvent blacklists. Whitelisting prevents attacks using a list that only allows certain users to access the protected system. In addition, malicious payloads deployed by SQLi injections cannot execute when they don’t exist in the whitelist.

Use Updated Web Technologies

Software updates often include patches for discovered vulnerabilities. Hackers typically rely on these vulnerabilities to deploy malicious payloads. Using the latest patched versions of development environments and frameworks will meet compliance standards and keep the web application safe from exploits as most software organizations try to stay ahead of hackers. 

Regular Scanning

Attackers inject malicious input through vulnerabilities they discover in the system code. Therefore, security teams should undertake a SQL injection scanner because using the right tools to find any possible SQLi vulnerabilities before attackers can take advantage of them.

Practical Prevention Tips

Filter User Input

For an attacker to successfully execute an SQL injection, he needs to plant some code run by the web application’s database. Therefore all user input should be validated first and limited to the needed characters. E.g., you may ask a user to input a username, password, and e-mail address in a registration form. You can limit the allowed characters of these input fields to characters that do not interfere with the database. The following example filters out user input for the three values in PHP:

if (preg_match("/[^A-Za-z0-9]/", $username) ||
(preg_match("/[^A-Za-z0-9\!_-]/", $password) ||
(preg_match("/[^A-Za-z0-9_-@]/", $email)) {
echo "Invalid Characters!";
} else {
# Run Database Command
}

Database Mappers

Most modern web frameworks provide some abstraction of database handling. E.g., Laravel provides Eloquent queries. Created objects are automatically converted and stored or retrieved from the database. In the example of the user registration form, one could create the user object in the following way:

$user = new User;
$user->username = $request->username;
$user->password = $request->password;
$user->email = $request->email;
$user->save();

The resulting SQL statement is automatically sanitized and will prevent SQL injections.

Sanitize User Input / Prepared Statements

It may not always be possible to use a database mapper. In these cases, use prepared statements to create your SQL queries. These forms of statements validate and sanitize the user-provided values and therefore prevent SQL injections. E.g., in PHP, you can create a prepared statement the following way:

$stmt = $mysqli->prepare("INSERT INTO users(username, password, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $username, $password, $email) # "sss" here states, that three strings are expected.
$username = $request->username;
$password = $request->password;
$email = $request->email;
$stmt->execute();

For more information about Crashtest Security visit crashtest-security.com